Libsafe for Windows - PowerPoint PPT Presentation

Provided by: shuo
Slides: 15

Transcript and Presenter's Notes

1
Libsafe for Windows
  • Shuo Chen
  • Mentor Timothy K. Tsai
  • Avaya Labs
  • Aug. 16, 2001

2
Background: Libsafe for Linux
  • Released in April 2000, Libsafe has gained
    popularity in the Linux community.
  • Libsafe is very easy to install. Once installed,
    Libsafe does its job transparently.
  • Libsafe does not need access to the source code
    of the program to be protected.
  • Libsafe protection is system-wide. Libsafe
    automatically attaches to applications.
  • Libsafe incurs only a slight overhead.

3
Motivation for porting Libsafe to Windows
  • Windows is also susceptible to buffer overflow
    attacks.
  • Unchecked string functions are still widely used
    in Windows system DLLs and applications.

From 1999 to 2001, there were 54 buffer overflow
bugs reported to SecurityFocus.com for Microsoft
products running on Windows. Eleven of them were
reported between Jan. 2001 and August 2001.
Our investigation reveals that 1) 63% of
executables and DLLs are still using unchecked
string functions. 2) 83% of services are still
using unchecked string functions.
4
Magic of Microsoft Detours
  • Runtime insertion of the detour function and
    trampoline functions between source function and
    target function.

5
Sample exploit program
(Figure: stack layout of foo, left to right: buffer (80 bytes), fp, ra.
The attack string fills the buffer with attack code, "garbage" lands on
fp, and "buffer" lands on ra.)

void foo(char *input_string) {
    char buffer[80];
    strcpy(buffer, input_string);
    return;
    /* input_string = attack code + garbage + buffer, total length 88 bytes */
}

A vulnerable program running without Libsafe
6
Sample exploit program (cont.)
(Figure: the same stack layout, buffer (80 bytes), fp, ra.)

void foo(char *input_string) {
    char buffer[80];
    strcpy(buffer, input_string);   /* len(input_string) = 88 bytes */
    return;
}

char *libsafeStrcpy(char *dest, const char *src) {
    if (src is longer than max_size)
        report the event
    else
        return strcpy(dest, src);
}
/* max_size = 80 */

A vulnerable program running with Libsafe
7
Real exploit: vCard buffer overflow
  • When a .vcf file contains a long BDAY string, a
    buffer in Windows Address Book (wab.exe) will
    overflow.
  • BEGIN:VCARD
  • VERSION:2.1
  • N:Chen;Shuo
  • FN:Shuo Chen
  • BDAY:19750317AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
  • EMAIL;PREF;INTERNET:shuochen@avaya.com
  • REV:20010619T141800Z
  • END:VCARD

8
Real exploit: Netscape SmartDownload 1.3 buffer
overflow
  • A component for URL parsing has an unchecked
    buffer.
  • <HTML><BODY>
  • This is a test.<P>
  • <A HREF="http://www.yahoo.com/AAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAA.zip" onMouseOver="window.status='I am
    friendly'; return true">Crash Me</A><P>
  • End test.
  • </BODY></HTML>

9
Real exploit: FrontPage Server Extension
sub-component buffer overflow vulnerability
  • When we make the following request
  • curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`
  • we get such a response:
  • <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>The server is unable to
    perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</b> at this
    time.</BODY>
  • But if it is longer than 258 bytes, a buffer
    overflow will occur.
  • curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

10
IIS running without Libsafe: remote attack
succeeds (Screen Shots)
(Screen shots: start attack from kira; try to get a shell; get full access.)
11
IIS running with Libsafe: remote attack fails
(Screen Shots)
(Screen shots: start attack from kira; try to get a shell; attack fails.)
12
Limitations of Libsafe
  • The buffer overflow should be caused by the
    string functions intercepted by Libsafe.
  • The program to be protected should use
    frame-pointers.
  • The attack string should try to overwrite the
    return address. This implies that the buffer has
    to be on the stack.
  • (Libsafe is bypassed when it cannot handle the
    situation. It does no harm to the program.)
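Added example (not from the presentation or the Libsafe code base) implementing the slide-6 check together with the stack-only limitation of slide 12 in C: the copy is bounded by the distance from the destination buffer to the saved frame pointer, and a buffer that Libsafe cannot place in a stack frame is passed through unchecked. The frame layout, the fp/ra marker values and the caller-supplied frame boundary are constructed assumptions; real Libsafe walks the frame-pointer chain itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the slide-5 frame: 80-byte buffer, saved fp, ra. */
struct frame {
    char      buffer[80];
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Libsafe-style strcpy. Real Libsafe finds frame_end by walking the saved-fp
   chain; here the caller passes it (an assumption of this example). A NULL
   frame_end models a buffer Libsafe cannot place in a stack frame (e.g. on
   the heap): the copy passes through unchecked, the bypass slide 12 notes. */
int libsafe_strcpy(char *dest, const char *src, const void *frame_end)
{
    if (frame_end != NULL) {
        /* Bytes from dest up to the saved fp: 80 for the slide-5 frame. */
        size_t max_size = (size_t)((const char *)frame_end - dest);
        if (strlen(src) + 1 > max_size) {
            fprintf(stderr, "libsafe: blocked %zu-byte strcpy into %zu-byte stack buffer\n", strlen(src) + 1, max_size);
            return 0;   /* the "report the event" branch of slide 6 */
        }
    }
    strcpy(dest, src);
    return 1;
}

int last_frame_intact;  /* set by run_scenario: did fp and ra survive? */
/* Copies `len` 'A's into the model frame (on_heap == 0) or a heap buffer.
   Returns 1 if the copy was allowed, 0 if Libsafe blocked it. */
int run_scenario(size_t len, int on_heap)
{
    char input[256];
    struct frame f = { {0}, 0xCAFE, 0xBEEF };
    char *heap_buf = on_heap ? malloc(sizeof input) : NULL;
    int allowed;
    if (len >= sizeof input) len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    if (on_heap)
        allowed = libsafe_strcpy(heap_buf, input, NULL);
    else
        allowed = libsafe_strcpy(f.buffer, input, &f.saved_fp);
    last_frame_intact = (f.saved_fp == 0xCAFE && f.ret_addr == 0xBEEF);
    free(heap_buf);
    return allowed;
}
```

The 88-byte string of slide 5 is refused (89 bytes including the terminator exceed the 80 bytes below fp), a 79-byte string is copied, and the same 88-byte string into a heap buffer is not checked at all.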

13
My work this summer
  • Investigated the effectiveness of Libsafe on
    Windows
  • Ported Libsafe to Windows
  • Tested Libsafe with sample/real-world exploit
    programs
  • Wrote a detailed TM
  • This work will be distributed internally and
    externally

14
Acknowledgment
  • My mentor Tim Tsai
  • ARC Help people: Tarek Warraky, Lookman Fazal and
    Eniko Kovacs
  • My first-week mentors Navjot Singh and
    Hamilton Slye