Stack Overflow>
If a program is written in weakly typed language such as C/C++ and/or copies from one buffer on the stack to another then it might be vulnerable to stack overflow attack.
**should avoid using "gets()".
Example>
*************************************
#include
void f(char* s) {
char buffer[10];
strcpy(buffer, s);
}
void main(void) {
f("01234567890123456789");
}
[root /tmp]# ./stacktest
Segmentation fault
************************************
Heap Overflow>
If a code is written in weakly typed language and it doesn't use canary values or capable of using executalbe stacks then it is vulnerable.
Format string vulnerablity>
By using functions such as printf, sprintf directly, or inderctly through system services.
This situation tends to become precarious on account of the fact that a user who can supply format specifiers can perform
the following malicious actions:
Enumerate Process Stack:
This allows an adversary to view stack organization of the vulnerable process by supplying format
strings, such as %x or %p, which can lead to leakage of sensitive information. It can also be used to extract canary values
when the application is protected with a stack protection mechanism. Coupled with a stack overflow, this information can
be used to bypass the stack protector.
Control Execution Flow:
This vulnerability can also facilitate arbitrary code execution since it allows writing 4 bytes of data
to an address supplied by the adversary. The specifier %n comes handy for overwriting various function pointers in memory
with address of the malicious payload. When these overwritten function pointers get called, execution passes to the
malicious code.
Denial of Service:
If the adversary is not in a position to supply malicious code for execution, the vulnerable application can
be crashed by supplying a sequence of %x followed by %n.
Example>
******************************************
#include
#include
#include
#include
void main(void) {
char str[100] = scanf("%s");
printf("%s", str);
}
*****************************************
change the last statement to printf(str) and the input like -> %08x%08x%08x%08x%08x
from this input the program can be exploited to print the first five entries from the stack.
Unicode Overflow>
written in weakly typed language, take Unicode from user, doesn't use technique as canary values to prevent buffer overflow and doesn't sanitize the input then its vulnerable to Unicode overflow.
Integer Overflow>
When an application takes two numbers of fixed word size and perform an operation with them, the result may not fit within the same word size.
Example>
****************************************
#include
#include
void main(int argc, char *argv[]) {
int i = atoi(argv[1]); // input from user
unsigned short s = i; // truncate to a short
char buf[50]; // large buffer
if (s > 10) { // check we're not greater than 10
return;
}
memcpy(buf, argv[2], i); // copy i bytes to the buffer
buf[i] = '\0'; // add a null byte to the buffer
printf("%s\n", buf); // output the buffer contents
return;
}
[root /tmp]# ./inttest 65580 foobar
Segmentation fault
***************************************
**should examine the use of signed integers, bytes and short
after airthmetic operations
**should check for exceptions if language supports.
Log Forging>
When data is entered into application from untrusted source and the data written to the app's log file then log forging is occuring.
Example>
***************************************
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException) {
log.info("Failed to parse val = " + val);
}
output: INFO: Failed to parse val=twenty-one __ for input, twenty-one
output: INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy __ for input, "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy"
***************************************
Process Control>
Excecuting commands from unknown source.
Example>
*******************************************
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
here changing the "APPHOME" syatem proeprty an attacker can insert malicious object's path to execute
--------
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
here btype is not validdated.If an attacker passes a string of the form "&& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program
***********************************************
Example>(Ref from owasp testing_guide)
*********************************************
void log_create(int severity, char *inpt) {
char b[1024];
if (severity == 1)
{
strcat(b,”Error occured on”);
strcat(b,":");
strcat(b,inpt);
FILE *fd = fopen ("logfile.log", "a");
fprintf(fd, "%s", b);
fclose(fd);
. . . . . .
}
in the bove code in line "strcpy(b.input)"
overflow will occur if inpt exceeds 1024 bytes.
*******************************************************
Example>(Ref from owasp testing_guide)
******************************************************
Void func(char *path)
{
char servaddr[40];
…
memccpy(servaddr,path,'\');
….
}
In the above code information in the "path" can be longer than 40 bytes before "\" character can be found. In that case stack overflow would occur.
********************************************************
Tools: RATS, Flawfinder and ITS4 are available for analyzing C-style languages.
Info Ref: http://www.owasp.org/index.php/Buffer_Overflows
No comments:
Post a Comment