1. Why is it necessary for us to provide the flag -fno-stack-protector to GCC? What is a canary in terms of a buffer overflow and how can a canary prevent a buffer overflow exploit?
2. If the game above was written in Java instead of C, would the savegame still be exploitable?
3. Imagine you were exploiting a program that was running with escalated privileges (i.e. it could read sensitive files, modify other users' settings and so on). Is it possible to obtain a BASH shell using buffer overflows? Be sure to explain what shellcode is and how the shellcode is executed.
Low Level Exploits
We were able to manipulate the gold of this game by inputting a name longer than 10 bytes. However, in C a char buffer is laid out in 4-byte increments called words, which means that even though our char array is 10 bytes long, it still occupies 12 bytes at the same memory address. So we inputted a name that was 12 bytes long, which then overflowed into the next memory address, that of the gold integer. In C a struct places its members next to each other in memory. This is relevant because when we overflow the name variable, the excess bytes are stored in the gold variable. To change the gold to over 9000 we have to overflow in a specific way. After our 12-byte input, the next bytes we input as ASCII characters are stored as their hexadecimal representation in the memory address of gold. For example, if our extra bytes are *** and our 12-byte name is 12-byte-name, then the hex representation of the ASCII characters *** is 2A,2A,2A, which is represented as 0x2A2A2A, and this number converted to decimal is 2763306.
When the input is too long, it looks like bad behaviour, because when the stack overflow occurs with ASCII characters an error message is displayed that depends on the programs installed on the operating system (attacks?, 2017). The allocation of memory space varies between C compilers. After the buffer storage area is filled, it is impossible to create the integer type, so the 'word' data type is recommended for the 12 bytes. After these 12 bytes are filled, the input is stored in the gold's memory address as hexadecimal values, which are finally converted into a decimal value.
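The savegame overflow described above, as an added example that is not part of the original report: Python's ctypes reproduces the C struct layout (a 10-byte name padded to 12 bytes, then a 4-byte int), an unchecked copy shows "***" landing in gold, and a bounded copy shows the fix. The struct name, the 100-gold starting value and the two loader functions are assumptions, and the resulting value assumes a little-endian host.

```python
import ctypes

class SaveGame(ctypes.Structure):
    # Assumed layout of the game's C struct: a 10-byte name buffer that the
    # compiler pads to 12 bytes, immediately followed by the 4-byte gold int.
    _fields_ = [("name", ctypes.c_char * 10),
                ("gold", ctypes.c_int)]

NAME_SIZE = SaveGame.name.size            # 10
GOLD_OFFSET = SaveGame.gold.offset        # 12: name plus 2 bytes of padding
STRUCT_SIZE = ctypes.sizeof(SaveGame)     # 16

def load_name_unchecked(save: SaveGame, raw: bytes) -> None:
    """Behaves like strcpy(save->name, raw): every input byte plus the
    terminating NUL is copied starting at name, ignoring the 10-byte limit.
    The single bound below only keeps this demo inside the struct; the
    game's own code has no bound at all."""
    data = raw + b"\x00"
    if len(data) > STRUCT_SIZE:
        raise ValueError("demo input would run past the struct")
    ctypes.memmove(ctypes.addressof(save), data, len(data))

def load_name_bounded(save: SaveGame, raw: bytes) -> None:
    """The fix: like snprintf(save->name, sizeof save->name, "%s", raw),
    keep at most NAME_SIZE - 1 bytes so the NUL still fits and gold is
    never reached. Longer names are silently truncated."""
    save.name = raw[:NAME_SIZE - 1]   # ctypes NUL-terminates the array

def gold_after_load(loader, player_input: bytes) -> int:
    """Create a fresh save with 100 gold, apply a loader, report the gold."""
    save = SaveGame(b"", 100)
    loader(save, player_input)
    return save.gold

# Constructed input: "12-byte-name" fills name and its padding (12 bytes),
# so the three '*' (0x2A) bytes and the NUL land exactly on gold.
PAYLOAD = b"12-byte-name***"

# gold is a little-endian int on x86, so bytes 2A 2A 2A 00 read as 0x2A2A2A.
EXPECTED_GOLD = int.from_bytes(b"***\x00", "little")   # 2763306

if __name__ == "__main__":
    print("layout: gold at offset", GOLD_OFFSET, "struct size", STRUCT_SIZE)
    print("unchecked copy -> gold =", gold_after_load(load_name_unchecked, PAYLOAD))
    print("bounded copy   -> gold =", gold_after_load(load_name_bounded, PAYLOAD))
```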
One method is to use a managed language like C# or Python. These languages have out-of-bounds checking on arrays automatically, so you cannot overflow at all. Another method is to use a static analysis program that parses the program and attempts to find buffer overflows. This is expensive and time consuming. So one of the best methods is to use a stack canary, which is a 4- or 8-byte number located before the return address and allows the program to verify that the canary has not been changed before the function returns.
The chosen programming language should have its direct memory access handled by classes that provide memory-handling functionality, such as std::string. But if these classes are used heavily, problems with memory space can occur. Another efficient method is to use code analysis tools such as Veracode, Fortify and Qualys to identify any buffer overflows in the code, so that the overflow can be identified and fixed (Cse.scu.edu, 2017).
The implemented exploit is more useful because it lets us modify the memory space of any program in any order we choose while the exploit is present. To control the flow of the entire process, arbitrary machine code is written, because generating arbitrary machine code is not a difficult task. So control of the process can be achieved by creating an account on a target machine and also by altering the configuration of the target machine. This is done by changing the return address of the function to point to another function that contains the malicious code. It can be applied to any type of machine or program. This program can be one written in an unmanaged language, such as a web server or a proprietary login manager, for gaining remote access from there, whatever we like.
We have to use the flag -fno-stack-protector because otherwise our command would fail, as GCC automatically adds stack smashing protection. This protection adds a canary, which is a 4- or 8-byte value located before the return address that must be checked against an expected value, or else the program terminates due to a corrupted canary.
The canary is a value that guards the stack-allocated data. It is located between the control data of the stack and the buffer. It helps to detect any buffer overflows on the stack. When the buffer is overflowed, the canary value is destroyed, which shows that the overflow has proceeded past the buffer. After examining the canary value, if it is found that the program is affected by malicious code, the execution is terminated automatically. So it protects the program from the attacker. There are three types of canaries: terminator canaries, random canaries and random XOR canaries. Terminator canaries rely on the strcpy() method to stop the attacker, because it won't copy the null character. Random canaries help against an attacker reading the program from the stack. These canaries provide the re-encoding methodology for the protection (SearchSecurity, 2017).
The canary becomes corrupted by being overwritten or changed by a buffer overflow, so this is an effective method to find and prevent buffer overflows.
If the game was written in Java it would no longer be exploitable, because Java includes out-of-bounds checking on its arrays and would return an ArrayOutOfBound error that terminates the program instead of overwriting memory.
If the program we were exploiting ran with escalated privileges, we could run arbitrary machine code through a buffer overflow that would execute a bash shell by running '/bin/sh'. After running /bin/sh we have a terminal window in which we can run whatever other commands we like. This code is known as shellcode.
At first, 'objdump' is used to get the static address. Then this command is run with 'gdb'. After executing it, the address of the stack can easily be found. Then the buffer is filled with a string that overwrites the return address stored after the buffer. Now we can insert the exploit code instead of inserting code from another program.
We were able to log in as any user we wanted, provided that we had the username, by injecting a SQL statement into the password field. For our password we input the line ' OR "" = "";-- which means that first we close the password string with the ', then we insert an OR statement that checks whether "" = "" is true, which it always is, and then we ignore the rest of the SQL line by inserting the comment symbol -- .
The SQL query is created while the user enters the username and password. Then it is executed to validate these inputs against the details stored in the database. If a match is found, the user is granted permission. To bypass this security mechanism, SQL code is injected into the input fields, and the result is obtained by executing the resulting valid SQL statement. If there are any errors in the SQL query syntax, a valid result cannot be obtained, so random SQL commands never produce a successful authentication (Sechow.com, 2017).
We could get Bobby's password by querying his username in a second select statement. However, because the database does not allow two select statements at the same time, we had to use the UNION keyword, which joins the results of two select statements into one. And since the fetchone command returns the result of our most recent select statement, we are able to display the answer to the last query. Using the union, our SQL injection was ' UNION SELECT password FROM Users WHERE username = 'Bobby';-- which gave us the answer User UNION SELECT password FROM Users WHERE username = 'Bobby';-- is lolcats .
One way to prevent these attacks is to let the SQL library insert the argument. The current code uses the Python format function to place a user-provided string directly into the query, whereas if you let the SQL library do it using the ? placeholder, it will convert the value into part of the SQL statement while also escaping any commands. It is a difficult problem to fix because it is so easy to allow these exploits to take place, and also because when exploits happen they are completely transparent to you: no errors are returned, since it is normal SQL code. And it is common because most database engineers do not factor in SQL attacks when designing the architecture, or because you may be using insecure infrastructure or an old version of a database, or you may not have enough time or money to go through your code and look for vulnerabilities.
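The login bypass described above and the ? placeholder fix from the last paragraph, as an added example that is not part of the original report; the Users table, its two rows and both login functions are constructed here. The page's payload uses double quotes, which SQLite only treats as string literals under its legacy double-quoted-string setting, so the block uses the single-quote form, which behaves the same on every SQLite build.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the game's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("Bobby", "lolcats"), ("User", "hunter2")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the report criticises: user strings are formatted straight
    into the SQL text, so a quote in the input closes the string and the rest
    of the input is parsed as part of the statement."""
    query = ("SELECT username FROM Users WHERE username = '{}' "
             "AND password = '{}'").format(username, password)
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: ? placeholders let the library bind the values, so the input
    is only ever compared as data and never parsed as SQL."""
    query = "SELECT username FROM Users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# The report's bypass in single-quote form: the leading ' closes the password
# string, OR '' = '' is always true, and -- comments out the trailing quote.
BYPASS = "' OR '' = '';--"

def demo() -> dict:
    """Run the same payload against both login functions and report
    whether each one accepted it."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "User", BYPASS),
        "parameterized_bypass": login_parameterized(conn, "User", BYPASS),
        "parameterized_real": login_parameterized(conn, "Bobby", "lolcats"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```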
SQL injections are very common vulnerabilities, and they happen because of the following factors (Securityidiots.com, 2017).
- Interesting data
- Critical data
- Vulnerabilities of the SQL injection significance
For protection the following steps are applied.
- Primary defenses
  - prepared statements usage
  - stored procedures usage
  - removing the inputs that are given by the user
- Additional defenses
  - providing the least privilege
  - performing white-list input validation
To overcome the problem of SQL injection attacks, the following steps are needed.
- The input given by the user should be validated for range, length, type and format.
- To access particular data, type-safe SQL parameters need to be used. These parameters are used along with stored procedures. Type checking can be done using 'SqlParameterCollection', because length validation and type checking are provided by this parameter collection. The major advantage of this constraint is that the user input is accepted as a literal value, so it cannot be treated as executable code by the SQL server.
- Direct table access should not be provided for the chosen stored procedure.
When any error occurs in the database, the full details of the database error should not be disclosed (Msdn.microsoft.com, 2017).
attacks?, W. (2017). What are the prevention techniques for the Buffer overflow attacks?. [online] Stackoverflow.com. Available at: https://stackoverflow.com/questions/3705547/what-are-the-prevention-techniques-for-the-buffer-overflow-attacks [Accessed 8 Jun. 2017].
Cse.scu.edu. (2017). Buffer Overflow Attack. [online] Available at: https://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/BufferOverflow.html [Accessed 8 Jun. 2017].
Msdn.microsoft.com. (2017). How To: Protect From SQL Injection in ASP.NET. [online] Available at: https://msdn.microsoft.com/en-us/library/ff648339.aspx [Accessed 8 Jun. 2017].
SearchSecurity. (2017). How to stop buffer-overflow attacks and find flaws, vulnerabilities. [online] Available at: https://searchsecurity.techtarget.com/tip/How-to-stop-buffer-overflow-attacks-and-find-flaws-vulnerabilities [Accessed 8 Jun. 2017].
SearchSecurity. (2017). What is buffer overflow? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/buffer-overflow [Accessed 8 Jun. 2017].
Sechow.com. (2017). SQL injection | OWASP Bricks Login page #1. [online] Available at: https://sechow.com/bricks/docs/login-1.html [Accessed 8 Jun. 2017].
Securityidiots.com. (2017). Login Bypass Using SQL Injection. [online] Available at: https://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html [Accessed 8 Jun. 2017].