3. Who am I
Sanghwan Ahn (h2spice)
Security Researcher in Team (NSHC Inc.)
Vulnerability/malware analysis, bug hunting, mobile security
Wednesday, 3 July 2013
6. Agenda
Introduction to vulnerabilities
  What is a vulnerability?
  How vulnerabilities are used
  Why we must find vulnerabilities
Before finding vulnerabilities, things we should know
  What knowledge will help you
  What experience will help you
  Think and act like a hacker
5. Agenda
How can we find vulnerabilities?
  Superficial analysis on the target
  Internal analysis on the target
  Crash occurs
Demonstration
  ActiveX modules used in banking/finance
Conclusion
7. What is a vulnerability
In a narrow sense
  A weakness or flaw in computer hardware or software
  A loophole in the system or in its design
  It allows an attacker to reduce the system's information assurance
  (e.g. execution of arbitrary code, bypassing a security mitigation)
In a broad sense
  It refers to all information security risks, including user and
  administrator negligence and social engineering weaknesses
8. How to use the vulnerability
Financial benefits
Information stealing
APT (Advanced Persistent Threat)
  PDF, HWP, MS Word vulnerabilities
  3.20 Korean cyber terrorism
Random target attack
  Via web browser vulnerabilities
  Making zombies
[Refer to FireEye's Next-Generation Threats]
9. Percentage of Total Infections
[According to FireEye Cyber Attack Landscape]
Technology : 25%
Banking/Finance/Insurance : 14%
Manufacturing : 9%
Healthcare : 9%
Entertainment/Media : 8%
Energy/Utilities : 8%
Telecommunications : 7%
Business Services : 6%
Retail : 6%
Logistics/Transportation : 5%
Other : 3%
10. Vulnerability disclosure growth by year
[According to IBM X-Force Research and Development]
[Chart: number of vulnerability disclosures per year, 1996 to 2012; y-axis from 0 to 9,000]
11. Why we must find vulnerabilities
Attacks using 0-days are difficult to detect and the extent of the damage is huge
If we discover the vulnerability in advance, the best solution, getting the vulnerability patched, becomes possible
Give me the money (Pwn2Own 2013)
  Google Chrome on Windows 7 ($100,000)
  Microsoft Internet Explorer: IE 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000)
To be a hacker: most of them can find vulnerabilities on any platform; that is the starting point of hacking
13. What knowledge will help you?
Languages
  ASM / C / C++ / Python / Perl
Types of vulnerability
  Buffer overflow (stack, heap, integer)
  Null pointer dereference
  Format string bug
  Use after free
  etc.
14. What experience will help you?
Vulnerability analysis
  Non-CVE vulnerability analysis
  CVE-XXXX-XXXX vulnerability analysis
16. Think and Act like a hacker
There is no perfection in software, because it is made by humans, so vulnerabilities exist.
Check from a small part.
Do not be greedy; take it step by step.
If I can't find a vulnerability, that is my fault.
17. How to find vulnerabilities
Superficial analysis on the target
Internal analysis on the target
Crash occurs
Exploitation / Weaponizing
20. Phase 2. Internal Analysis on The Target
Although there are various approaches, many hackers use a few popular ones: SA (source code auditing), reverse engineering, and fuzzing.
21. Source Code Auditing
If you have the source code, you can find vulnerabilities
This is a powerful approach
Applied in many places
22. Approach method
[Code Auditing Flowchart (figure). Approach columns: Code Auditing / Reverse Engineering / Fuzzing, with a Step column. Nodes: Start → is it open-source software? (Y: the code-auditing path; N: decompile, i.e. reverse engineering) → is it an open-source library? (Y: search library → check version → vulnerable version? Y: exploitation) → code analysis → find vulnerability → exploitation]
27. How to analyze source code
Code analysis
  Accessible entry points from the user interface
    Can be accessed
    Can be manipulated
  Common vulnerabilities
    Buffer overflow (stack / heap / integer)
    Format string
  Using automatic analysis tools
    RATS, ITS4, FindBugs, Flawfinder, Splint
28. Stack Buffer Overflow in Source Code
Fixed buffer
  (e.g. buffer[4096], or buffer[BUFFER_SIZE] with a #define'd size)
In the source code, find dangerous functions such as strcpy( ) and sprintf( ).
  They are often wrapped and used under another name, e.g. abc_strcpy( ).
Sometimes a buffer overflow is caused by the termination condition of a loop.
29. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
30. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 1. Search accessible entry points
| Program Name | Accessible Entry Point | File Type | File Format |
| VLC 2.0.0 | Open File | Video | 3g2 / 3gp / 3gp2 / amv / asf / etc. |
| | | Audio | a52 / aac / ac3 / adt / adts / etc. |
| | | Playlist | m3u / wpl / ram / pls / gvp / etc. |
| | | URL | mms / rtmp / rtp / rtsp / smb / etc. |
31. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 1. Search accessible entry points (continued)
Of the entry points listed above, the stack-based buffer overflow occurs through the URL entry point (mms).
32. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 2. Find the source code for the accessible entry point
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ |grep "mms"
.//contrib/src/src/goom/goom2k4-xmmslibdir.patch
.//modules/access/mms
.//modules/access/mms/asf.c
.//modules/access/mms/asf.h
.//modules/access/mms/buffer.c
.//modules/access/mms/buffer.h
.//modules/access/mms/Makefile.am
.//modules/access/mms/Makefile.in
.//modules/access/mms/mms.c
.//modules/access/mms/mms.h
.//modules/access/mms/mmsh.c
.//modules/access/mms/mmsh.h
.//modules/access/mms/mmstu.c
.//modules/access/mms/mmstu.h
.//modules/access/mms/Modules.am
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$
Searching for the accessible entry point (mms) finds the source code that handles it: modules/access/mms/.
33. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 3-1. Check for dangerous methods (e.g. strcpy, sprintf, etc.)
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcpy"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcat"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "getwd"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "gets"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "fscanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "scanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "realpath"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "sprintf"
grep: ./: Is a directory
.//mmsh.c:518: if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
.//mmstu.c:535: sprintf( tmp,
.//mmstu.c:592: sprintf( tmp,
.//mmstu.c:599: sprintf( tmp, "192.168.0.1TCP1242" );
h2spice-ui-MacBook-Pro:mms h2spice$
Search for dangerous methods (the "grep: ./: Is a directory" lines only mean that find passed the directory itself to grep; they can be ignored).
34. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 3-1 (continued). As a result, you can find the code that uses a dangerous method: the sprintf( ) calls in mmstu.c at lines 535, 592 and 599, and the asprintf( ) call in mmsh.c at line 518.
35. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 3-2. Simple check via automatic tools (RATS, etc.)
C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
Analyzing mmstu.c
mmstu.c:459: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
mmstu.c:535: High: sprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.
mmstu.c:535: High: sprintf
mmstu.c:592: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.
36. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 4. Analyze source code in detail
    /* vlc-2.0.0/modules/access/mms/mmstu.c */
    /****************************************************************************
     * MMSOpen : Open a connection with the server over mmst or mmsu
     ****************************************************************************/
    static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
    {
        access_sys_t *p_sys = p_access->p_sys;
        int          b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;
        var_buffer_t buffer;
        char         tmp[4096];
        uint16_t     *p;
        int          i_server_version;
        int          i_tool_version;
        int          i_update_player_url;
        int          i_encryption_type;
        int          i;
        int          i_streams;
        int          i_first;
        char         *mediapath;
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted ~~~~~~~~~~~~~~~~~~~~~~~~~~ */
        /* *** send command 1 : connection request *** */
        var_buffer_initwrite( &buffer, 0 );
        var_buffer_add16( &buffer, 0x001c );
        var_buffer_add16( &buffer, 0x0003 );
        sprintf( tmp,
                 "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
                 GUID_PRINT( p_sys->guid ),
                 p_url->psz_host );
[Stack diagram: tmp[4096] sits below the saved EBP and the return address (EIP)]
A static (fixed-size) buffer, tmp[4096], is allocated on the stack.
37. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 4. Analyze source code in detail (continued)
The request packet built by sprintf( ) is copied into the tmp[4096] buffer on the stack.
38. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 4. Analyze source code in detail (continued)
If a valid request packet is received, the buffer overflow does not occur, e.g.:
    NSPlayer/7.0.0.1956; {"user"}; Host: www.h2spice.net
39. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 4. Analyze source code in detail (continued)
But if an invalid request packet is received, the buffer overflow occurs, e.g.:
    NSPlayer/7.0.0.1956; {"user"}; Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAA... (a host string longer than the 4096-byte buffer)
The copy runs past tmp[4096] and over the saved EBP and EIP.
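The sprintf( )-into-a-fixed-stack-buffer pattern from slide 28 and the VLC walkthrough above, beside a hardened form, as an added example that is not VLC's code or the slides' code: the same request is built with snprintf( ) and a truncation check, and the host is validated before any formatting happens. The helper names and the sample GUID value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC's code. It mirrors the MMSOpen() pattern from the
 * slides: a fixed 4096-byte stack buffer is filled by sprintf() with a host
 * name taken from a user-supplied URL. Helper names are hypothetical; the
 * GUID is a constructed sample value. */

#define TMP_SIZE 4096
#define GUID_STR "12345678-1234-1234-1234-123456789abc"   /* constructed */

/* The slides' shape (CVE-2012-1775): sprintf() cannot know the size of
 * tmp, so a host longer than about 4 KB is written past the end of the
 * array and over the saved EBP/EIP. Kept only for comparison; never called. */
void build_connect_request_unsafe(char tmp[TMP_SIZE], const char *host)
{
    sprintf(tmp, "NSPlayer/7.0.0.1956; {%s}; Host: %s", GUID_STR, host);
}

/* Hardened shape: snprintf() bounds the write and returns the length the
 * untruncated string would have had, so the caller can refuse to continue
 * instead of sending a silently truncated request.
 * Returns the bytes written, or -1 if the host does not fit. */
int build_connect_request(char *dst, size_t dstlen, const char *host)
{
    int n = snprintf(dst, dstlen, "NSPlayer/7.0.0.1956; {%s}; Host: %s",
                     GUID_STR, host);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen) dst[0] = '\0';      /* do not leave a half-built request */
        return -1;
    }
    return n;
}

/* Better still: validate at the parsing boundary, before formatting.
 * A DNS host name is at most 255 bytes (RFC 1035); anything longer or
 * containing whitespace is not a host and should be rejected early. */
int host_is_sane(const char *host)
{
    size_t len = strlen(host);
    return len > 0 && len <= 255 && strpbrk(host, " \t\r\n") == NULL;
}

/* Builds the long run of 'A' bytes the slide uses as the invalid input. */
static void make_long_host(char *buf, size_t len)
{
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
}

/* Normal host: returns the request length (well under TMP_SIZE). */
int demo_normal_host(void)
{
    char tmp[TMP_SIZE];
    return build_connect_request(tmp, sizeof tmp, "www.example.com");
}

/* 8 KB host: returns -1 and tmp is left empty instead of overflowed. */
int demo_long_host(void)
{
    char tmp[TMP_SIZE];
    char longhost[8192];
    make_long_host(longhost, sizeof longhost);
    return build_connect_request(tmp, sizeof tmp, longhost);
}

/* host_is_sane() on the same 8 KB host: 0, rejected before formatting. */
int demo_long_host_sane(void)
{
    char longhost[8192];
    make_long_host(longhost, sizeof longhost);
    return host_is_sane(longhost);
}

int main(void)
{
    printf("normal host  -> %d bytes\n", demo_normal_host());
    printf("8 KB host    -> %d (rejected)\n", demo_long_host());
    printf("host_is_sane -> %d\n", demo_long_host_sane());
    return 0;
}
```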
40. Heap Buffer Overflow in Source Code
h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//access.c:168: p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
.//access.c:171: p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
.//real.c:433: buf= (char *)malloc(2048);
.//real.c:611: char *buf = malloc(256);
.//real.c:666: description = malloc(size+1);
.//real.c:675: subscribe = malloc(256);
.//real_asmrp.c:93: p = malloc (sizeof (asmrp_t));
.//real_rmff.c:384: mdpr->type_specific_data = malloc(type_specific_len);
.//real_sdpplin.c:70: buf = malloc( BUFLEN );
.//real_sdpplin.c:74: decoded = malloc( BUFLEN );
.//real_sdpplin.c:146: desc->mlti_data = malloc(desc->mlti_data_size);
.//real_sdpplin.c:193: buf = malloc( BUFLEN );
.//real_sdpplin.c:200: decoded = malloc( BUFLEN );
.//real_sdpplin.c:262: desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
.//rtsp.c:505: s->host = malloc(hostend+1);
Search for malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
Searching for the memory-allocation methods this way finds every piece of code that calls them.
41. Heap Buffer Overflow in Source Code
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
    /* real_sdpplin.c, the malloc( ) hit at line 146 in the grep output above */
    if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
        desc->mlti_data_size =
            vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
        if ( desc->mlti_data_size ) {
            desc->mlti_data = malloc(desc->mlti_data_size);
            memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
            handled=1;
            *data=nl(*data);
            lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
        }
    }
45. Heap Buffer Overflow in Source Code
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
In the code above the malloc( ) size and the memcpy( ) length are the same variable (desc->mlti_data_size), so they are equal. If equal, move on and check the other malloc( ) and memcpy( ) calls.
46. httpdx 1.5.4 Heap Overflow
Step 1. Search for malloc( ) or memcpy( )
h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//daemon.cpp:100: //d = (char*)malloc(_size);
.//daemon.cpp:191: //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
.//daemon.cpp:204: mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
.//ftp.cpp:122: client->transfers[client->transfers_c].d = (char*)malloc(1);
.//http.cpp:250: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:357: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:467: client->d = (char*)malloc(client->ds);
.//http.cpp:661: client->pd = (char*)malloc(client->cl+1);
.//script.cpp:233: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:246: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:264: //nodes[*ns].str = (char*)malloc(el+1);
h2spice-ui-MacBook-Pro:httpdx_src h2spice$
Searching for the memory-allocation method finds the code that calls it (the malloc( ) hits above).
47. httpdx 1.5.4 Heap Overflow
Step 2. Compare the allocated memory size to the copied data size
    // http.cpp, the malloc( ) hit at line 661 in the grep output above
    int h_readrequest(phclient_t client){
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
                int hs = p-client->req; //Get data position in request
                if(p){
                    client->pd = (char*)malloc(client->cl+1);
                    int pos = p+4-client->req;
                    memcpy(client->pd,client->req+pos,(client->rs-hs-4));
                    client->pds = client->rs-hs-4;
                    if((client->rs-hs-4) >= client->cl)
                        client->state = STATE_REQD;
                    else client->state = STATE_DATADOWN;
                }else{
                    client->state = STATE_ERROR;
                    return (client->code = C_REQUESTENTITYTOOLARGE);
                }
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            }
        }
    }
51. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis
In the code above the allocation is client->cl+1 bytes, but memcpy( ) copies client->rs-hs-4 bytes: the two sizes are not equal, so carry out a detailed analysis.
52. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis
The variables involved (source path: source/include/http.h, structure name: phclient_t):
| Variable Type | Variable Name | Detail Info |
| int | socket | socket to communicate |
| char | host[256] | what host the client used |
| char * | pd | post-data: size is allocated with "Content-Length" |
| size_t | pds | post-data size |
| int | cl | content-length |
| char | req[4096] | request buffer |
| int | rs | request size (by received packet) |
53. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis (continued)
The two sizes that matter are cl (content-length, which sizes the allocation) and rs (the request size from the received packet, which drives the copied length).
54. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis (continued)
Generate a malformed packet and send it to the server:
    POST /index.html HTTP/1.0
    Content-Length: 100
    Content-Type: text
    Host: AAAAAAAAA.....AAAAAAAAAAA
[Heap diagram: a heap-based buffer[101] with other heap space on either side]
A dynamic buffer of 101 bytes (Content-Length + 1) is allocated on the heap.
55. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis (continued)
The request packet is copied into the 101-byte buffer.
56. httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis (continued)
If the Content-Length is smaller than the request packet size, the copy runs past the 101-byte buffer into the neighbouring heap space: a heap buffer overflow occurs.
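The httpdx Content-Length mismatch from steps 2 and 3 above, with the copy length bounded by the allocation, as an added example that is not httpdx's code or the slides' code. The structure and helper names are assumptions and the POST request is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpdx's code. It reproduces the shape of
 * h_readrequest() from the slides: the post-data buffer is sized from
 * Content-Length (cl + 1) while the memcpy() length is whatever arrived
 * after the header terminator (rs - hs - 4). Names are hypothetical and
 * the request below is constructed. */

#define REQ_MAX  4096          /* req[4096] on the slides */
#define BODY_MAX (1u << 20)    /* refuse absurd Content-Length values */

typedef struct {
    char   req[REQ_MAX];  /* raw request as received */
    size_t rs;            /* request size (bytes received) */
    long   cl;            /* Content-Length value, -1 if missing/invalid */
    char  *pd;            /* post data, heap allocated */
    size_t pds;           /* post data size actually stored */
} hclient_t;

/* Vulnerable shape from the slides (kept as a comment, not compiled):
 *   client->pd = (char*)malloc(client->cl + 1);
 *   memcpy(client->pd, client->req + pos, client->rs - hs - 4);
 * The copy length comes from the received size, not from cl, so a body
 * longer than Content-Length runs past the 101-byte allocation. */

/* Extracts the Content-Length value; -1 if absent or not a number. */
static long parse_content_length(const char *req)
{
    const char *p = strstr(req, "Content-Length:");
    if (!p) return -1;
    p += strlen("Content-Length:");
    while (*p == ' ') p++;
    if (*p < '0' || *p > '9') return -1;
    return strtol(p, NULL, 10);
}

/* Hardened body copy: the length is clamped to min(cl, bytes available),
 * i.e. to the allocation. Returns 0 on success, -1 on a bad request. */
int read_post_body(hclient_t *c)
{
    const char *hdr_end = strstr(c->req, "\r\n\r\n");
    if (!hdr_end) return -1;                         /* headers incomplete */
    size_t hs = (size_t)(hdr_end - c->req) + 4;      /* body offset */
    if (hs > c->rs) return -1;
    size_t avail = c->rs - hs;                       /* rs - hs - 4 on slides */
    if (c->cl < 0 || (unsigned long)c->cl > BODY_MAX) return -1;
    size_t cl = (size_t)c->cl;
    c->pd = malloc(cl + 1);
    if (!c->pd) return -1;
    size_t n = avail < cl ? avail : cl;              /* the missing bound */
    memcpy(c->pd, c->req + hs, n);
    c->pd[n] = '\0';
    c->pds = n;      /* n < cl means more body is still to come (STATE_DATADOWN) */
    return 0;
}

/* Builds a constructed POST whose header claims Content-Length: claimed
 * while body_len 'B' bytes actually follow the headers. Returns the number
 * of bytes stored in pd, or -1 if the request was rejected. */
long demo_body(long claimed, size_t body_len)
{
    hclient_t c;
    memset(&c, 0, sizeof c);
    int n = snprintf(c.req, sizeof c.req,
                     "POST /index.html HTTP/1.0\r\nContent-Length: %ld\r\n"
                     "Content-Type: text\r\nHost: www.example.com\r\n\r\n",
                     claimed);
    if (n < 0 || (size_t)n + body_len >= sizeof c.req) return -1;
    memset(c.req + n, 'B', body_len);
    c.rs = (size_t)n + body_len;
    c.req[c.rs] = '\0';                  /* keep strstr() in bounds */
    c.cl = parse_content_length(c.req);
    long stored = read_post_body(&c) == 0 ? (long)c.pds : -1;
    free(c.pd);
    return stored;
}

int main(void)
{
    printf("claimed 100, sent 500 -> stored %ld\n", demo_body(100, 500));
    printf("claimed 100, sent 20  -> stored %ld\n", demo_body(100, 20));
    printf("claimed -1,  sent 20  -> %ld (rejected)\n", demo_body(-1, 20));
    return 0;
}
```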
57. Integer Buffer Overflow in Source Code
[Diagram: 16-bit signed addition]
      0100111000100000  =  20000
    + 0111010100110000  =  30000
    = 1100001101010000  = -15536   (50000 does not fit in a signed 16-bit value)
It occurs when the stored operation result is bigger than the permissible range
It occurs when the stored operation result is smaller than the permissible range
It occurs during the arithmetic operation itself
It is difficult to detect, so massive code analysis is needed
The result is a negative number because the top bit is interpreted as the sign bit
58. Example of Integer Buffer Overflow
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>   /* off_t */
    #define BUFFER_SIZE 4096
    #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
    int main(int argc, char* argv[])
    {
        off_t  type1=0;                /*signed type*/
        size_t type2=0;                /*unsigned type*/
        off_t  type3=999999999999999;  /*integer overflow*/
        char   buffer[BUFFER_SIZE];    /*fixed buffer*/
        type1 = strlen(argv[1]);
        printf("size of input data = %d \n",type1);
        if(argv[2]!=NULL)
        {   /*due to some operations*/
            type1=type3;
        }
        type2=(size_t) test_min(type1,BUFFER_SIZE);
        printf("size of (size_t)type2 = %d\n",type2);
        strncpy(buffer,argv[1],type2); /* occurs stack overflow */
        printf("data output = %s\n",buffer);
        return 0;
    }
Output 1 - Normal
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
    size of input data = 5
    size of (size_t)type2 = 5
    data output = hello
Output 2 - Integer Overflow
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
    size of input data = 5
    size of (size_t)type2 = -1530494977
    Segmentation fault (core dumped)
59. Example of Integer Buffer Overflow
Declare the variables (signed/unsigned types, static buffer): type1 is a signed off_t, type2 an unsigned size_t, and buffer[BUFFER_SIZE] a fixed-size stack buffer.
60. Example of Integer Buffer Overflow
Get the size of the user input data with strlen( ) and then print it.
61. Example of Integer Buffer Overflow
Check the size of the user input data against BUFFER_SIZE with test_min( ); this is the code intended to prevent the buffer overflow.
62. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow copy user input data to buffer
and then print user input data
6213년 7월 3일 수요일
63. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow
if variable signed type stored in big
data, will occur integing overflow
6313년 7월 3일 수요일
64. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow
because type2 it has been set
negative number, to bypass code that
prevent buffer overflow
6413년 7월 3일 수요일
65. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow
as a result, occur stack buffer overflow
6513년 7월 3일 수요일
67. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 1. Collect information about the variables
Source Path | Structure Name | Function Name | Variable Type | Variable Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | ngx_uint_t | state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t | size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t | length | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | /* other variables were omitted */
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | size_t | size | unsigned type
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | u_char | buffer[4096] | fixed buffer
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | /* other variables were omitted */
src/http/ngx_http_request.h | ngx_http_request_s | none | ngx_http_header_in_t | headers_in | struct pointer
src/http/ngx_http_request.h | ngx_http_request_s | none | ngx_http_header_out_t | headers_out | struct pointer
src/http/ngx_http_request.h | ngx_http_request_s | none | /* other variables were omitted */
src/http/ngx_http_request.h | ngx_http_header_in_t | none | off_t | content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_in_t | none | /* other variables were omitted */
src/http/ngx_http_request.h | ngx_http_header_out_t | none | off_t | content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_out_t | none | /* other variables were omitted */
68. Step 2. Analyze the source code step by step
static ngx_int_t
ngx_http_static_handler(ngx_http_request_t *r)
{
    u_char *last, *location;
    size_t root, len;
    ngx_str_t path;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->method & NGX_HTTP_POST) {
        return NGX_HTTP_NOT_ALLOWED;
    }
    rc = ngx_http_discard_request_body(r);
    if (rc != NGX_OK) {
        return rc;
    }
    log->action = "sending response to client";
    r->headers_out.status = NGX_HTTP_OK;
    r->headers_out.content_length_n = of.size;
    r->headers_out.last_modified_time = of.mtime;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
[ src/http/modules/ngx_http_static_module.c ]
ngx_http_discard_request_body( ) is called here.
69. ngx_int_t
ngx_http_discard_request_body(ngx_http_request_t *r)
{
    ssize_t size;
    ngx_int_t rc;
    ngx_event_t *rev;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
        return NGX_OK;
    }
    size = r->header_in->last - r->header_in->pos;
    if (size || r->headers_in.chunked) {
        rc = ngx_http_discard_request_body_filter(r, r->header_in);
        if (rc != NGX_OK) {
            return rc;
        }
        if (r->headers_in.content_length_n == 0) {
            return NGX_OK;
        }
    }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
[ src/http/ngx_http_request_body.c ]
Checks for chunked data in the header.
70. ngx_http_discard_request_body_filter( ) is called from the same snippet (slide 70 repeats the code of slide 69).
71. ngx_http_parse_chunked( ) is called from here; it contains the integer overflow vulnerability.
static ngx_int_t
ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
{
    size_t size;
    ngx_int_t rc;
    ngx_http_request_body_t *rb;
    if (r->headers_in.chunked) {
        rb = r->request_body;
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        for ( ;; ) {
            rc = ngx_http_parse_chunked(r, b, rb->chunked);
            if (rc == NGX_OK) {
                /* a chunk has been parsed successfully */
                size = b->last - b->pos;
                if ((off_t) size > rb->chunked->size) {
                    b->pos += rb->chunked->size;
                    rb->chunked->size = 0;
                } else {
                    rb->chunked->size -= size;
                    b->pos = b->last;
                }
                continue;
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
72. ngx_int_t
ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
    ngx_http_chunked_t *ctx)
{
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    for (pos = b->pos; pos < b->last; pos++) {
        ch = *pos;
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        switch (state) {
        case sw_chunk_start:
            if (ch >= '0' && ch <= '9') {
                state = sw_chunk_size;
                ctx->size = ch - '0';
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                state = sw_chunk_size;
                ctx->size = c - 'a' + 10;
                break;
            }
            goto invalid;
        case sw_chunk_size:
            if (ch >= '0' && ch <= '9') {
                ctx->size = ctx->size * 16 + (ch - '0');
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ctx->size = ctx->size * 16 + (c - 'a' + 10);
                break;
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
If ctx->size already holds a large number, ctx->size = ctx->size * 16 + (digit) overflows; because ctx->size is a signed off_t, the result can be misinterpreted as a negative number.
(src/http/ngx_http.h, ngx_http_chunked_s / ngx_http_chunked_t, no function: ngx_uint_t state; off_t size, signed type; off_t length, signed type)
73. switch (state) {
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    case sw_chunk_size:
        if (ch >= '0' && ch <= '9') {
            ctx->size = ctx->size * 16 + (ch - '0');
            break;
        }
        c = (u_char) (ch | 0x20);
        if (c >= 'a' && c <= 'f') {
            ctx->size = ctx->size * 16 + (c - 'a' + 10);
            break;
        }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
data:
    ctx->state = state;
    b->pos = pos;
    switch (state) {
    case sw_chunk_start:
        ctx->length = 3 /* "0" LF LF */;
        break;
    case sw_chunk_size:
        ctx->length = 2 /* LF LF */
                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
        break;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
ctx->length is then computed from the negative ctx->size, so it is stored as a negative number as well.
(src/http/ngx_http.h, ngx_http_chunked_s / ngx_http_chunked_t: ngx_uint_t state; off_t size, signed type; off_t length, signed type)
74. /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    for ( ;; ) {
        rc = ngx_http_parse_chunked(r, b, rb->chunked);
        if (rc == NGX_OK) {
            /* a chunk has been parsed successfully */
            /*~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            continue;
        }
        if (rc == NGX_DONE) {
            /* a whole response has been parsed successfully */
            r->headers_in.content_length_n = 0;
            break;
        }
        if (rc == NGX_AGAIN) {
            /* set amount of data we want to see next time */
            r->headers_in.content_length_n = rb->chunked->length;
            break;
        }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
r->headers_in.content_length_n now holds the negative number (copied from rb->chunked->length).
(src/http/ngx_http_request.h: ngx_http_header_in_t off_t content_length_n, signed type; ngx_http_header_out_t off_t content_length_n, signed type)
75. /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
        return NGX_OK;
    }
    size = r->header_in->last - r->header_in->pos;
    if (size || r->headers_in.chunked) {
        rc = ngx_http_discard_request_body_filter(r, r->header_in);
        if (rc != NGX_OK) {
            return rc;
        }
        if (r->headers_in.content_length_n == 0) {
            return NGX_OK;
        }
    }
    rc = ngx_http_read_discarded_request_body(r);
    if (rc == NGX_OK) {
        r->lingering_close = 0;
        return NGX_OK;
    }
    if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
        return rc;
    }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
ngx_http_read_discarded_request_body( ) is called; it contains the stack-based overflow vulnerability.
76. static ngx_int_t
ngx_http_read_discarded_request_body(ngx_http_request_t *r)
{
    size_t size;
    ssize_t n;
    ngx_int_t rc;
    ngx_buf_t b;
    u_char buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];
    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "http read discarded body");
    ngx_memzero(&b, sizeof(ngx_buf_t));
    b.temporary = 1;
    for ( ;; ) {
        if (r->headers_in.content_length_n == 0) {
            r->read_event_handler = ngx_http_block_reading;
            return NGX_OK;
        }
        if (!r->connection->read->ready) {
            return NGX_AGAIN;
        }
        size = (size_t) ngx_min(r->headers_in.content_length_n,
                                NGX_HTTP_DISCARD_BUFFER_SIZE);
        n = r->connection->recv(r->connection, buffer, size);
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
#define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
r->headers_in.content_length_n has already been set to a negative number, so ngx_min( ) returns it and the (size_t) cast turns it into a huge value; as a result, the code that should prevent the buffer overflow is bypassed.
77. Stack layout of the function (figure): buffer[4096], then the saved EBP, then the return address (EIP). The chunked data is copied into buffer.
78. If the chunked data is bigger than 4096 bytes, a stack buffer overflow occurs: in the figure, the 'A' bytes run past buffer[4096] over EBP and EIP.
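The checked counterpart of the two steps traced above (the ctx->size accumulation on slides 72-73 and the ngx_min( ) cast on slide 76, which is the same pattern as test_min( ) in the earlier sample), as an added example that is not nginx's code and not the fix the project shipped: int64_t stands in for off_t, and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not nginx's code and not the fix the project shipped.
 * int64_t stands in for the signed off_t used in the slides. */

/* Accumulates a hex chunk-size line digit by digit, the way ngx_http_parse_chunked
 * does, but refuses any digit that would push the value past INT64_MAX. Parsing
 * stops at ';' (a chunk extension) or at the end of the line.
 * Returns the size, or -1 for an invalid or overflowing line. */
int64_t parse_chunk_size(const char *line)
{
    int64_t size = 0;
    int ndigits = 0;
    const char *p;
    for (p = line; *p != '\0' && *p != ';' && *p != '\r' && *p != '\n'; p++) {
        unsigned char ch = (unsigned char) *p;
        unsigned char c = (unsigned char) (ch | 0x20);
        int d;
        if (ch >= '0' && ch <= '9') {
            d = ch - '0';
        } else if (c >= 'a' && c <= 'f') {
            d = c - 'a' + 10;
        } else {
            return -1;
        }
        /* The vulnerable code does size = size * 16 + d unconditionally, so a long
         * run of 'f' digits wraps the signed value negative. Check before multiplying. */
        if (size > (INT64_MAX - d) / 16) {
            return -1;
        }
        size = size * 16 + d;
        ndigits++;
    }
    return ndigits ? size : -1;
}

/* Mirrors ctx->length = 2 + (size ? size + 4 : 0) from slide 73 without wrapping.
 * Returns the length hint, or -1 if size is negative or too close to INT64_MAX. */
int64_t chunk_length_hint(int64_t size)
{
    if (size < 0 || size > INT64_MAX - 6) {
        return -1;
    }
    return 2 + (size ? size + 4 : 0);
}

/* The pattern from the slides: ngx_min()/test_min() on a signed length, then a
 * cast to size_t. A negative length wins the comparison and becomes huge. */
size_t unchecked_read_size(int64_t content_length_n, size_t buf_size)
{
    int64_t m = (content_length_n > (int64_t) buf_size) ? (int64_t) buf_size
                                                        : content_length_n;
    return (size_t) m;   /* -1 becomes SIZE_MAX */
}

/* Hardened form: reject a negative length before it can reach the cast.
 * Returns the read size bounded by buf_size, or -1 for a negative length. */
int64_t safe_read_size(int64_t content_length_n, size_t buf_size)
{
    if (content_length_n < 0) {
        return -1;
    }
    if ((uint64_t) content_length_n > buf_size) {
        return (int64_t) buf_size;
    }
    return content_length_n;
}
```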
80. Reverse Engineering
Some software has a code base far larger than you can imagine; ridiculous, but possible.
Finding vulnerabilities by reverse engineering and dynamic analysis is hard, but it can find unique bugs that a fuzzer usually won't.
Be specific with the big picture first
Call graphs / System calls / Associated Data
Then dive into smaller parts
Recognize well-known routines
e.g. crypto (RC4, RSA, etc.), memcpy, strcpy, etc.
84. The amount of code to look at can be reduced by using a script.
#include <stdio.h>
void code1(void)
{
    printf("code1\n");
}
void code2(void)
{
    printf("code2\n");
}
int main(void)
{
    printf("hello world\n");
    code1();
    code2();
    return 0;
}
Call flow
Debugging with script
88. Fuzzing
Throw random bits at the program, and see if it handles them
Popular robust testing mechanism for software
Fast and Effective
Easy to implement
Two types of Fuzzing
Dumb Fuzzing
Smart Fuzzing
93. Specific Target through Fuzzing
File Format (File Fuzzing)
Network Protocol (Network Fuzzing)
ActiveX (ActiveX Fuzzing)
Browser (Browser Fuzzing)
Etc
94. Type of Fuzzing - Dumb Fuzzing
Dumb Fuzzing
Based on mutation
Little or no knowledge of the structure of the inputs is assumed
Most of the input data are invalid
Anomalies may be completely random or follow some heuristics
Anomalies are added to existing valid inputs
Example: m3u, pls, asx, etc.
95. Dumb fuzzing sample
File Format
[AAAAAAA....AAAA]
[normal data] + [AAAAAAA....AAAA]
[header] + [AAAAAAA....AAAA] + [eof]
Mutated normal file
Network Protocol
GET /AAAAAAA....AAAA.html HTTP/1.1
AAAAAAA....AAAA /indext.html HTTP/1.1
GET /index.html HTTTTTTTTTTTTTTTP/1.1
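A mutation engine for the cases listed on this slide, as an added example that is not part of the deck: dumb_mutate, make_case, fuzz_out and the sample request are constructed names and data, and the random case keeps the framing bytes intact while disturbing the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not code from the deck: builds the mutation cases listed on
 * the slide from one valid input. All names and the sample request are constructed. */
enum mutation {
    MUT_ALL_A,         /* [AAAAAAA....AAAA]                     */
    MUT_APPEND_A,      /* [normal data] + [AAAAAAA....AAAA]     */
    MUT_KEEP_FRAMING,  /* [header] + [AAAAAAA....AAAA] + [eof]  */
    MUT_RANDOM_BYTES   /* mutated normal file: byte anomalies   */
};
/* Small LCG so a case that crashes the target can be rebuilt from its seed. */
static uint32_t fuzz_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}
/* Writes one case into out (capacity cap) and returns its length, 0 on error.
 * hdr_len/eof_len mark the framing bytes that MUT_KEEP_FRAMING and
 * MUT_RANDOM_BYTES leave untouched; run_len is the length of the 'A' run. */
size_t dumb_mutate(const uint8_t *valid, size_t len, size_t hdr_len, size_t eof_len,
                   enum mutation m, size_t run_len, uint32_t seed,
                   uint8_t *out, size_t cap)
{
    /* Bytes that commonly upset length and sign handling in parsers. */
    static const uint8_t interesting[] = { 0x00, 0xff, 0x7f, 0x80 };
    size_t body, i;
    if (hdr_len + eof_len > len) {
        return 0;
    }
    body = len - hdr_len - eof_len;
    switch (m) {
    case MUT_ALL_A:
        if (run_len > cap) return 0;
        memset(out, 'A', run_len);
        return run_len;
    case MUT_APPEND_A:
        if (len + run_len > cap) return 0;
        memcpy(out, valid, len);
        memset(out + len, 'A', run_len);
        return len + run_len;
    case MUT_KEEP_FRAMING:
        if (hdr_len + run_len + eof_len > cap) return 0;
        memcpy(out, valid, hdr_len);
        memset(out + hdr_len, 'A', run_len);
        memcpy(out + hdr_len + run_len, valid + len - eof_len, eof_len);
        return hdr_len + run_len + eof_len;
    case MUT_RANDOM_BYTES:
        if (len > cap || body == 0) return 0;
        memcpy(out, valid, len);
        for (i = 0; i < 4; i++) {   /* four anomalies per case, payload only */
            size_t at = hdr_len + fuzz_rand(&seed) % body;
            out[at] = interesting[fuzz_rand(&seed) % sizeof interesting];
        }
        return len;
    }
    return 0;
}
/* Constructed sample input and the output buffer the cases are written to. */
static const uint8_t sample_req[] = "GET /index.html HTTP/1.1\r\n";
uint8_t fuzz_out[64];
/* Builds one case from sample_req: "GET /" (5 bytes) is the header, " HTTP/1.1\r\n"
 * (11 bytes) is the trailer, and the 'A' run is 8 bytes. Returns the case length. */
size_t make_case(enum mutation m, uint32_t seed)
{
    return dumb_mutate(sample_req, sizeof sample_req - 1, 5, 11, m, 8, seed,
                       fuzz_out, sizeof fuzz_out);
}
```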
96. Type of Fuzzing - Smart Fuzzing
Smart Fuzzing
Based on generation
Knowledge of the structure of the inputs is needed
Test cases are generated from some description of the format
RFC, Documents
Takes data-structure details such as offsets and checksums into account
97. Smart fuzzing sample
File Format
Consideration of data structure or relations
Variety of attack vectors
length, offset, object, etc.
Use 010 Editor binary templates
free binary templates exist (*.bmp, *.zip, *.wav)
[Figure: template layout of a sample format: int fields and a flag; an int length followed by a string; further int fields; length-prefixed data blocks]
98. Smart fuzzing sample
Network Protocol
Consideration of data structure or relations
Variety of attack vectors
host, content-length, etc.
Sample request:
POST index.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip deflate
User-Agent: Mozilla/4.0
Content-Length: 100
HOST: localhost:8080
99. Smart fuzzing sample
Active X
Parameter extraction
Input data to parameter
big data, invalid data, etc
Generate HTML Document
classID | parameter | value
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | A | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | B | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | C | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | D | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | E | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | F | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | G | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | H | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | I | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | J | String
100. Smart fuzzing sample
Browser
Take W3C specification
Group together (methods / attributes / properties)
Replace input values with getRandomValue( )
<html>
<head>
<script>
var gl = document.createElement("canvas").getContext('experimental-webgl')
var texture = gl.createTexture()
gl.bindTexture(gl.TEXTURE_2D, texture)
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))
</script>
</head>
</html>
CVE-2012-2896
101. Phase 3. Crash
5 Types of Crash
Read Access Violation near NULL
Read Access Violation not near NULL
Write Access Violation near NULL
Write Access Violation not near NULL
Unknown
102. What is Exploitable Crash ?
mov eax,dword ptr [esi+0Ch]
mov eax,dword ptr [ecx]
mov edx,dword ptr [eax+5Ch]
call edx