How to find vulnerability in software?
documented by h2spice
h2spice@gmail.com
Wednesday, 3 July 2013
h2spice.net/secuinside2013_h2spice/
Who am I
Sanghwan Ahn (h2spice)
Security Researcher in a team at NSHC Inc.
Vulnerability / malware analysis, bug hunting, mobile security
Agenda
Introduction to vulnerabilities
  What is a vulnerability
  How vulnerabilities are used
  Why we must find vulnerabilities
Before finding vulnerabilities, things we should know
  What knowledge will help you
  What experience will help you
  Think and act like a hacker
How can we find vulnerabilities?
  Superficial analysis of the target
  Internal analysis of the target
  Causing a crash
Demonstration
  ActiveX module in banking / finance
Conclusion
Introduction: Vulnerability
What is a vulnerability?
In a narrow perspective:
A weakness or flaw in a computer's hardware or software
A loophole in the system or in its design
It allows an attacker to reduce the system's information assurance
(e.g. execution of arbitrary code, bypass of a security mitigation)
In a broad perspective:
It refers to all information security risks, including user and administrator negligence, and weaknesses exploitable by social engineering
How to use the vulnerability
[Refer to FireEye's Next-Generation Threats]
Financial benefits
  Information stealing
APT (Advanced Persistent Threat)
  PDF, HWP, MS Word vulnerabilities
  The 3.20 Korean cyber terror attack
Random target attack
  Via web browser vulnerabilities
  Making zombies
Percentage of Total Infections
[According to FireEye Cyber Attack Landscape]
Technology: 25%
Banking/Finance/Insurance: 14%
Manufacturing: 9%
Healthcare: 9%
Entertainment/Media: 8%
Energy/Utilities: 8%
Telecommunications: 7%
Business Services: 6%
Retail: 6%
Logistics/Transportation: 5%
Other: 3%
[According to IBM X-Force Research and Development]
[Chart: Vulnerability disclosure growth by year, 1996 to 2012; y-axis from 0 to 9,000 disclosures]
Why we must find vulnerabilities
Attacks that use 0-days are difficult to detect, and the extent of the damage is huge
Discovering a vulnerability in advance, so that it gets patched, is the best solution
Give me the money (in Pwn2Own 2013)
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer
IE 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000)
To be a hacker: most hackers can find vulnerabilities on any platform, and that is the starting point of hacking
Before finding vulnerability,
Things we should know
What knowledge will help you?
Languages
  ASM / C / C++ / Python / Perl
Types of vulnerability
  Buffer Overflow (Stack, Heap, Integer)
  Null Pointer Dereference
  Format String Bug
  Use After Free
  Etc
What experience will help you ?
Vulnerability Analysis
Non-CVE Vulnerability Analysis
CVE-XXXX-XXXX Vulnerability Analysis
Techniques & Tools
Static Analysis
  IDA
Dynamic Analysis
  IDA, Immunity DBG, OllyDBG, WinDBG
Bypassing security mitigations
  DEP, NX-bit, ASLR, ASCII-Armor, Stack Canary, Sandbox, Etc
Exploitation
  Overwriting SEH, RTL, ROP, Egg Hunting, Heap Spraying, Etc
Think and Act like a hacker
There is no perfection in software, because it is made by humans,
so the vulnerability exists.
Check from a small part.
Do not be greedy; take it step by step.
If I can't find a vulnerability, that is my fault.
How to find vulnerability
Superficial Analysis on The Target
Internal Analysis on The Target
Causing a Crash
Exploitation / Weaponizing
Phase1. Superficial Analysis on The Target
[Diagram: "A Program" with its accessible entry points: Environment Data, User Input Data, File Data, Received Data (Local / Remote), Library Loading, Parsing]
Each accessible entry point is considered to have a potential vulnerability.
Entry points where a vulnerability may exist:
[+] Buffer Overflow
[-] Stack-based Overflow
[-] Heap-based Overflow
[-] Integer Overflow
[-] Format String Bug
[-] Null Pointer Dereference
[-] Use After Free
[+] Etc
[+] DLL Hijacking
Phase2. Internal Analysis on The Target
Although there are various approaches, many hackers use a few popular ones: SA (source code auditing), reverse engineering, and fuzzing.
SA (Source Code Auditing)
Reverse Engineering
Fuzzing
Source Code Auditing
If you have the source code, you can find vulnerabilities in it.
This is a powerful approach, applied in many places.
Code Auditing Flowchart
[Figure, reconstructed from the slide's node labels; approach rows: Code Auditing and Reverse Engineering, with a Fuzzing step beside them]
Start
 -> Is it open-source software?
    Y: Code Auditing: Code Analysis -> Find Vulnerability -> Exploitation
    N: Search Library -> Is it an open-source library?
       Y: Check Version -> Vulnerable version? (Y: Exploitation; N: Code Analysis -> Find Vulnerability -> Exploitation)
       N: Reverse Engineering: Decompile -> Code Analysis -> Find Vulnerability -> Exploitation
How to analyze source code
Code Analysis
Accessible entry points from the user interface
  Can be accessed
  Can be manipulated
Common vulnerabilities
  Buffer Overflow (Stack / Heap / Integer)
  Format string
Using automatic analysis tools
  RATS, ITS4, FindBugs, Flawfinder, Splint
Stack Buffer Overflow in Source Code
Fixed buffer
(e.g. buffer[4096], or buffer[BUFFER_SIZE] with BUFFER_SIZE a #define)
In the source code, find dangerous functions like strcpy( ) and sprintf( );
they are often wrapped in project-specific functions such as abc_strcpy( ).
Sometimes a buffer overflow is caused
by the termination condition of a loop.
VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step1. Search accessible entry points
Program Name | Accessible Entry Point | File Type | File Format
VLC 2.0.0    | Open File              | Video     | 3g2 / 3gp / 3gp2 / amv / asf / etc
             |                        | Audio     | a52 / aac / ac3 / adt / adts / etc
             |                        | Play list | m3u / wpl / ram / pls / gvp / etc
             |                        | URL       | mms / rtmp / rtp / rtsp / smb / etc  <- a stack-based buffer overflow occurs here
VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step2. find source code about accessible entry point
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ |grep "mms"
.//contrib/src/src/goom/goom2k4-xmmslibdir.patch
.//modules/access/mms
.//modules/access/mms/asf.c
.//modules/access/mms/asf.h
.//modules/access/mms/buffer.c
.//modules/access/mms/buffer.h
.//modules/access/mms/Makefile.am
.//modules/access/mms/Makefile.in
.//modules/access/mms/mms.c
.//modules/access/mms/mms.h
.//modules/access/mms/mmsh.c
.//modules/access/mms/mmsh.h
.//modules/access/mms/mmstu.c
.//modules/access/mms/mmstu.h
.//modules/access/mms/Modules.am
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$
Search for the accessible entry point, and you can find the source code that handles it.
VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step3-1. Check for dangerous methods (e.g. strcpy, sprintf, etc)
Search for dangerous methods:
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcpy"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcat"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "getwd"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "gets"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "fscanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "scanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "realpath"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "sprintf"
grep: ./: Is a directory
.//mmsh.c:518: if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
.//mmstu.c:535: sprintf( tmp,
.//mmstu.c:592: sprintf( tmp,
.//mmstu.c:599: sprintf( tmp, "192.168.0.1TCP1242" );
h2spice-ui-MacBook-Pro:mms h2spice$
As a result, you are able to find the code that uses a dangerous method.
VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step3-2. Simple check via automatic tools (RATS, etc)
C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
Analyzing mmstu.c
mmstu.c:459: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
mmstu.c:535: High: sprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.
mmstu.c:535: High: sprintf
mmstu.c:592: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.
VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step4. Analyze source code in detail

/*vlc-2.0.0/modules/access/mms/mmstu.c*/
/****************************************************************************
 * MMSOpen : Open a connection with the server over mmst or mmsu
 ****************************************************************************/
static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
{
    access_sys_t *p_sys = p_access->p_sys;
    int          b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;
    var_buffer_t buffer;
    char         tmp[4096];            /* fixed-size buffer on the stack */
    uint16_t     *p;
    int          i_server_version;
    int          i_tool_version;
    int          i_update_player_url;
    int          i_encryption_type;
    int          i;
    int          i_streams;
    int          i_first;
    char         *mediapath;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    /* *** send command 1 : connection request *** */
    var_buffer_initwrite( &buffer, 0 );
    var_buffer_add16( &buffer, 0x001c );
    var_buffer_add16( &buffer, 0x0003 );
    sprintf( tmp,                      /* unbounded write into tmp[4096] */
             "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
             GUID_PRINT( p_sys->guid ),
             p_url->psz_host );        /* host name taken from the opened URL */

Stack layout: tmp[4096] | saved EBP | saved EIP
1. A static 4096-byte buffer (tmp) is allocated on the stack.
2. The request packet is formatted by sprintf( ) into the tmp[4096] buffer.
3. If the request packet is valid (the host name is of normal length), the buffer overflow does not occur:
   NSPlayer/7.0.0.1956; {"user"}; Host: www.h2spice.net
4. But if the request packet is invalid (an overlong host name), the buffer overflows past EBP and EIP:
   NSPlayer/7.0.0.1956; {"user"}; Host: AAAAAAAAAA.....AAAAAAAAAA
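Added example, not VLC's code: the audit arithmetic for the sprintf( ) into tmp[4096] above, and a bounded builder that rejects an overlong host instead of overflowing. TMP_SIZE, MAX_HOST_LEN, GUID_PLACEHOLDER and the function names are assumptions; the placeholder GUID stands in for GUID_PRINT( p_sys->guid ).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMP_SIZE     4096  /* size of tmp[4096] in MMSOpen() */
#define MAX_HOST_LEN 253   /* longest host name DNS allows (assumed policy limit) */
#define GUID_PLACEHOLDER "00000000-0000-0000-0000-000000000000" /* stands in for GUID_PRINT() */

/* Audit arithmetic for the unbounded sprintf(): bytes the connect request
 * needs, including the terminating NUL, for given GUID and host lengths.
 * The fixed text of the format string is 31 characters. */
size_t connect_request_len(size_t guid_len, size_t host_len)
{
    return strlen("NSPlayer/7.0.0.1956; {}; Host: ") + guid_len + host_len + 1;
}

/* 1 when sprintf() into tmp[4096] would write past the end of the buffer. */
int sprintf_would_overflow(size_t guid_len, size_t host_len)
{
    return connect_request_len(guid_len, host_len) > TMP_SIZE;
}

/* Bounded replacement: formats the request line into dst, or returns -1
 * (leaving dst empty) when the host is implausibly long or the line would
 * not fit. On success returns the line length without the NUL. */
int build_connect_request(char *dst, size_t dst_len,
                          const char *guid, const char *host)
{
    if (dst == NULL || dst_len == 0 || guid == NULL || host == NULL)
        return -1;
    dst[0] = '\0';

    /* Reject before formatting: the host comes straight from the URL that
     * was opened, so its length is chosen by whoever supplied the URL. */
    if (strlen(host) > MAX_HOST_LEN)
        return -1;

    /* snprintf() reports the length the full line would have had; a value
     * >= dst_len means it was truncated, which is treated as an error
     * rather than a request to send silently. */
    int n = snprintf(dst, dst_len, "NSPlayer/7.0.0.1956; {%s}; Host: %s",
                     guid, host);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Demo driver: a constructed host of host_len 'A' characters, built into
 * a 4096-byte buffer like VLC's tmp[]. Returns build_connect_request()'s result. */
int build_with_host_of_length(size_t host_len)
{
    char tmp[TMP_SIZE];
    char *host = malloc(host_len + 1);
    if (host == NULL)
        return -1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    int rc = build_connect_request(tmp, sizeof tmp, GUID_PLACEHOLDER, host);
    free(host);
    return rc;
}

int main(void)
{
    size_t guid_len = strlen(GUID_PLACEHOLDER);
    printf("host of 15 bytes:   sprintf overflow=%d  bounded build=%d\n",
           sprintf_would_overflow(guid_len, 15), build_with_host_of_length(15));
    printf("host of 5000 bytes: sprintf overflow=%d  bounded build=%d\n",
           sprintf_would_overflow(guid_len, 5000), build_with_host_of_length(5000));
    return 0;
}
```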
Heap Buffer Overflow in Source Code
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
Search for the memory-allocation methods:
h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//access.c:168: p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
.//access.c:171: p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
.//real.c:433: buf= (char *)malloc(2048);
.//real.c:611: char *buf = malloc(256);
.//real.c:666: description = malloc(size+1);
.//real.c:675: subscribe = malloc(256);
.//real_asmrp.c:93: p = malloc (sizeof (asmrp_t));
.//real_rmff.c:384: mdpr->type_specific_data = malloc(type_specific_len);
.//real_sdpplin.c:70: buf = malloc( BUFLEN );
.//real_sdpplin.c:74: decoded = malloc( BUFLEN );
.//real_sdpplin.c:146: desc->mlti_data = malloc(desc->mlti_data_size);
.//real_sdpplin.c:193: buf = malloc( BUFLEN );
.//real_sdpplin.c:200: decoded = malloc( BUFLEN );
.//real_sdpplin.c:262: desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
.//rtsp.c:505: s->host = malloc(hostend+1);
As a result, you are able to find the code that uses a memory-allocation method.
Heap Buffer Overflow in Source Code
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size

/* real_sdpplin.c (line 146 in the listing above) */
if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
    desc->mlti_data_size =
        vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
    if ( desc->mlti_data_size ) {
        desc->mlti_data = malloc(desc->mlti_data_size);         /* allocated size */
        memcpy(desc->mlti_data, decoded, desc->mlti_data_size); /* copied size */
        handled=1;
        *data=nl(*data);
        lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
    }
}

Is the allocated size equal to the copied size? Here both are desc->mlti_data_size, so they are equal: move on and check the other malloc( ) and memcpy( ) pairs.
httpdx 1.5.4 Heap Overflow
Step1. Search malloc( ) or memcpy( )
Search for the memory-allocation methods:
h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//daemon.cpp:100: //d = (char*)malloc(_size);
.//daemon.cpp:191: //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
.//daemon.cpp:204: mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
.//ftp.cpp:122: client->transfers[client->transfers_c].d = (char*)malloc(1);
.//http.cpp:250: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:357: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:467: client->d = (char*)malloc(client->ds);
.//http.cpp:661: client->pd = (char*)malloc(client->cl+1);
.//script.cpp:233: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:246: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:264: //nodes[*ns].str = (char*)malloc(el+1);
h2spice-ui-MacBook-Pro:httpdx_src h2spice$
As a result, you are able to find the code that uses a memory-allocation method.
httpdx 1.5.4 Heap Overflow
Step2. Compare the allocated memory size to the copied data size
Step3. If not equal, carry out a detailed analysis

/* http.cpp, h_readrequest() (line 661 in the listing above) */
int h_readrequest(phclient_t client){
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            int hs = p-client->req; //Get data position in request
            if(p){
                client->pd = (char*)malloc(client->cl+1);              /* allocated: Content-Length + 1 */
                int pos = p+4-client->req;
                memcpy(client->pd,client->req+pos,(client->rs-hs-4));  /* copied: received size - header size - 4 */
                client->pds = client->rs-hs-4;
                if((client->rs-hs-4) >= client->cl)
                    client->state = STATE_REQD;
                else client->state = STATE_DATADOWN;
            }else{
                client->state = STATE_ERROR;
                return (client->code = C_REQUESTENTITYTOOLARGE);
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        }
    }
}

Source Path           | Structure Name | Variable Type | Variable Name | Detail Info
source/include/http.h | phclient_t     | int           | socket        | socket to communicate
                      |                | char          | host[256]     | what host the client used
                      |                | char *        | pd            | post-data: size is allocated with "Content-Length"
                      |                | size_t        | pds           | post-data size
                      |                | int           | cl            | content-length
                      |                | char          | req[4096]     | request buffer
                      |                | int           | rs            | request size (by received packet)

The allocation size comes from cl (content-length), while the copy size comes from rs (request size by received packet). The two are not equal, so a detailed analysis is carried out.
httpdx 1.5.4 Heap Overflow
Step3. If not equal, carry out a detailed analysis
Generate a malformed packet and send it to the server:

POST /index.html HTTP/1.0
Content-Length: 100
Content-Type: text
Host: AAAAAAAAA.....AAAAAAAAAAA

[Diagram: heap-based buffer[101], allocated from Content-Length 100 + 1, with Other Space on either side of it]
1. The dynamic buffer is allocated (101 bytes).
2. The request packet is copied into the buffer.
3. If Content-Length is smaller than the received request size, the copy runs past buffer[101] into the adjacent heap space: a buffer overflow occurs.
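Added example in C, not httpdx's code: the allocation/copy mismatch from h_readrequest( ) computed on a constructed POST whose body is longer than its Content-Length, beside a reader that bounds the copy by the declared length. SAMPLE_REQ, MAX_POST_BYTES and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BYTES (1024 * 1024)  /* assumed cap on what the server will buffer */

/* Constructed request (not from the page): the header declares 10 body
 * bytes but 40 bytes of body follow the blank line. */
static const char SAMPLE_REQ[] =
    "POST /index.html HTTP/1.0\r\n"
    "Content-Length: 10\r\n"
    "Content-Type: text\r\n"
    "Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "\r\n"
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";

/* Size of SAMPLE_REQ as received (rs in httpdx terms), without the NUL. */
size_t sample_request_size(void)
{
    return sizeof SAMPLE_REQ - 1;
}

/* Bytes httpdx 1.5.4 copies into pd: everything after the header
 * terminator, regardless of Content-Length (rs - hs - 4 in the source).
 * Computed only, never performed, so the overflow stays on paper. */
long httpdx_copy_len(const char *req, size_t rs)
{
    const char *p = strstr(req, "\r\n\r\n");
    if (p == NULL)
        return -1;
    long hs = (long)(p - req);               /* header size */
    return (long)rs - hs - 4;
}

/* Parse the decimal Content-Length header; -1 if absent or malformed. */
long parse_content_length(const char *req)
{
    const char *h = strstr(req, "Content-Length:");
    if (h == NULL)
        return -1;
    h += strlen("Content-Length:");
    while (*h == ' ')
        h++;
    char *end;
    long cl = strtol(h, &end, 10);
    if (end == h || cl < 0)
        return -1;
    return cl;
}

/* Bounded version: allocates cl+1 bytes exactly as the original does, but
 * copies at most cl body bytes, so the copy can never exceed the
 * allocation. Returns bytes copied, or -1 on a malformed or oversized
 * request. The caller frees *pd_out. */
long read_post_data_safe(const char *req, size_t rs, char **pd_out)
{
    *pd_out = NULL;
    long cl = parse_content_length(req);
    long avail = httpdx_copy_len(req, rs);
    if (cl < 0 || cl > MAX_POST_BYTES || avail < 0)
        return -1;
    char *pd = malloc((size_t)cl + 1);
    if (pd == NULL)
        return -1;
    size_t n = (size_t)(avail < cl ? avail : cl);   /* min(received, declared) */
    memcpy(pd, strstr(req, "\r\n\r\n") + 4, n);
    pd[n] = '\0';
    *pd_out = pd;
    return (long)n;
}

/* Demo driver: what the bounded reader copies for a request; frees the buffer. */
long safe_copy_len(const char *req, size_t rs)
{
    char *pd;
    long n = read_post_data_safe(req, rs, &pd);
    free(pd);
    return n;
}

int main(void)
{
    size_t rs = sample_request_size();
    long cl = parse_content_length(SAMPLE_REQ);
    printf("Content-Length: %ld -> malloc(%ld)\n", cl, cl + 1);
    printf("httpdx 1.5.4 would memcpy %ld bytes\n", httpdx_copy_len(SAMPLE_REQ, rs));
    printf("bounded reader copies %ld bytes\n", safe_copy_len(SAMPLE_REQ, rs));
    return 0;
}
```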
Integer Buffer Overflow in Source Code
  0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0   =  20000
+ 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0   =  30000
  1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0   = -15536 (as a signed 16-bit integer)
It occurs when the stored result of an operation is bigger than the permissible range
It occurs when the stored result of an operation is smaller than the permissible range
It occurs in the course of the arithmetic operation
It is hard to detect, so extensive code analysis is needed
The result is a negative number because the top bit is interpreted as the sign bit
Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow
5813년 7월 3일 수요일
Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - Normal
Output 2 - Integer Overflow
declare variable
(signed/unsigned type,
static buffer)
5913년 7월 3일 수요일
Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
Get the size of the user input data, then print it.
Check the size of the user input data (the code intended to prevent a buffer overflow).
Copy the user input data into the buffer, then print it.
If a large value is stored in a variable of signed type, an integer overflow occurs.
Because type2 has been set from a negative number, the code that should prevent the buffer overflow is bypassed.
As a result, a stack buffer overflow occurs.
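The test_min-then-cast pattern from the example above, beside a hardened version that validates the signed length before any conversion, as an added example that is not from the slides. BUFFER_SIZE and test_min are the slides' definitions; the function names and the 16-byte demo buffer are my own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>               /* off_t */

#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

/* The slides' computation: clamp a signed off_t with test_min, then cast it
 * to size_t.  A negative length compares as smaller than BUFFER_SIZE, survives
 * the clamp, and the cast turns it into a huge unsigned value. */
size_t copy_len_vulnerable(off_t len)
{
    return (size_t) test_min(len, BUFFER_SIZE);
}

/* Hardened version (added here, not the slides'): validate in the signed
 * domain before any conversion.  Sets *ok = 0 and returns 0 for a negative
 * length, otherwise *ok = 1 and the length clamped to BUFFER_SIZE. */
size_t copy_len_checked(off_t len, int *ok)
{
    if (len < 0) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return len > (off_t) BUFFER_SIZE ? (size_t) BUFFER_SIZE : (size_t) len;
}

/* 1 if the hardened path rejects this length, else 0. */
int length_rejected(off_t len)
{
    int ok;
    copy_len_checked(len, &ok);
    return !ok;
}

/* Copy at most `len` bytes of src into dst and always NUL-terminate.
 * Returns the number of bytes copied, or -1 when the length is rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src, off_t len)
{
    int ok;
    size_t n = copy_len_checked(len, &ok);
    if (!ok) return -1;
    if (n >= dst_size) n = dst_size - 1;     /* leave room for the NUL */
    strncpy(dst, src, n);                    /* stops at src's NUL, pads the rest */
    dst[n] = '\0';
    return (int) n;
}

/* Demo helper: copy into a 16-byte stack buffer; returns bounded_copy's result. */
int copy_into_small_buffer(const char *src, off_t len)
{
    char buf[16];
    return bounded_copy(buf, sizeof buf, src, len);
}

int main(void)
{
    off_t bad = -1530494977;  /* the value printed in Output 2 on the slides */
    printf("vulnerable: (size_t)test_min(%ld, %d) = %zu\n",
           (long) bad, BUFFER_SIZE, copy_len_vulnerable(bad));
    printf("checked: rejected = %d\n", length_rejected(bad));
    printf("copied %d bytes of \"hello\"\n", copy_into_small_buffer("hello", 5));
    return 0;
}
```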
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 1. Collect information about the variables
Source Path | Structure Name | Function Name | Variable Type / Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | ngx_uint_t state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t length | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | /* other variables omitted */ |
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | size_t size | unsigned type
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | u_char buffer[4096] | fixed buffer
src/http/ngx_http_request_body.c | none | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | /* other variables omitted */ |
src/http/ngx_http_request.h | ngx_http_request_s | none | ngx_http_header_in_t headers_in | struct pointer
src/http/ngx_http_request.h | ngx_http_request_s | none | ngx_http_header_out_t headers_out | struct pointer
src/http/ngx_http_request.h | ngx_http_request_s | none | /* other variables omitted */ |
src/http/ngx_http_request.h | ngx_http_header_in_t | none | off_t content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_in_t | none | /* other variables omitted */ |
src/http/ngx_http_request.h | ngx_http_header_out_t | none | off_t content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_out_t | none | /* other variables omitted */ |
Step 2. Analyze the source code step by step
static ngx_int_t
ngx_http_static_handler(ngx_http_request_t *r)
{
u_char *last, *location;
size_t root, len;
ngx_str_t path;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
if (r->method & NGX_HTTP_POST) {
return NGX_HTTP_NOT_ALLOWED;
}
rc = ngx_http_discard_request_body(r);
if (rc != NGX_OK) {
return rc;
}
log->action = "sending response to client";
r->headers_out.status = NGX_HTTP_OK;
r->headers_out.content_length_n = of.size;
r->headers_out.last_modified_time = of.mtime;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
[ src/http/modules/ngx_http_static_module.c ]
ngx_http_discard_request_body( ) is called
ngx_int_t
ngx_http_discard_request_body(ngx_http_request_t *r)
{
ssize_t size;
ngx_int_t rc;
ngx_event_t *rev;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
return NGX_OK;
}
size = r->header_in->last - r->header_in->pos;
if (size || r->headers_in.chunked) {
rc = ngx_http_discard_request_body_filter(r, r->header_in);
if (rc != NGX_OK) {
return rc;
}
if (r->headers_in.content_length_n == 0) {
return NGX_OK;
}
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
[ src/http/ngx_http_request_body.c ]
Check for chunked data in the header
ngx_http_discard_request_body_filter( ) is called
ngx_http_parse_chunked( ) is called
static ngx_int_t
ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
{
size_t size;
ngx_int_t rc;
ngx_http_request_body_t *rb;
if (r->headers_in.chunked) {
rb = r->request_body;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
for ( ;; ) {
rc = ngx_http_parse_chunked(r, b, rb->chunked);
if (rc == NGX_OK) {
/* a chunk has been parsed successfully */
size = b->last - b->pos;
if ((off_t) size > rb->chunked->size) {
b->pos += rb->chunked->size;
rb->chunked->size = 0;
} else {
rb->chunked->size -= size;
b->pos = b->last;
}
continue;
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
ngx_http_parse_chunked( ) is the function that contains the integer overflow vulnerability.
ngx_int_t
ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
ngx_http_chunked_t *ctx)
{
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
for (pos = b->pos; pos < b->last; pos++) {
ch = *pos;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
switch (state) {
case sw_chunk_start:
if (ch >= '0' && ch <= '9') {
state = sw_chunk_size;
ctx->size = ch - '0';
break;
}
c = (u_char) (ch | 0x20);
if (c >= 'a' && c <= 'f') {
state = sw_chunk_size;
ctx->size = c - 'a' + 10;
break;
}
goto invalid;
case sw_chunk_size:
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
}
c = (u_char) (ch | 0x20);
if (c >= 'a' && c <= 'f') {
ctx->size = ctx->size * 16 + (c - 'a' + 10);
break;
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
If ctx->size already holds a large number, the statement (ctx->size = ctx->size * 16 + @), where @ is the value of the next hex digit, overflows.
Source Path | Structure Name | Function Name | Variable Type / Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | ngx_uint_t state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t length | signed type
Because size is a signed off_t, ctx->size can then be interpreted as a negative number.
switch (state) {
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
case sw_chunk_size:
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
}
c = (u_char) (ch | 0x20);
if (c >= 'a' && c <= 'f') {
ctx->size = ctx->size * 16 + (c - 'a' + 10);
break;
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
data:
ctx->state = state;
b->pos = pos;
switch (state) {
case sw_chunk_start:
ctx->length = 3 /* "0" LF LF */;
break;
case sw_chunk_size:
ctx->length = 2 /* LF LF */
+ (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
break;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
Then ctx->length, which is computed from ctx->size, is also set to a negative number.
Source Path | Structure Name | Variable Type / Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | ngx_uint_t state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | off_t size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | off_t length | signed type
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
for ( ;; ) {
rc = ngx_http_parse_chunked(r, b, rb->chunked);
if (rc == NGX_OK) {
/* a chunk has been parsed successfully */
/*~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
continue;
}
if (rc == NGX_DONE) {
/* a whole response has been parsed successfully */
r->headers_in.content_length_n = 0;
break;
}
if (rc == NGX_AGAIN) {
/* set amount of data we want to see next time */
r->headers_in.content_length_n = rb->chunked->length;
break;
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
r->headers_in.content_length_n now holds the negative number (copied from rb->chunked->length).
Source Path | Structure Name | Variable Type / Name | Detail Info
src/http/ngx_http_request.h | ngx_http_header_in_t | off_t content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_out_t | off_t content_length_n | signed type
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
return NGX_OK;
}
size = r->header_in->last - r->header_in->pos;
if (size || r->headers_in.chunked) {
rc = ngx_http_discard_request_body_filter(r, r->header_in);
if (rc != NGX_OK) {
return rc;
}
if (r->headers_in.content_length_n == 0) {
return NGX_OK;
}
}
rc = ngx_http_read_discarded_request_body(r);
if (rc == NGX_OK) {
r->lingering_close = 0;
return NGX_OK;
}
if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
return rc;
}
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
ngx_http_read_discarded_request_body( ) is called; this is the function that contains the stack-based overflow vulnerability.
static ngx_int_t
ngx_http_read_discarded_request_body(ngx_http_request_t *r)
{
size_t size;
ssize_t n;
ngx_int_t rc;
ngx_buf_t b;
u_char buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"http read discarded body");
ngx_memzero(&b, sizeof(ngx_buf_t));
b.temporary = 1;
for ( ;; ) {
if (r->headers_in.content_length_n == 0) {
r->read_event_handler = ngx_http_block_reading;
return NGX_OK;
}
if (!r->connection->read->ready) {
return NGX_AGAIN;
}
size = (size_t) ngx_min(r->headers_in.content_length_n,
NGX_HTTP_DISCARD_BUFFER_SIZE);
n = r->connection->recv(r->connection, buffer, size);
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
#define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
r->headers_in.content_length_n has already been set to a negative number, so ngx_min( ) returns it unchanged and the cast to size_t turns it into a huge value.
As a result, the code that should prevent the buffer overflow is bypassed.
[Stack layout figure: buffer[4096], then the saved EBP, then the return address (EIP). The chunked data is copied into buffer.]
[Stack layout figure: buffer[4096], the saved EBP and EIP all overwritten with 'A' bytes.]
If the chunked data is bigger than 4096 bytes, a stack buffer overflow occurs.
Reverse Engineering
Some software has a code base larger than you can imagine; ridiculous, but possible
It is hard to find vulnerabilities with reverse engineering and dynamic analysis, but they can find unique bugs which a fuzzer usually won't find
Be specific with the big picture first
Call graphs / System calls / Associated Data
Then dive into smaller parts
Recognize well-known routines
eg. crypto (RC4, RSA, etc), memcpy, strcpy, etc
Reverse Engineering FlowChart (figure; labels recovered from the diagram)
Approach method: Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Start Exploitation
Step: Understand Overall flow -> Search Entry Point -> Check Arguments -> Function Analysis -> Check whether it makes a logical problem or not? (Y / N)
The amount of code to analyze can be reduced by using a script.
#include <stdio.h>
void code1(void)
{
    printf("code1\n");
}
void code2(void)
{
    printf("code2\n");
}
int main(void)
{
    printf("hello world\n");
    code1();
    code2();
    return 0;
}
Call flow
Debugging with script
j_?code1@@YAXXZ call
?code1@@YAXXZ call
_printf call
__stbuf call
__isatty call
__output call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
__ftbuf call
__flush call
__write call
__chkesp call
j_?code2@@YAXXZ call
?code2@@YAXXZ call
_printf call
__stbuf call
__isatty call
__output call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
__ftbuf call
__flush call
__write call
__chkesp call
_main_0 call
_main call
_printf call
__stbuf call
__isatty call
__malloc_dbg call
__nh_malloc_dbg call
__heap_alloc_dbg call
__CrtDefaultAllocHook call
__heap_alloc_base call
_memset call
_memset call
_memset call
__output call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
write_char call
__ftbuf call
__flush call
__write call
Fuzzing
Throw random bits at the program, and see if it handles them
Popular robust testing mechanism for software
Fast and effective
Easy to implement
Two types of fuzzing
Dumb Fuzzing
Smart Fuzzing
Fuzzing FlowChart (figure; labels recovered from the diagram)
Approach method: Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Start Exploitation
Step: Data Analysis -> Do you know the structure? (Y: Data Type Classification -> Data Modeling -> Smart Fuzz; N: Dumb Fuzz) -> Does a crash occur? (Y: Crash Analysis; N: keep fuzzing)
Specific Target through Fuzzing
File Format (File Fuzzing)
Network Protocol (Network Fuzzing)
ActiveX (ActiveX Fuzzing)
Browser (Browser Fuzzing)
Etc
Type of Fuzzing - Dumb Fuzzing
Dumb Fuzzing
Based on mutation
Little or no knowledge of the structure of the inputs is assumed
Most of the input data are invalid
Anomalies may be completely random or follow some heuristics
Anomalies are added to existing valid inputs
Example: m3u, pls, asx, etc
Dumb fuzzing sample
File Format
[AAAAAAA....AAAA]
[normal data] + [AAAAAAA....AAAA]
[header] + [AAAAAAA....AAAA] + [eof]
Mutated normal file
Network Protocol
GET /AAAAAAA....AAAA.html HTTP/1.1
AAAAAAA....AAAA /indext.html HTTP/1.1
GET /index.html HTTTTTTTTTTTTTTTP/1.1
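The chunk-size accumulation analysed in the nginx section above (ctx->size = ctx->size * 16 + digit) together with the dumb-fuzzing idea just described, as one added example that is neither nginx's nor the presenter's code: the unchecked accumulation beside a guarded one, plus a repeatable dumb-fuzz harness that feeds random hex runs to both and confirms the guarded parser rejects every input that drives the unchecked one negative. It assumes nginx's off_t can be modelled as int64_t; the seed and all inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>

typedef int64_t chunk_off_t;   /* stands in for nginx's off_t (assumed 64-bit here) */
enum { CHUNK_OK = 0, CHUNK_AGAIN = 1, CHUNK_INVALID = -1 };

/* Same digit handling as ngx_http_parse_chunked: '0'-'9', then case-folded a-f. */
static int hex_value(unsigned char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Unchecked accumulation as on the slides, reading up to the CR.  The wrap is
 * done in uint64_t and reinterpreted so this demo has no signed-overflow UB,
 * yet it ends with the same negative value the slides describe. */
chunk_off_t chunk_size_unchecked(const char *field)
{
    chunk_off_t size = 0;
    for (; *field && *field != '\r'; field++) {
        int d = hex_value((unsigned char) *field);
        if (d < 0) return -2;                  /* not a hex digit */
        size = (chunk_off_t) ((uint64_t) size * 16 + (uint64_t) d);
    }
    return size;
}

/* Guarded accumulation: refuse the digit that would push size past INT64_MAX,
 * so nothing negative can reach ctx->length or content_length_n downstream. */
int chunk_size_checked(const char *field, chunk_off_t *size_out)
{
    chunk_off_t size = 0;
    int ndigits = 0;
    for (; *field && *field != '\r'; field++) {
        int d = hex_value((unsigned char) *field);
        if (d < 0) return CHUNK_INVALID;
        if (size > (INT64_MAX - d) / 16) return CHUNK_INVALID;   /* would overflow */
        size = size * 16 + d;
        ndigits++;
    }
    if (ndigits == 0) return CHUNK_INVALID;    /* no size digits at all */
    if (*field != '\r') return CHUNK_AGAIN;    /* field not terminated yet */
    *size_out = size;
    return CHUNK_OK;
}

/* Wrappers: status code alone, and the size or -1 unless the field is accepted. */
int chunk_status(const char *field)
{
    chunk_off_t size;
    return chunk_size_checked(field, &size);
}
chunk_off_t chunk_size_or_minus1(const char *field)
{
    chunk_off_t size;
    return chunk_size_checked(field, &size) == CHUNK_OK ? size : -1;
}

/* Mirror of ctx->length = 2 + (size ? size + 4 : 0), guarded against wrap. */
chunk_off_t remaining_length(chunk_off_t size)
{
    if (size < 0 || size > INT64_MAX - 6) return -1;
    return 2 + (size ? size + 4 : 0);
}

/* Dumb fuzzing as on the slides: random runs of 1..20 hex digits followed by
 * CR, from a fixed-seed LCG so the run is repeatable.  Returns how many inputs
 * drove the unchecked parser negative (each of which the checked parser must
 * reject), or -1 if the two parsers ever disagree on an accepted input. */
int fuzz_chunk_size(int iterations)
{
    uint32_t rng = 0x5eed1234u;                /* constructed seed */
    int found = 0;
    char field[24];
    for (int i = 0; i < iterations; i++) {
        rng = rng * 1664525u + 1013904223u;
        int n = 1 + (int) ((rng >> 27) % 20);
        for (int k = 0; k < n; k++) {
            rng = rng * 1664525u + 1013904223u;
            field[k] = "0123456789abcdefABCDEF"[(rng >> 24) % 22];
        }
        field[n] = '\r';
        field[n + 1] = '\0';
        chunk_off_t raw = chunk_size_unchecked(field);
        chunk_off_t safe = 0;
        int rc = chunk_size_checked(field, &safe);
        if (rc == CHUNK_OK && (safe < 0 || safe != raw)) return -1;
        if (raw < 0) {                         /* wrapped: must have been rejected */
            if (rc != CHUNK_INVALID) return -1;
            found++;
        }
    }
    return found;
}
```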
Type of Fuzzing - Smart Fuzzing
Smart Fuzzing
Based on generation
Knowledge of the structure of the inputs is needed
Test cases are generated from some description of the format
RFC, Documents
Consideration of data structure such as offset, checksum
Smart fuzzing sample
File Format
Consideration of data structure or relations
Variety of attack vectors
length, offset, object, etc
Use 010 binary editor template
free binary templates
(*.bmp, *.zip, *.wav)
[Figure: binary file layout as described by a template; int fields, a flag, length-prefixed strings and data blocks]
Smart fuzzing sample
Network Protocol
POST index.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip deflate
User-Agent: Mozilla/4.0
Content-Length: 100
HOST: localhost:8080
Consideration of data structure or relations
Variety of attack vectors
host, content-length, etc
Smart fuzzing sample
Active X
Parameter extraction
Input data to parameter
big data, invalid data, etc
Generate HTML Document
classID | parameter | value
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | A | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | B | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | C | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | D | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | E | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | F | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | G | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | H | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | I | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | J | String
Smart fuzzing sample
Browser
Take W3C specification
Group together (methods / attributes / properties)
Replace input values with getRandomValue( )
<html>
<head>
<script>
var gl = document.createElement("canvas").getContext('experimental-webgl')
var texture = gl.createTexture()
gl.bindTexture(gl.TEXTURE_2D, texture)
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))
</script>
</head>
</html>
CVE-2012-2896
Phase 3. Crash
5 Types of Crash
Read Access Violation near NULL
Read Access Violation not near NULL
Write Access Violation near NULL
Write Access Violation not near NULL
Unknown
What is Exploitable Crash ?
mov eax,dword ptr [esi+0Ch]
mov eax,dword ptr [ecx]
mov edx,dword ptr [eax+5Ch]
call edx
Demonstration
ActiveX module on Banking / Financial / Etc
A stack buffer overflow occurs via strcpy( )
Conclusion
Source Code Auditing
Fuzzing
Reverse Engineering
Diffing
Taint Analysis
Symbolic Execution
Thank You :)
 
Software Security - Vulnerability&Attack
Software Security - Vulnerability&AttackSoftware Security - Vulnerability&Attack
Software Security - Vulnerability&AttackEmanuela Boroș
 
Web vulnerability seminar4
Web vulnerability seminar4Web vulnerability seminar4
Web vulnerability seminar4Sakuya Izayoi
 
Codegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player ExploitCodegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player Exploitsweetchip
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Web vulnerability seminar1
Web vulnerability seminar1Web vulnerability seminar1
Web vulnerability seminar1Sakuya Izayoi
 
취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명eungjin cho
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Web vulnerability seminar2
Web vulnerability seminar2Web vulnerability seminar2
Web vulnerability seminar2Sakuya Izayoi
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipsweetchip
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 -  급전이 필요합니다[2014 CodeEngn Conference 10] 심준보 -  급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다GangSeok Lee
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 

Viewers also liked (17)

Web vulnerability seminar3
Web vulnerability seminar3Web vulnerability seminar3
Web vulnerability seminar3
 
Variables and constants
Variables and constantsVariables and constants
Variables and constants
 
Software Security - Vulnerability&Attack
Software Security - Vulnerability&AttackSoftware Security - Vulnerability&Attack
Software Security - Vulnerability&Attack
 
Web vulnerability seminar4
Web vulnerability seminar4Web vulnerability seminar4
Web vulnerability seminar4
 
Codegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player ExploitCodegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player Exploit
 
Fuzzing sucks!
Fuzzing sucks!Fuzzing sucks!
Fuzzing sucks!
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
Web vulnerability seminar1
Web vulnerability seminar1Web vulnerability seminar1
Web vulnerability seminar1
 
취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Web vulnerability seminar2
Web vulnerability seminar2Web vulnerability seminar2
Web vulnerability seminar2
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchip
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
EZ KEY_EZ
EZ KEY_EZEZ KEY_EZ
EZ KEY_EZ
 
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 -  급전이 필요합니다[2014 CodeEngn Conference 10] 심준보 -  급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 

Similar to How to find_vulnerability_in_software

A Smart Fuzzing Approach for Integer Overflow Detection
A Smart Fuzzing Approach for Integer Overflow DetectionA Smart Fuzzing Approach for Integer Overflow Detection
A Smart Fuzzing Approach for Integer Overflow DetectionITIIIndustries
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information SecurityRachel Phillips
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayKaren Oliver
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Daniel billing exploring the security testers toolbox
Daniel billing   exploring the security testers toolboxDaniel billing   exploring the security testers toolbox
Daniel billing exploring the security testers toolboxRomania Testing
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013BSidesQuebec2013
 
What is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfWhat is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfuzair
 

Similar to How to find_vulnerability_in_software (20)

A Smart Fuzzing Approach for Integer Overflow Detection
A Smart Fuzzing Approach for Integer Overflow DetectionA Smart Fuzzing Approach for Integer Overflow Detection
A Smart Fuzzing Approach for Integer Overflow Detection
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Awalin-CapWIC
Awalin-CapWICAwalin-CapWIC
Awalin-CapWIC
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information Security
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
Open port vulnerability
Open port vulnerabilityOpen port vulnerability
Open port vulnerability
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
spamzombieppt
spamzombiepptspamzombieppt
spamzombieppt
 
Daniel billing exploring the security testers toolbox
Daniel billing   exploring the security testers toolboxDaniel billing   exploring the security testers toolbox
Daniel billing exploring the security testers toolbox
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013
 
What is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfWhat is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdf
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

How to find_vulnerability_in_software

  • 10. Vulnerability Disclosure Growth by Year [According to IBM X-Force Research and Development]
        (chart: number of vulnerability disclosures per year, 1996 to 2012; y-axis from 0 to 9,000)
  • 11. Why we must find vulnerability
        Attacks using 0-days are difficult to detect and the extent of the damage is huge
        Discovering the vulnerability in advance, so that it can be patched, is the best solution
        Give me the money (Pwn2Own 2013): Google Chrome on Windows 7 ($100,000); Microsoft Internet Explorer IE 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000)
        To be a hacker: most of them can find vulnerabilities on any platform, and that is the starting point of hacking
  • 12. Before finding vulnerability, things we should know
  • 13. What knowledge will help you?
        Language: ASM / C / C++ / Python / Perl
        Types of vulnerability: Buffer Overflow (Stack, Heap, Integer), Null Pointer Dereference, Format String Bug, Use After Free, etc.
  • 14. What experience will help you?
        Vulnerability analysis: non-CVE vulnerability analysis; CVE-XXXX-XXXX vulnerability analysis
  • 15. Techniques & Tools
        Static analysis: IDA
        Dynamic analysis: IDA, Immunity DBG, OllyDBG, WinDBG
        Bypassing security mitigations: DEP, NX-bit, ASLR, ASCII-Armor, Stack Canary, Sandbox, etc.
        Exploitation: Overwriting SEH, RTL, ROP, Egg Hunting, Heap Spraying, etc.
  • 16. Think and act like a hacker
        There is no perfection in software, because it is made by humans; so the vulnerability exists
        Check from a small part
        Do not be greedy; take it step by step
        If I can't find the vulnerability, that is my fault
  • 17. How to find vulnerability
        Superficial Analysis on The Target
        Internal Analysis on The Target
        Occurs Crash
        Exploitation / Weaponizing
  • 18. Phase 1. Superficial Analysis on The Target
        (diagram) A program's accessible entry points: Environment Data, User Input Data, File Data (Local), Receive Data (Remote), Library Loading, Parsing
        Each accessible entry point is considered to have a potential vulnerability
  • 19. Phase 1. Superficial Analysis on The Target
        (same diagram as slide 18) Entry points where a vulnerability potentially exists, by class:
        [+] Buffer Overflow
        [-] Stack Based Overflow
        [-] Heap Based Overflow
        [-] Integer Overflow
        [-] Format String Bug
        [-] Null Pointer Dereference
        [-] Use After Free
        [+] Etc
        [+] DLL Hijacking
  • 20. Phase 2. Internal Analysis on The Target
        Although there are various approaches, many hackers use a few popular ones: SA (Source Code Auditing), Reverse Engineering, Fuzzing
  • 21. Source Code Auditing
        If you have the source code, you can find the vulnerability
        This is a powerful approach, applied in many places
  • 22-26. Approach method: Code Auditing FlowChart (one chart, built up over five slides; the two branches are Code Auditing and Reverse Engineering)
        Start -> is it open source software? Y: Code Auditing; N: Reverse Engineering (Decompile)
        Decision nodes: is it an open source library? (Y / N); Check Version -> vulnerable version? (Y / N)
        Remaining steps: Search Library; Code Analysis; Find Vulnerability; Exploitation; Fuzzing Step (reached on an N branch)
  • 27. How to analyze source code
        Code analysis: accessible entry points from the user interface (can be accessed, can be manipulated)
        Common vulnerabilities: Buffer Overflow (Stack / Heap / Integer), Format String
        Using automatic analysis tools: RATS, ITS4, FindBugs, Flawfinder, Splint
  • 28. Stack Buffer Overflow in Source Code
        Fixed buffer (e.g. buffer[4096], or buffer[buffer_size] where buffer_size is a #define)
        In the source code, find dangerous functions like strcpy(), sprintf(); mostly they are wrapped, e.g. as abc_strcpy()
        Sometimes a buffer overflow is caused by the termination condition of a loop
        (image: "Beer Over Flow")
  • 29. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
  • 30-31. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
        Step 1. Search accessible entry points
        Program Name | Accessible Entry Point | File Type | File Format
        VLC 2.0.0    | Open File              | Video     | 3g2 / 3gp / 3gp2 / amv / asf / etc
                     |                        | Audio     | a52 / aac / ac3 / adt / adts / etc
                     |                        | Play list | m3u / wpl / ram / pls / gvp / etc
                     |                        | URL       | mms / rtmp / rtp / rtsp / smb / etc   <- Occurs Stack Based Buffer Overflow (slide 31)
  • 32. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
        Step 2. Find the source code behind the accessible entry point: search for the entry point name, and you can find the source code that handles it
        h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ |grep "mms"
        .//contrib/src/src/goom/goom2k4-xmmslibdir.patch
        .//modules/access/mms
        .//modules/access/mms/asf.c
        .//modules/access/mms/asf.h
        .//modules/access/mms/buffer.c
        .//modules/access/mms/buffer.h
        .//modules/access/mms/Makefile.am
        .//modules/access/mms/Makefile.in
        .//modules/access/mms/mms.c
        .//modules/access/mms/mms.h
        .//modules/access/mms/mmsh.c
        .//modules/access/mms/mmsh.h
        .//modules/access/mms/mmstu.c
        .//modules/access/mms/mmstu.h
        .//modules/access/mms/Modules.am
        h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$
  • 33-34. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
        Step 3-1. Check for dangerous methods (e.g. strcpy, sprintf, etc.): search for each dangerous method; as a result you are able to find the code that uses one
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcpy"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcat"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "getwd"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "gets"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "fscanf"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "scanf"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "realpath"
        grep: ./: Is a directory
        h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "sprintf"
        grep: ./: Is a directory
        .//mmsh.c:518: if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
        .//mmstu.c:535: sprintf( tmp,
        .//mmstu.c:592: sprintf( tmp,
        .//mmstu.c:599: sprintf( tmp, "192.168.0.1TCP1242" );
        h2spice-ui-MacBook-Pro:mms h2spice$
  • 35. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
  Step 3-2. Simple check via automatic tools (RATS, etc)
    C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
    Analyzing mmstu.c
    mmstu.c:459: High: fixed size local buffer
    Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

    mmstu.c:535: High: sprintf
    Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

    mmstu.c:535: High: sprintf
    mmstu.c:592: High: sprintf
    Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.
  • 36-39. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
  Step 4. Analyze the source code in detail
    /* vlc-2.0.0/modules/access/mms/mmstu.c */
    /****************************************************************************
     * MMSOpen : Open a connection with the server over mmst or mmsu
     ****************************************************************************/
    static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
    {
        access_sys_t *p_sys = p_access->p_sys;
        int           b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;

        var_buffer_t buffer;
        char         tmp[4096];
        uint16_t    *p;
        int          i_server_version;
        int          i_tool_version;
        int          i_update_player_url;
        int          i_encryption_type;
        int          i;
        int          i_streams;
        int          i_first;
        char        *mediapath;

        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */

        /* *** send command 1 : connection request *** */
        var_buffer_initwrite( &buffer, 0 );
        var_buffer_add16( &buffer, 0x001c );
        var_buffer_add16( &buffer, 0x0003 );

        sprintf( tmp, "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
                 GUID_PRINT( p_sys->guid ), p_url->psz_host );
  Stack layout shown beside the code: [ tmp[4096] ][ EBP ][ EIP ]
  - A static (fixed-size) buffer tmp[4096] is allocated on the stack.
  - The connection request is formatted with sprintf( ) directly into tmp[4096]; nothing limits the length of p_url->psz_host.
  - If a valid request is received (eg. NSPlayer/7.0.0.1956; {"user"}; Host: www.h2spice.net), the data fits and no buffer overflow occurs.
  - If an invalid request is received whose Host part is far longer than the buffer (Host: AAAAAAAAAAAAAAAA...), the data runs past tmp[4096] into the saved EBP and EIP, so a buffer overflow occurs.
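  The following is an added example, not VLC's code and not part of the original deck, that turns the Step 4 finding into something a reviewer can measure and fix: mms_request_len( ) computes how many bytes the unchecked sprintf( ) would write for a given host, and mms_build_request( ) is a hardened replacement that bounds the write to the buffer and fails instead of overflowing. The GUID handling is simplified to a single string argument (VLC's GUID_FMT / GUID_PRINT( ) expand to a format and its arguments); the function names and the "user" GUID are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the format MMSOpen( ) builds. VLC expands GUID_FMT /
 * GUID_PRINT( ) into a printf format and its arguments; here (an
 * assumption for the example) the GUID is passed as one string. */
#define MMS_REQ_FMT "NSPlayer/7.0.0.1956; {%s}; Host: %s"

/* Bytes the unchecked sprintf( ) would write (not counting the NUL).
 * snprintf(NULL, 0, ...) only measures, so this is the number an
 * auditor compares against the 4096-byte stack buffer. */
size_t mms_request_len(const char *guid, const char *host)
{
    int n = snprintf(NULL, 0, MMS_REQ_FMT, guid, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened builder: formats into out[outsz] and refuses to truncate.
 * Returns 0 on success; -1 with errno = ERANGE when the host would not
 * fit, which is exactly the case the slide's long "Host: AAAA..." hits. */
int mms_build_request(char *out, size_t outsz, const char *guid, const char *host)
{
    int n = snprintf(out, outsz, MMS_REQ_FMT, guid, host);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0) out[0] = '\0';
        errno = ERANGE;
        return -1;
    }
    return 0;
}

/* Demo helper: does a host name of 'len' bytes fit into a tmp[4096]
 * sized buffer under the hardened builder? 1 = yes, 0 = rejected. */
int mms_host_fits(size_t len)
{
    char host[8192];
    char tmp[4096];
    if (len >= sizeof host) return 0;
    memset(host, 'A', len);        /* constructed host, like the slide's AAAA... */
    host[len] = '\0';
    return mms_build_request(tmp, sizeof tmp, "user", host) == 0;
}

int main(void)
{
    printf("valid request needs %zu bytes\n",
           mms_request_len("user", "www.h2spice.net"));
    printf("100-byte host fits:  %d\n", mms_host_fits(100));
    printf("5000-byte host fits: %d\n", mms_host_fits(5000));
    return 0;
}
```

  The measuring function is the useful audit step: wherever a fixed buffer receives sprintf( ) output that includes attacker-influenced strings, compute the maximum length the format can produce and compare it with the buffer size; if no bound exists, the snprintf( ) pattern above with an explicit failure path is the fix.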
  • 40. Heap Buffer Overflow in Source Code
  Search malloc( ), calloc( ), realloc( ), memcpy( ) and compare the allocated memory size to the copied data size
    h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ |xargs grep -n "malloc"
    grep: ./: Is a directory
    .//access.c:168:    p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
    .//access.c:171:    p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
    .//real.c:433:  buf= (char *)malloc(2048);
    .//real.c:611:  char *buf = malloc(256);
    .//real.c:666:  description = malloc(size+1);
    .//real.c:675:  subscribe = malloc(256);
    .//real_asmrp.c:93:  p = malloc (sizeof (asmrp_t));
    .//real_rmff.c:384:  mdpr->type_specific_data = malloc(type_specific_len);
    .//real_sdpplin.c:70:  buf = malloc( BUFLEN );
    .//real_sdpplin.c:74:  decoded = malloc( BUFLEN );
    .//real_sdpplin.c:146:  desc->mlti_data = malloc(desc->mlti_data_size);
    .//real_sdpplin.c:193:  buf = malloc( BUFLEN );
    .//real_sdpplin.c:200:  decoded = malloc( BUFLEN );
    .//real_sdpplin.c:262:  desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
    .//rtsp.c:505:  s->host = malloc(hostend+1);
  Search for the memory-allocation functions; as a result, you are able to find the code that uses them.
  • 41-45. Heap Buffer Overflow in Source Code
  Search malloc( ), calloc( ), realloc( ), memcpy( ) and compare the allocated memory size to the copied data size
    /* real_sdpplin.c (the rtsp access module), around the malloc( ) found at line 146 */
    if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
      desc->mlti_data_size =
          vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
      if ( desc->mlti_data_size ) {
        desc->mlti_data = malloc(desc->mlti_data_size);
        memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
        handled=1;
        *data=nl(*data);
        lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
      }
    }
  Is the size passed to malloc( ) equal to the size passed to memcpy( )? Here both are desc->mlti_data_size, so they are equal and this pair is safe; move on and check the other malloc( ) / memcpy( ) pairs.
  • 46. httpdx 1.5.4 Heap Overflow
  Step 1. Search malloc( ) or memcpy( )
    h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ |xargs grep -n "malloc"
    grep: ./: Is a directory
    .//daemon.cpp:100:  //d = (char*)malloc(_size);
    .//daemon.cpp:191:  //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
    .//daemon.cpp:204:  mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
    .//ftp.cpp:122:  client->transfers[client->transfers_c].d = (char*)malloc(1);
    .//http.cpp:250:  client->d = (char*)malloc(strlen(p[0])+1);
    .//http.cpp:357:  client->d = (char*)malloc(strlen(p[0])+1);
    .//http.cpp:467:  client->d = (char*)malloc(client->ds);
    .//http.cpp:661:  client->pd = (char*)malloc(client->cl+1);
    .//script.cpp:233:  //nodes[*ns].str = (char*)malloc(el+1);
    .//script.cpp:246:  //nodes[*ns].str = (char*)malloc(el+1);
    .//script.cpp:264:  //nodes[*ns].str = (char*)malloc(el+1);
    h2spice-ui-MacBook-Pro:httpdx_src h2spice$
  Search for the memory-allocation functions; as a result, you are able to find the code that uses them.
  • 47-51. httpdx 1.5.4 Heap Overflow
  Step 2. Compare the allocated memory size to the copied data size
    int h_readrequest(phclient_t client){
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
                int hs = p-client->req; //Get data position in request
                if(p){
                    client->pd = (char*)malloc(client->cl+1);
                    int pos = p+4-client->req;
                    memcpy(client->pd,client->req+pos,(client->rs-hs-4));
                    client->pds = client->rs-hs-4;
                    if((client->rs-hs-4) >= client->cl) client->state = STATE_REQD;
                    else client->state = STATE_DATADOWN;
                }else{
                    client->state = STATE_ERROR;
                    return (client->code = C_REQUESTENTITYTOOLARGE);
                }
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
            }
        }
    }
  The allocation is malloc(client->cl+1) and the copy is memcpy( ) of (client->rs-hs-4) bytes: the two sizes are not the same expression.
  Step 3. If they are not equal, carry out a detailed analysis.
  • 52-53. httpdx 1.5.4 Heap Overflow
  Step 3. If they are not equal, carry out a detailed analysis
    int h_readrequest(phclient_t client){
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
                int hs = p-client->req; //Get data position in request
                if(p){
                    client->pd = (char*)malloc(client->cl+1);
                    int pos = p+4-client->req;
                    memcpy(client->pd,client->req+pos,(client->rs-hs-4));
  Structure behind the client variable:
    Source Path           | Structure Name | Variable Type | Variable Name | Detail Info
    source/include/http.h | phclient_t     | int           | socket        | socket to communicate
                          |                | char          | host[256]     | what host the client used
                          |                | char *        | pd            | post-data: size is allocated with "Content-Length"
                          |                | size_t        | pds           | post-data size
                          |                | int           | cl            | content-length
                          |                | char          | req[4096]     | request buffer
                          |                | int           | rs            | request size (by received packet)
  Callouts on the code: the malloc( ) size is derived from client->cl (content-length), but the memcpy( ) length is derived from client->rs (request size by received packet), so the allocation and the copy are sized from two different values.
  • 54-56. httpdx 1.5.4 Heap Overflow
  Step 3. If they are not equal, carry out a detailed analysis
  Generate a malformed packet and send it to the server:
    POST /index.html HTTP/1.0
    Content-Length: 100
    Content-Type: text
    Host: AAAAAAAAA.....AAAAAAAAAAA
  Heap layout shown beside the packet: [ Other Space ][ heap based buffer[101] ][ Other Space ]
  - A dynamic buffer of Content-Length + 1 = 101 bytes is allocated on the heap.
  - The request packet (from the position after the header terminator) is copied into that buffer.
  - If content-length is smaller than the request packet size, the copy runs past the 101-byte buffer into the adjacent heap space, so a buffer overflow occurs.
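  The following is an added example (it is neither httpdx's nor VLC's code and is not part of the original deck) that applies the "compare the allocated size to the copied size" check from the heap overflow slides in code. It models the httpdx record with the field names from the table above (req, rs, cl, pd, pds; the struct itself and all function names are assumptions), computes the original copy length rs - hs - 4 beside a bounded one, and gives a hardened reader that never copies more than the cl + 1 allocation can hold. The request used is constructed for the example: its header claims Content-Length: 5 while 10 body bytes arrive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the httpdx client record. The field names follow
 * the slide's table (req, rs, cl, pd, pds); the struct itself is a
 * constructed stand-in, not the project's header. */
struct hclient {
    char   req[4096];   /* request buffer (bytes as received) */
    size_t rs;          /* request size (by received packet) */
    size_t cl;          /* content-length (as claimed by the header) */
    char  *pd;          /* post-data, allocated with cl + 1 bytes */
    size_t pds;         /* post-data size */
};

/* Body bytes that follow the "\r\n\r\n" header terminator, i.e. the
 * slide's rs - hs - 4. Returns -1 when no terminator was received
 * (the original's else-branch). */
long body_len_received(const struct hclient *c)
{
    const char *p = strstr(c->req, "\r\n\r\n");
    if (p == NULL) return -1;
    return (long)c->rs - (long)(p - c->req) - 4;
}

/* The copy length the original memcpy( ) uses: it depends only on what
 * was received, never on the cl that sized the allocation. */
long copy_len_unchecked(const struct hclient *c)
{
    return body_len_received(c);
}

/* Hardened policy: copy at most what the allocation can hold. */
long copy_len_bounded(const struct hclient *c)
{
    long n = body_len_received(c);
    if (n < 0) return -1;
    return (size_t)n > c->cl ? (long)c->cl : n;
}

/* Hardened reader: allocate cl + 1 bytes and copy min(received, cl).
 * Returns 0 on success, -1 on a malformed request or allocation failure. */
int read_post_data(struct hclient *c)
{
    long n = copy_len_bounded(c);
    if (n < 0) return -1;
    c->pd = malloc(c->cl + 1);
    if (c->pd == NULL) return -1;
    const char *body = strstr(c->req, "\r\n\r\n") + 4;
    memcpy(c->pd, body, (size_t)n);
    c->pd[n] = '\0';             /* cl + 1 leaves room for the terminator */
    c->pds = (size_t)n;
    return 0;
}

/* Constructed sample: the header claims Content-Length: 5 but 10 body
 * bytes arrive in the same packet, the mismatch the slides describe. */
void make_sample(struct hclient *c)
{
    const char *req =
        "POST /index.html HTTP/1.0\r\nContent-Length: 5\r\n\r\nAAAAAAAAAA";
    memset(c, 0, sizeof *c);
    c->rs = strlen(req);
    memcpy(c->req, req, c->rs);
    c->cl = 5;
}

/* Results on the sample, packaged for the stand-alone run below. */
long sample_unchecked_len(void) { struct hclient c; make_sample(&c); return copy_len_unchecked(&c); }
long sample_bounded_len(void)   { struct hclient c; make_sample(&c); return copy_len_bounded(&c); }
int  sample_read_ok(void)
{
    struct hclient c;
    make_sample(&c);
    if (read_post_data(&c) != 0) return 0;
    int ok = c.pds == 5 && strcmp(c.pd, "AAAAA") == 0;
    free(c.pd);
    return ok;
}

int main(void)
{
    printf("unchecked copy length: %ld (into a %zu-byte chunk)\n",
           sample_unchecked_len(), (size_t)5 + 1);
    printf("bounded copy length:   %ld\n", sample_bounded_len());
    printf("hardened read ok:      %d\n", sample_read_ok());
    return 0;
}
```

  On the sample the unchecked length is 10 while the chunk is 6 bytes, which is the condition the slides draw as the copy running into "Other Space"; the bounded length is 5. The real_sdpplin.c pair from the earlier slides passes the same check trivially because malloc( ) and memcpy( ) use one variable, which is why the slides move on from it.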
  • 57. Integer Buffer Overflow in Source Code
    16-bit signed addition:
      20000    0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0
    + 30000    0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0
    = -15536   1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0
  - It occurs when the stored operation result is bigger than the permissible range (overflow).
  - It occurs when the stored operation result is smaller than the permissible range (underflow).
  - It occurs inside the operation itself, so it is difficult to detect and massive code analysis is needed.
  - The result above is a negative number because the top bit is interpreted as a sign bit.
  • 58-65. Example of Integer Buffer Overflow
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>   /* off_t */
    #define BUFFER_SIZE 4096
    #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

    int main(int argc, char* argv[])
    {
        off_t type1 = 0;                  /* signed type */
        size_t type2 = 0;                 /* unsigned type */
        off_t type3 = 999999999999999;    /* integer overflow: too big for a 32-bit off_t,
                                             it is truncated to -1530494977 */
        char buffer[BUFFER_SIZE];         /* fixed buffer */

        if (argc < 2) return 1;           /* argv[1] is required */
        type1 = strlen(argv[1]);
        printf("size of input data = %d\n", (int)type1);
        if (argv[2] != NULL) {            /* due to some operations */
            type1 = type3;
        }
        type2 = (size_t) test_min(type1, BUFFER_SIZE);
        printf("size of (size_t)type2 = %d\n", (int)type2);
        strncpy(buffer, argv[1], type2);  /* occurs stack overflow */
        printf("data output = %s\n", buffer);
        return 0;
    }
  Output 1 - Normal
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
    size of input data = 5
    size of (size_t)type2 = 5
    data output = hello
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  Output 2 - Integer Overflow
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
    size of input data = 5
    size of (size_t)type2 = -1530494977
    Segmentation fault (core dumped)
    h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  Walkthrough (one build step per slide in the original deck):
  - Declare the variables: a signed type (off_t), an unsigned type (size_t) and a static buffer.
  - Get the size of the user input data, then print the size.
  - Check the size of the user input data against BUFFER_SIZE; this is the code that is meant to prevent a buffer overflow.
  - Copy the user input data into the buffer, then print it.
  - If a big value is stored in the signed-type variable, an integer overflow occurs: type3 does not fit and becomes a negative number.
  - Because type2 is computed from that negative number, it passes test_min( ) and the code that prevents the buffer overflow is bypassed; the (size_t) cast then turns the negative value into a huge count.
  - As a result, strncpy( ) writes past buffer[4096] and a stack buffer overflow occurs.
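  The following is an added example, not part of the original deck, that reproduces the two integer problems shown above in isolated functions so each can be checked: the 16-bit wraparound of 20000 + 30000 from slide 57, the truncation of 999999999999999 to a 32-bit off_t that produces the -1530494977 seen in Output 2, and the signed compare followed by an unsigned cast that lets that value through test_min( ). Each unsafe step is paired with a checked version that reports the condition instead of silently wrapping. Function names are assumptions for the example; the arithmetic is done in unsigned types where wraparound is intended so the demonstration itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Slide 57 in code: 16-bit two's-complement addition. The sum is formed
 * in unsigned arithmetic (well-defined wraparound) and then reinterpreted,
 * which is what the hardware does with the discarded carry bit. */
int16_t add16_wrapping(int16_t a, int16_t b)
{
    uint16_t sum = (uint16_t)a + (uint16_t)b;   /* 20000 + 30000 = 50000 = 0xC350 */
    return (int16_t)sum;                         /* bit 15 is set, read as sign: -15536 */
}

/* Checked version: 1 if a + b does not fit an int16_t, else 0. */
int add16_overflows(int16_t a, int16_t b)
{
    int32_t sum = (int32_t)a + (int32_t)b;
    return sum > INT16_MAX || sum < INT16_MIN;
}

/* The slide's constant 999999999999999 as a 32-bit off_t sees it: the
 * high bits are dropped and the remaining top bit becomes the sign. */
int32_t truncate_to_32(int64_t v)
{
    return (int32_t)(uint32_t)(uint64_t)v;      /* 0x38D7EA4C67FFF -> 0xA4C67FFF */
}

/* The slide's test_min( ) followed by the (size_t) cast: a negative
 * length is "smaller than the buffer", so it passes the check and is
 * then converted to a huge unsigned count. */
size_t min_len_unchecked(int32_t len, size_t bufsz)
{
    int32_t limit = (int32_t)bufsz;
    return (size_t)((len > limit) ? limit : len);
}

/* Hardened replacement: reject a negative length before any unsigned
 * conversion and clamp to the buffer only afterwards. Returns -1 when
 * the length is unusable, otherwise the clamped length. */
int64_t min_len_checked(int64_t len, size_t bufsz)
{
    if (len < 0) return -1;
    if ((uint64_t)len > (uint64_t)bufsz) return (int64_t)bufsz;
    return len;
}

int main(void)
{
    int32_t truncated = truncate_to_32(999999999999999LL);
    printf("20000 + 30000 in int16_t = %d\n", add16_wrapping(20000, 30000));
    printf("999999999999999 as int32 = %d\n", truncated);
    printf("unchecked min with that length = %zu\n", min_len_unchecked(truncated, 4096));
    printf("checked min with that length   = %lld\n",
           (long long)min_len_checked(truncated, 4096));
    return 0;
}
```

  The audit rule this encodes: whenever a length flows from a signed type into a size_t (or into memcpy( ), strncpy( ), malloc( )), check the sign before the conversion, not after; a minimum taken in the signed domain does not bound the unsigned value at all.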
  • 66. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
  • 67. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
  Step 1. Collect information about the variables involved
    Source Path                       | Structure Name                         | Function Name                                               | Variable Type          | Variable Name    | Detail Info
    src/http/ngx_http.h               | ngx_http_chunked_s, ngx_http_chunked_t | none                                                        | ngx_uint_t             | state            |
                                      |                                        |                                                             | off_t                  | size             | signed type
                                      |                                        |                                                             | off_t                  | length           | signed type
                                      |                                        |                                                             | /* other variables were omitted */
    src/http/ngx_http_request_body.c  |                                        | ngx_http_read_discarded_request_body(ngx_http_request_t *r) | size_t                 | size             | unsigned type
                                      |                                        |                                                             | u_char                 | buffer[4096]     | fixed buffer
                                      |                                        |                                                             | /* other variables were omitted */
    src/http/ngx_http_request.h       | ngx_http_request_s                     | none                                                        | ngx_http_header_in_t   | headers_in       | struct pointer
                                      |                                        |                                                             | ngx_http_header_out_t  | headers_out      | struct pointer
                                      |                                        |                                                             | /* other variables were omitted */
    src/http/ngx_http_request.h       | ngx_http_header_in_t                   | none                                                        | off_t                  | content_length_n | signed type
                                      |                                        |                                                             | /* other variables were omitted */
    src/http/ngx_http_request.h       | ngx_http_header_out_t                  | none                                                        | off_t                  | content_length_n | signed type
                                      |                                        |                                                             | /* other variables were omitted */
  • 68. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
  Step 2. Step by step, analyze the source code
    [ src/http/modules/ngx_http_static_module.c ]
    static ngx_int_t
    ngx_http_static_handler(ngx_http_request_t *r)
    {
        u_char                    *last, *location;
        size_t                     root, len;
        ngx_str_t                  path;
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
        if (r->method & NGX_HTTP_POST) {
            return NGX_HTTP_NOT_ALLOWED;
        }

        rc = ngx_http_discard_request_body(r);

        if (rc != NGX_OK) {
            return rc;
        }

        log->action = "sending response to client";

        r->headers_out.status = NGX_HTTP_OK;
        r->headers_out.content_length_n = of.size;
        r->headers_out.last_modified_time = of.mtime;
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
  ngx_http_discard_request_body( ) is called from the static handler.
  • 69-70. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
  Step 2. Step by step, analyze the source code
    [ src/http/ngx_http_request_body.c ]
    ngx_int_t
    ngx_http_discard_request_body(ngx_http_request_t *r)
    {
        ssize_t       size;
        ngx_int_t     rc;
        ngx_event_t  *rev;
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }

        size = r->header_in->last - r->header_in->pos;

        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);

            if (rc != NGX_OK) {
                return rc;
            }

            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
  - The header is checked for chunked data (r->headers_in.chunked).
  - ngx_http_discard_request_body_filter( ) is called.
• 71. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code (this path contains the integer overflow vulnerability)
    static ngx_int_t
    ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
    {
        size_t                    size;
        ngx_int_t                 rc;
        ngx_http_request_body_t  *rb;

        if (r->headers_in.chunked) {
            rb = r->request_body;
            /* ... was omitted ... */
            for ( ;; ) {
                rc = ngx_http_parse_chunked(r, b, rb->chunked);
                if (rc == NGX_OK) {
                    /* a chunk has been parsed successfully */
                    size = b->last - b->pos;
                    if ((off_t) size > rb->chunked->size) {
                        b->pos += rb->chunked->size;
                        rb->chunked->size = 0;
                    } else {
                        rb->chunked->size -= size;
                        b->pos = b->last;
                    }
                    continue;
                }
                /* ... was omitted ... */
ngx_http_parse_chunked( ) is called here
• 72. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code
    ngx_int_t
    ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b, ngx_http_chunked_t *ctx)
    {
        /* ... was omitted ... */
        for (pos = b->pos; pos < b->last; pos++) {
            ch = *pos;
            /* ... was omitted ... */
            switch (state) {
            case sw_chunk_start:
                if (ch >= '0' && ch <= '9') {
                    state = sw_chunk_size;
                    ctx->size = ch - '0';
                    break;
                }
                c = (u_char) (ch | 0x20);
                if (c >= 'a' && c <= 'f') {
                    state = sw_chunk_size;
                    ctx->size = c - 'a' + 10;
                    break;
                }
                goto invalid;
            case sw_chunk_size:
                if (ch >= '0' && ch <= '9') {
                    ctx->size = ctx->size * 16 + (ch - '0');
                    break;
                }
                c = (u_char) (ch | 0x20);
                if (c >= 'a' && c <= 'f') {
                    ctx->size = ctx->size * 16 + (c - 'a' + 10);
                    break;
                }
                /* ... was omitted ... */
If ctx->size already holds a large number, the next step (ctx->size = ctx->size * 16 + digit) causes an integer overflow.
Source Path | Structure Name | Function Name | Variable Type | Variable Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | ngx_uint_t | state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t | size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | none | off_t | length | signed type
Because off_t is signed, the wrapped ctx->size is then interpreted as a negative number.
• 73. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code
        switch (state) {
        /* ... was omitted ... */
        case sw_chunk_size:
            if (ch >= '0' && ch <= '9') {
                ctx->size = ctx->size * 16 + (ch - '0');
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ctx->size = ctx->size * 16 + (c - 'a' + 10);
                break;
            }
        /* ... was omitted ... */
    data:
        ctx->state = state;
        b->pos = pos;
        switch (state) {
        case sw_chunk_start:
            ctx->length = 3 /* "0" LF LF */;
            break;
        case sw_chunk_size:
            ctx->length = 2 /* LF LF */
                          + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
            break;
        /* ... was omitted ... */
ctx->length is then computed from the negative ctx->size and is itself negative.
Source Path | Structure Name | Variable Type | Variable Name | Detail Info
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | ngx_uint_t | state |
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | off_t | size | signed type
src/http/ngx_http.h | ngx_http_chunked_s, ngx_http_chunked_t | off_t | length | signed type
• 74. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code
        /* ... was omitted ... */
        for ( ;; ) {
            rc = ngx_http_parse_chunked(r, b, rb->chunked);
            if (rc == NGX_OK) {
                /* a chunk has been parsed successfully */
                /* ... was omitted ... */
                continue;
            }
            if (rc == NGX_DONE) {
                /* a whole response has been parsed successfully */
                r->headers_in.content_length_n = 0;
                break;
            }
            if (rc == NGX_AGAIN) {
                /* set amount of data we want to see next time */
                r->headers_in.content_length_n = rb->chunked->length;
                break;
            }
        /* ... was omitted ... */
On NGX_AGAIN the negative rb->chunked->length is stored into r->headers_in.content_length_n.
Source Path | Structure Name | Variable Type | Variable Name | Detail Info
src/http/ngx_http_request.h | ngx_http_header_in_t | off_t | content_length_n | signed type
src/http/ngx_http_request.h | ngx_http_header_out_t | off_t | content_length_n | signed type
• 75. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code (this path contains the stack-based overflow vulnerability)
        /* ... was omitted ... */
        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }
        size = r->header_in->last - r->header_in->pos;
        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);
            if (rc != NGX_OK) {
                return rc;
            }
            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }
        rc = ngx_http_read_discarded_request_body(r);
        if (rc == NGX_OK) {
            r->lingering_close = 0;
            return NGX_OK;
        }
        if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
            return rc;
        }
        /* ... was omitted ... */
ngx_http_read_discarded_request_body( ) is called here
• 76. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code
    static ngx_int_t
    ngx_http_read_discarded_request_body(ngx_http_request_t *r)
    {
        size_t     size;
        ssize_t    n;
        ngx_int_t  rc;
        ngx_buf_t  b;
        u_char     buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];

        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "http read discarded body");

        ngx_memzero(&b, sizeof(ngx_buf_t));
        b.temporary = 1;

        for ( ;; ) {
            if (r->headers_in.content_length_n == 0) {
                r->read_event_handler = ngx_http_block_reading;
                return NGX_OK;
            }
            if (!r->connection->read->ready) {
                return NGX_AGAIN;
            }
            size = (size_t) ngx_min(r->headers_in.content_length_n,
                                    NGX_HTTP_DISCARD_BUFFER_SIZE);
            n = r->connection->recv(r->connection, buffer, size);
            /* ... was omitted ... */

    #define ngx_min(val1, val2)  ((val1 > val2) ? (val2) : (val1))
At this point r->headers_in.content_length_n has already been set to a negative number, so ngx_min returns it instead of NGX_HTTP_DISCARD_BUFFER_SIZE and the cast to size_t makes it a huge value. As a result, the code that is meant to prevent the buffer overflow is bypassed.
• 77. Stack layout of ngx_http_read_discarded_request_body( ): buffer[4096] | EBP | EIP. The chunked data is copied into buffer.
• 78. (stack diagram: buffer[4096], EBP and EIP all overwritten with 'A' bytes) If the chunked data is bigger than 4096 bytes, a stack buffer overflow occurs.
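To make the arithmetic of slides 72 to 78 concrete, here is an added example (not nginx's code): a model of the sw_chunk_size accumulation with a signed 64-bit off_t, the length derivation, and the ngx_min cast from ngx_http_read_discarded_request_body, next to a parser that rejects a wrapped size or length before it can reach content_length_n, which is the check a fix needs. The names chunked_ctx, hex_digit, parse_chunk_size_vulnerable, parse_chunk_size_fixed and discard_recv_size are this example's own, and the 16-digit chunk size is a constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelling CVE-2013-2028; not nginx's code. */
#define DISCARD_BUFFER_SIZE 4096                      /* NGX_HTTP_DISCARD_BUFFER_SIZE */
#define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

typedef struct {
    int64_t size;    /* models off_t ctx->size   (signed) */
    int64_t length;  /* models off_t ctx->length (signed) */
} chunked_ctx;

static int hex_digit(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch = (char) (ch | 0x20);                           /* fold to lowercase, as nginx does */
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Accumulates a chunk-size line like the 1.4.0 sw_chunk_size state:
 * size = size * 16 + digit, with no bound check.  The sum is kept in a
 * uint64_t (wrap-around is defined there) and then stored into the signed
 * field, giving the same bit pattern the signed multiply produced in nginx.
 * Returns 0 on success, -1 on an empty line or a non-hex byte. */
static int parse_chunk_size_vulnerable(const char *hex, chunked_ctx *ctx)
{
    uint64_t acc = 0;
    const char *p;

    if (*hex == '\0') return -1;
    for (p = hex; *p != '\0'; p++) {
        int d = hex_digit(*p);
        if (d < 0) return -1;
        acc = acc * 16 + (uint64_t) d;
    }
    ctx->size = (int64_t) acc;
    /* length = 2 (LF LF) + (size ? size + 4 (LF "0" LF LF) : 0), as on slide 73 */
    ctx->length = (int64_t) (2 + (acc ? acc + 4 : 0));
    return 0;
}

/* Same parse, but a wrapped (negative) size or length is rejected. */
static int parse_chunk_size_fixed(const char *hex, chunked_ctx *ctx)
{
    if (parse_chunk_size_vulnerable(hex, ctx) != 0) return -1;
    if (ctx->size < 0 || ctx->length < 0) return -1;
    return 0;
}

/* The recv() size from slide 76: a negative content_length_n is not > 4096,
 * so ngx_min returns it and the cast to size_t turns it into a huge value. */
static size_t discard_recv_size(int64_t content_length_n)
{
    return (size_t) ngx_min(content_length_n, DISCARD_BUFFER_SIZE);
}

int main(void)
{
    chunked_ctx ctx;
    const char *wrapping = "8000000000000000";         /* constructed: sets the sign bit */

    parse_chunk_size_vulnerable(wrapping, &ctx);
    printf("vulnerable: size=%lld length=%lld recv size=%zu\n",
           (long long) ctx.size, (long long) ctx.length, discard_recv_size(ctx.length));
    printf("fixed: rc=%d (rejected)\n", parse_chunk_size_fixed(wrapping, &ctx));
    return 0;
}
```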
• 80. Reverse Engineering
Some software code bases are larger than you can imagine; ridiculous, but possible.
It is hard to find vulnerabilities with reverse engineering and dynamic analysis, but you can find unique bugs that a fuzzer usually will not find.
Be specific with the big picture first: call graphs, system calls, associated data.
Then dive into the smaller parts.
Recognize well-known routines, e.g. crypto (RC4, RSA, etc.), memcpy, strcpy, etc.
• 81. Approach method (Reverse Engineering step)
Code Auditing / Reverse Engineering / Fuzzing → Find Vulnerability → Start Exploitation
Reverse Engineering FlowChart:
Understand overall flow → Search entry point → Check arguments → Function analysis → Check whether it causes a logical problem or not? (Y / N)
• 84. Debugging with script
The amount of code to look at can be reduced by using a script.
Call flow of a sample program:
    #include <stdio.h>

    void code1(void)
    {
        printf("code1\n");
    }

    void code2(void)
    {
        printf("code2\n");
    }

    int main(void)
    {
        printf("hello world\n");
        code1();
        code2();
        return 0;
    }
• 85. Debugging with script
Call trace produced by the script for the program above (one line per root function):
j_?code1@@YAXXZ call ?code1@@YAXXZ call _printf call __stbuf call __isatty call __output call write_char call write_char call write_char call write_char call write_char call write_char call __ftbuf call __flush call __write call __chkesp call
j_?code2@@YAXXZ call ?code2@@YAXXZ call _printf call __stbuf call __isatty call __output call write_char call write_char call write_char call write_char call write_char call write_char call __ftbuf call __flush call __write call __chkesp call
_main_0 call _main call _printf call __stbuf call __isatty call __malloc_dbg call __nh_malloc_dbg call __heap_alloc_dbg call __CrtDefaultAllocHook call __heap_alloc_base call _memset call _memset call _memset call __output call write_char call write_char call write_char call write_char call write_char call write_char call write_char call write_char call write_char call write_char call write_char call write_char call __ftbuf call __flush call __write call
The amount of code to look at can be reduced by using a script.
• 88. Fuzzing
Throw random bits at the program, and see if it handles them.
Popular, robust testing mechanism for software
Fast and effective
Easy to implement
Two types of fuzzing:
Dumb Fuzzing
Smart Fuzzing
• 89. Approach method (Fuzzing step)
Code Auditing / Reverse Engineering / Fuzzing → Find Vulnerability → Start Exploitation
Fuzzing FlowChart:
Data Analysis → Do you know the structure? (Y: Smart Fuzz, with Data Modeling and Data Type Classification / N: Dumb Fuzz) → Does a crash occur? (Y: Crash Analysis / N: continue fuzzing)
• 93. Specific targets for fuzzing
File Format (File Fuzzing)
Network Protocol (Network Fuzzing)
ActiveX (ActiveX Fuzzing)
Browser (Browser Fuzzing)
Etc.
• 94. Type of Fuzzing - Dumb Fuzzing
Dumb Fuzzing
Based on mutation
Little or no knowledge of the structure of the inputs is assumed
Most of the input data are invalid
Anomalies may be completely random or follow some heuristics
Anomalies are added to existing valid inputs
Example: m3u, pls, asx, etc.
• 95. Dumb fuzzing sample
File Format
[AAAAAAA....AAAA]
[normal data] + [AAAAAAA....AAAA]
[header] + [AAAAAAA....AAAA] + [eof]
Mutated normal file
Network Protocol
GET /AAAAAAA....AAAA.html HTTP/1.1
AAAAAAA....AAAA /indext.html HTTP/1.1
GET /index.html HTTTTTTTTTTTTTTTP/1.1
• 96. Type of Fuzzing - Smart Fuzzing
Smart Fuzzing
Based on generation
Knowledge of the structure of the inputs is needed
Test cases are generated from some description of the format (RFC, documents)
Consideration of data structure such as offset, checksum
• 97. Smart fuzzing sample
File Format
Consideration of data structure or relations
Variety of attack vectors: length, offset, object, etc.
Use 010 binary editor templates; free binary templates are available (*.bmp, *.zip, *.wav)
(010 Editor template view: int fields, a flag, a length-prefixed string and length-prefixed data fields)
• 98. Smart fuzzing sample
Network Protocol
Consideration of data structure or relations
Variety of attack vectors: host, content-length, etc.
Request line | POST index.html HTTP/1.1
Content-Type | application/x-www-form-urlencoded
Accept-Encoding | gzip deflate
User-Agent | Mozilla/4.0
Content-Length | 100
HOST | localhost:8080
• 99. Smart fuzzing sample
ActiveX
Parameter extraction
Input data to parameter: big data, invalid data, etc.
Generate HTML document
classID | parameter | value
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | A | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | B | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | C | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | D | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | E | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | F | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | G | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | H | Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | I | String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} | J | String
• 100. Smart fuzzing sample
Browser
Take the W3C specification
Group together (methods / attributes / properties)
Replace input values with getRandomValue( )
CVE-2012-2896 test case:
    <html>
    <head>
    <script>
    var gl = document.createElement("canvas").getContext('experimental-webgl')
    var texture = gl.createTexture()
    gl.bindTexture(gl.TEXTURE_2D, texture)
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
    gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))
    </script>
    </head>
    </html>
• 101. Phase 3. Crash
5 types of crash:
Read Access Violation near NULL
Read Access Violation not near NULL
Write Access Violation near NULL
Write Access Violation not near NULL
Unknown
• 102. What is an exploitable crash?
    mov eax, dword ptr [esi+0Ch]
    mov eax, dword ptr [ecx]
    mov edx, dword ptr [eax+5Ch]
    call edx
• 103. Demonstration
ActiveX module on Banking / Financial / Etc.
• 106. Demonstration
ActiveX module on Banking / Financial / Etc.
A stack buffer overflow occurs via strcpy( )
• 110. Thank You :)