Skip to main content

Exploits

  • The easiest way of getting access to a machine is having the user install something for you
  • A software or hardware bug that allows an attacker to circumvent an OS security perimeter

Memory Management

In C and C++ programmer preforms the memory management

  • Buffer Overruns
  • Stack Overruns
  • Heap Overruns Other languages manage this but have their own vulnerabilities

Buffer Overflows

  • When a program is executed, contiguous blocks of memory can be allocated to store arrays (buffer)
  • If data is written into a buffer that exceeds its size, an overflow occurs
  • The data will overwrite the memory beyond the buffer

Program Memory

  • Memory is stored in a virtual address space
  • Parts of the program are held in different regions by convention
  • Different restrictions are placed on these regions

The Stack

  • In C and C+, low level functions perform no bounds checking at all
  • If str is long, can write into other memory

Stack Smashing

  • By crafting the string, can overwrite the buffer and return address with custom exploit code

Protection: Canaries

  • Stack canaries modify the prologue and epilogue of all functions to check a value in front of the return address is unchanged
  • If the canary value can be worked out there is no issue.

Data Execution Prevention (NX)

  • Modern operating systems (where possible) will mark the stack as non-executable
    • NX on AMD, XD on intel, XN on arm
  • An NX stack means that adding in our exploit code wont work
  • Can circumvent this using a return-to-libc attack

Further protection

  • Defeat ret2libc, various 0x0 null bytes are inserted into standard library addresses
  • Developers also restrict access to obvious system calls
  • Address Space Layout Randomisation (ASLR) moves the address of library and programs around
  • Don't have to move too much before your hand-crafted ret address will break

Race Conditions - With concurrent threads or processes, timing can lead to security vulnerabilities. Where items rely on another thing at the same time

Heartbleed

  • Bug in OpenSSL
  • Specifically targets the heartbeat extension - buffer over-read
  • Extension to regular SSL
  • Used to keepalive purposes, to stop quiet connections being closed
  • Not always used, optional in SSL