
Pages: 42 (10457 words) Published: 28 July 2012
Exploiting Format String Vulnerabilities
scut / team teso
September 1, 2001

version 1.2

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Buffer Overflows vs. Format String Vulnerabilities . . . . . . . 3
1.2 Statistics: important format string vulnerabilities in 2000 . . 3

2 The format functions . . . . . . . . . . . . . . . . . . . . . . . 4
2.1 How does a format string vulnerability look like . . . . . . . . 4
2.2 The format function family . . . . . . . . . . . . . . . . . . . 5
2.3 Use of format functions . . . . . . . . . . . . . . . . . . . . . 6
2.4 What exactly is a format string ? . . . . . . . . . . . . . . . . 6
2.5 The stack and its role at format strings . . . . . . . . . . . . 7

3 Format string vulnerabilities . . . . . . . . . . . . . . . . . . 8
3.1 What do we control now ? . . . . . . . . . . . . . . . . . . . . 9
3.2 Crash of the program . . . . . . . . . . . . . . . . . . . . . . 9
3.3 Viewing the process memory . . . . . . . . . . . . . . . . . . . 10
3.3.1 Viewing the stack . . . . . . . . . . . . . . . . . . . . . . 10
3.3.2 Viewing memory at any location . . . . . . . . . . . . . . . 10
3.4 Overwriting of arbitrary memory . . . . . . . . . . . . . . . . . 11
3.4.1 Exploitation - similar to common buffer overflows . . . . . . 12
3.4.2 Exploitation - through pure format strings . . . . . . . . . 13

4 Variations of Exploitation . . . . . . . . . . . . . . . . . . . . 18
4.1 Short Write . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2 Stack Popping . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Direct Parameter Access . . . . . . . . . . . . . . . . . . . . . 20

5 Brute Forcing . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.1 Response Based Brute Force . . . . . . . . . . . . . . . . . . . 21
5.2 Blind Brute Forcing . . . . . . . . . . . . . . . . . . . . . . . 23

6 Special Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1 Alternative targets . . . . . . . . . . . . . . . . . . . . . . . 23
6.1.1 GOT overwrite . . . . . . . . . . . . . . . . . . . . . . . . 24
6.1.2 DTORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.1.3 C library hooks . . . . . . . . . . . . . . . . . . . . . . . 25
6.1.4 atexit structures . . . . . . . . . . . . . . . . . . . . . . 25
6.1.5 function pointers . . . . . . . . . . . . . . . . . . . . . . 25
6.1.6 jmpbuf's . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.2 Return into LibC . . . . . . . . . . . . . . . . . . . . . . . . 26
6.3 Multiple Print . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.4 Format string within the Heap . . . . . . . . . . . . . . . . . . 27
6.5 Special considerations . . . . . . . . . . . . . . . . . . . . . 28

7 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.1 ltrace, strace . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.2 GDB, objdump . . . . . . . . . . . . . . . . . . . . . . . . . . 29

1 Introduction

This article explains the nature of a phenomenon that has shocked the security community in the second half of the year 2000. Known as ‘format string vulnerabilities’, a whole new class of vulnerabilities has been disclosed and caused a wave of exploitable bugs being discovered in all kinds of programs, ranging from small utilities to big server applications.

The article will try to explain the structure of the vulnerability and later use this knowledge to build sophisticated exploits. It will show you how to discover format string vulnerabilities in C source code, and why this new kind of vulnerability is more dangerous than the common buffer overflow vulnerability.

The article is based on a German speech I gave at the 17th Chaos Communication Congress [2] in Berlin, Germany. After the speech I got numerous requests to translate it and received a lot of positive feedback. All this motivated me to revise the document, update and...