- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Buffer Overflows and Java?!
It is widely assumed that Java is immune to buffer overflow problems. To a large extent this is true. Because Java has a type-safe memory model, falling off the end of an object and spilling elsewhere is not possible. This obviates many buffer overflow attacks. In fact, millions
• |
Table of Contents |
|
of dollars have been spent on the JVM, making the software environment resistant to many |
||
• |
Ind[8]ex |
As we know by now, any assumption about security is subject to |
classic attacks. |
ExploitinginterpretationSoftware(andHowrevision)to Break.CodeThe JVM may be structurally sound, but Java-based technology
has been exploited many times in public forums.
ByGreg Hoglund,Gary McGraw
[8] For a brief history of serious security problems in the JVM, however, see Securing Java [McGraw and
Publisher: Addison Wesley
Felten, 1998].
Pub Date: February 17, 2004
Exploits against Java-based systems are typically language-based attacks (type confusion)
ISBN: 0-201-78695-8
and trust exploits (code-signing errors), but even the buffer overflow has been successfully
Pages: 512
wielded from time to time against Java. Problem overflows typically occur in supporting code that is external to the JVM.
The JVM itself is often written in C for a given platform. This means that without careful attention to implementation details, the JVM itself may be susceptible to buffer overflow
How does software break? How do attackersimplementationake software break on purpose? Why are problems. Sun Microsystem's JVM reference is quite well inspected, however,
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? and static checks for vulnerable system calls yield little in the way of targets.
What tools can be used to break software? This book provides the answers.
The JVM itself aside, many buffer overflow problems in systems that include Java come about
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and because of supporting code. As an example, consider the Progress relational database
techniques used by bad guys to break software. If you want to protect your software from management system in which the jvmStart program will SEGV if large input parameters are
attack, you must first learn how real attacksagain)re really carried out.
supplied on the command line. This (once illustrates why software designers need to
consider entire systems and not simply constituent components
This must-have book may shock you—and it will certainly educate you.Getting beyond the |
||
script kiddie treatment found in many hacking books, you will learn about |
Next |
|
Previous |
< Day Day Up > |
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Content-Based Buffer Overflow
Data files are ubiquitous. They are used to store everything from documents to content media and critical computer settings. Every file has an inherent format that often encompasses special information such as file length, media type, and which fonts are boldface, all encoded
• |
Table of Contents |
directly in the data file. The attack vector against data files like these is simple: Mess up the |
|
• |
Index |
data file and wait for some unsuspecting user to open it.
Exploiting Software How to Break Code
Some kinds of files are strikingly simple and others have complex binary structures and
ByGreg Hoglund,Gary McGraw
numerical data embedded in them. Sometimes the simple act of opening a complex file in a
hex editor and tweaking a few bytes is enough to cause the (unsuspecting) program that
Publisher: Addison Wesley
consumes the file to crash and burn.
Pub Date: February 17, 2004
What'sISBN:really0-201interesting-78695-8 from an attacker's point of view is formatting data file-embedded poisonPages:pills512in such a way that virus code is activated. A great example of this involved the Winamp program in which an overly long IDv3 tag would cause a buffer overflow. In the header of an MP3 file, there is a location where a normal text string can be placed. This is called the IDv3 tag, and if an overly long tag were to be supplied, Winamp would suffer a buffer overflow. This could be used by an attacker to construct malicious music files that
attack the computer once they are opened in Winamp.
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by badOverflowguys to break software. If you want to protect your software from
Attack Pattern: Binary Resource File
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
The attacker modifies a resource file, such as a sound, video, graphic, or font file. script kiddie treatment found in many hacking books, you will learn about
Sometimes simply editing the target resource file in a hex editor is possible. The attacker modifies headers and structure data that indicate the length of strings,
and so forth.
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
* AttackExample:patterns Overflow Binary Resource File in Netscape
Reverse engineering
There exists a buffer overflow in Netscape Communicator versions before version 4.7 that can
be exploited via a dynamic font with a length field less than the actual size of the font. Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
Attack Pattern: Overflow Variables and Tags
The technical details of buffer overflows
Rootkits
In this case, the target is a program that reads formatted configuration data and
parses a tag or variable into an unchecked buffer. The attacker crafts a malicious
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break HTML page or configuration file that includes oversized strings, thus causing an
software.
overflow.
* Attack Example: Overflow Variables and Tags in MidiPlug
A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.
* Attack Example: Overflow Variables and Tags in Exim
A buffer overflow in Exim allows local users to gain root privileges by providing a long
:include: option in a .forward file.
•Table of Contents
•Index
Exploiting Software How to Break Code
Attack Pattern: Overflow Symbolic Links
ByGreg Hoglund,Gary McGraw
A user often has direct control over symbolic links. A symbolic link can
Publisher: Addison Wesley
occasionally provide access to a file that might otherwise be out of bounds.
Pub Date: February 17, 2004
Symbolic links provide similar avenues of attack as configuration files, although
ISBN: 0-201-78695-8
they are one level of indirection away. Remember that the target software will consumePages:the512data pointed to by the link file and sometimes use it to set variables. This often leads to an unchecked buffer.
*HowAttackdoes softwareExample:br ak?OverflowHow do attackerswith Symbolicmake s ftwareLinksbreakinonEFTPpurpose?ServerWhy are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk
(link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and overflow. First the attacker uploads some content (the link file) and then the attacker causes
techniques used by bad guys to break software. If you want to protect your software from the client consuming the data to be exploited. In this example, the ls command is exploited
attack, you must first learn how real attacks are really carried out. to compromise the server software.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
AttackWhy softwarePattern:exploitMIMEwillConversioncontinue to be a serious problem
When network security mechanisms do not work
The MIME system is designed to allow various different information formats to be
interpreted and sent via e-mail. Attack points exist when data are converted to Attack patterns
MIME-compatible format and back.
Reverse engineering
Classic attacks against server software
* Attack Example: Sendmail Overflow
Surprising attacks against client software
A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Attack Pattern: HTTP Cookies
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
Because HTTP is a stateless protocol, cookies (small files that are stored in a client browser) were invented, mostly to preserve state. Poor design of cookie handling systems leaves both clients and HTTP daemons susceptible to buffer overflow attack.
* Attack Example: Apache HTTPD Cookie Buffer Overflow
The Apache HTTPD is the most popular Web server in the world. HTTPD has built-in mechanisms to handle cookies. Versions 1.1.1 and earlier suffer from a cookie-induced buffer overflow.
All of these examples are just the tip of the iceberg. Client software programs are almost never well tested, let alone tested explicitly for security. One particularly interesting aspect of client-side exploits is that the exploit code ends up executing with whatever permissions the
• |
Table of Contents |
user has. This means the code ends up with access to everything the user has access |
|
• |
Index |
to—including interesting things like e-mail and confidential data.
Exploiting Software How to Break Code
Many of these attacks are particularly potent, especially when they are used in concert with
ByGreg Hoglund,Gary McGraw
social engineering. If, as an attacker, you can get somebody to open a file, you can usually
install a rootkit. Of course, because of the up-close and personal nature of opening a file,
Publisher: Addison Wesley
attack code needs to be stealthy to remain undetected.
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.