- Exploiting Software How to Break Code
- Table of Contents
- Copyright
- Praise for Exploiting Software
- Attack Patterns
- Foreword
- Preface
- What This Book Is About
- How to Use This Book
- But Isn't This Too Dangerous?
- Acknowledgments
- Greg's Acknowledgments
- Gary's Acknowledgments
- Bad Software Is Ubiquitous
- The Trinity of Trouble
- The Future of Software
- What Is Software Security?
- Conclusion
- Chapter 2. Attack Patterns
- A Taxonomy
- An Open-Systems View
- Tour of an Exploit
- Attack Patterns: Blueprints for Disaster
- An Example Exploit: Microsoft's Broken C++ Compiler
- Applying Attack Patterns
- Attack Pattern Boxes
- Conclusion
- Into the House of Logic
- Should Reverse Engineering Be Illegal?
- Reverse Engineering Tools and Concepts
- Approaches to Reverse Engineering
- Methods of the Reverser
- Writing Interactive Disassembler (IDA) Plugins
- Decompiling and Disassembling Software
- Decompilation in Practice: Reversing helpctr.exe
- Automatic, Bulk Auditing for Vulnerabilities
- Writing Your Own Cracking Tools
- Building a Basic Code Coverage Tool
- Conclusion
- Chapter 4. Exploiting Server Software
- The Trusted Input Problem
- The Privilege Escalation Problem
- Finding Injection Points
- Input Path Tracing
- Exploiting Trust through Configuration
- Specific Techniques and Attacks for Server Software
- Conclusion
- Chapter 5. Exploiting Client Software
- Client-side Programs as Attack Targets
- In-band Signals
- Cross-site Scripting (XSS)
- Client Scripts and Malicious Code
- Content-Based Attacks
- Conclusion
- Chapter 6. Crafting (Malicious) Input
- The Defender's Dilemma
- Intrusion Detection (Not)
- Partition Analysis
- Tracing Code
- Reversing Parser Code
- Misclassification
- Audit Poisoning
- Conclusion
- Chapter 7. Buffer Overflow
- Buffer Overflow 101
- Injection Vectors: Input Rides Again
- Buffer Overflows and Embedded Systems
- Database Buffer Overflows
- Buffer Overflows and Java?!
- Content-Based Buffer Overflow
- Audit Truncation and Filters with Buffer Overflow
- Causing Overflow with Environment Variables
- The Multiple Operation Problem
- Finding Potential Buffer Overflows
- Stack Overflow
- Arithmetic Errors in Memory Management
- Format String Vulnerabilities
- Heap Overflows
- Buffer Overflows and C++
- Payloads
- Payloads on RISC Architectures
- Multiplatform Payloads
- Prolog/Epilog Code to Protect Functions
- Conclusion
- Chapter 8. Rootkits
- Subversive Programs
- A Simple Windows XP Kernel Rootkit
- Call Hooking
- Trojan Executable Redirection
- Hiding Files and Directories
- Patching Binary Code
- The Hardware Virus
- Low-Level Disk Access
- Adding Network Support to a Driver
- Interrupts
- Key Logging
- Advanced Rootkit Topics
- Conclusion
- References
- Index
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about
- Why software exploit will continue to be a serious problem
- When network security mechanisms do not work
- Attack patterns
- Reverse engineering
- Classic attacks against server software
- Surprising attacks against client software
- Techniques for crafting malicious input
- The technical details of buffer overflows
- Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Audit Truncation and Filters with Buffer Overflow

Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack.

Attack Pattern: Filter Failure through Buffer Overflow

In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. If the filter fails "open," you win.

* Attack Example: Filter Failure in Taylor UUCP Daemon

Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack.
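The fail-open failure mode described above, as an added illustration that is not code from the book or from the Taylor UUCP daemon: a toy argument filter that scans only a truncated copy of its input, beside a version that refuses oversized input outright. The length limit, the set of hostile bytes and the sample arguments are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 32                   /* most the toy daemon can hold */
static const char HOSTILE[] = ";|&`$";   /* bytes a shell would interpret */

/* Fail-open filter: the hostile-byte check runs on a truncated copy, so
 * anything past ARG_MAX_LEN is never inspected, while the daemon later
 * uses the untouched original. Returns 1 when the argument is accepted. */
int filter_fail_open(const char *arg) {
    char copy[ARG_MAX_LEN + 1];
    strncpy(copy, arg, ARG_MAX_LEN);
    copy[ARG_MAX_LEN] = '\0';            /* silent truncation */
    return strpbrk(copy, HOSTILE) == NULL;
}

/* Fail-closed filter: an argument longer than what the program can hold
 * is refused outright, and the whole string is scanned. */
int filter_fail_closed(const char *arg) {
    if (strlen(arg) > ARG_MAX_LEN)
        return 0;                        /* oversized: refuse, never truncate */
    return strpbrk(arg, HOSTILE) == NULL;
}

/* Models the daemon passing the ORIGINAL argument on once the filter
 * accepts it. Returns 1 if a hostile byte reaches that stage. */
int hostile_reaches_exec(int (*filter)(const char *), const char *arg) {
    return filter(arg) && strpbrk(arg, HOSTILE) != NULL;
}

/* Constructed inputs: a clean argument, a short hostile one, and an
 * oversized one whose hostile byte sits just past the cut-off. */
void sample_inputs(char *clean, char *hostile_short, char *oversized) {
    strcpy(clean, "remote-host");
    strcpy(hostile_short, "host;x");
    memset(oversized, 'a', ARG_MAX_LEN);
    oversized[ARG_MAX_LEN] = ';';
    oversized[ARG_MAX_LEN + 1] = '\0';
}

int main(void) {
    char clean[64], hostile_short[64], oversized[64];
    sample_inputs(clean, hostile_short, oversized);
    printf("fail-open lets hostile through: %d\n",
           hostile_reaches_exec(filter_fail_open, oversized));    /* 1 */
    printf("fail-closed lets hostile through: %d\n",
           hostile_reaches_exec(filter_fail_closed, oversized));  /* 0 */
    return 0;
}
```

Both filters agree on short input; only the oversized argument separates them, which is why a length-based test is the first check to run against any sanitizer.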
Causing Overflow with Environment Variables

A number of attacks are based on playing with environment variables. Environment variables are yet another location where buffer overflow can be used to serve up a nice platter of untrusted bytes. In the case of environment variables, the target program is taking input that should never be trusted and is using it somewhere really important.

Attack Pattern: Buffer Overflow with Environment Variables

Programs consume a huge number of environment variables, but they often do so in unsafe ways. This attack pattern involves determining whether a particular environment variable can be used to cause the program to misbehave.

* Attack Example: Buffer Overflow in $HOME

A buffer overflow in sccw allows local users to gain root access via the $HOME environment variable.

* Attack Example: Buffer Overflow in TERM

A buffer overflow in the rlogin program involves its consumption of the TERM environment variable.

Attack Pattern: Buffer Overflow in an API Call

Libraries or shared code modules can suffer from buffer overflows too. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.

* Attack Example: Libc in FreeBSD

A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.

* Attack Example: Xtlib

A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.

Attack Pattern: Buffer Overflow in Local Command-line Utilities

Command-line utilities available in a number of shells can be used to escalate privilege to root.

* Attack Example: HPUX passwd

A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.

* Attack Example: Solaris getopt

A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].
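An added illustration (not the book's code, nor that of sccw or rlogin) of the hardened way to consume a variable such as $HOME or TERM: the value is treated as untrusted input and its length is checked before it is copied into a fixed-size buffer, with an oversized value refused rather than truncated. PATH_BUF and the constructed long value are assumptions of the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64   /* assumed fixed-size buffer a program keeps $HOME in */

enum env_status { ENV_OK = 0, ENV_UNSET = 1, ENV_TOO_LONG = 2 };

/* Models the unsafe pattern (strcpy of a getenv() result into a fixed
 * buffer) by reporting only whether such a copy would overrun dstsz
 * bytes, so it can be run without corrupting memory. */
int unchecked_copy_would_overflow(const char *value, size_t dstsz) {
    return value != NULL && strlen(value) + 1 > dstsz;
}

/* Core of the hardened reader, kept separate from getenv() so it can be
 * exercised on constructed values. Length is checked before any write. */
enum env_status copy_env_value(const char *value, char *dst, size_t dstsz) {
    if (value == NULL)
        return ENV_UNSET;
    size_t n = strlen(value);
    if (n + 1 > dstsz)
        return ENV_TOO_LONG;             /* refuse; never truncate silently */
    memcpy(dst, value, n + 1);           /* copies the NUL as well */
    return ENV_OK;
}

/* Hardened reader for a named variable in the real environment. */
enum env_status env_copy_bounded(const char *name, char *dst, size_t dstsz) {
    return copy_env_value(getenv(name), dst, dstsz);
}

/* Constructed sample: a value of len bytes, the shape of input that the
 * $HOME and TERM examples above consumed unsafely. buf must hold len + 1. */
void constructed_long_value(char *buf, size_t len) {
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void) {
    char value[256], home[PATH_BUF];
    constructed_long_value(value, 200);
    printf("unchecked copy of 200-byte value overflows: %d\n",
           unchecked_copy_would_overflow(value, sizeof home));     /* 1 */
    printf("bounded reader on that value: %d\n",
           copy_env_value(value, home, sizeof home));              /* 2 */
    printf("real $HOME status: %d, TERM status: %d\n",
           env_copy_bounded("HOME", home, sizeof home),
           env_copy_bounded("TERM", home, sizeof home));
    return 0;
}
```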
The Multiple Operation Problem

Whenever data are manipulated by a function, the function should track exactly what it's doing to the data. This is straightforward when only one function is "munging" data. But when multiple operations are working on the same data, keeping track of the effects of each operation gets much harder. Incorrect tracking leads to big problems. This is especially true if the operation changes a string somehow.

There are a number of common operations on strings that will change the size of the string. The problem we're discussing occurs if the code performing the conversion does not resize the buffer that the string lives in.

Attack Pattern: Parameter Expansion

If supplied parameters are expanded into a larger string by a function, but the larger size is not accounted for, an attacker gains a foothold. This happens when the original string size may be (incorrectly) considered by later parts of the program.

* Attack Example: FTP glob()

The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing.
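An added illustration of the parameter expansion pattern, constructed for this page rather than taken from the book or from any ftpd glob() implementation: a toy expansion that escapes metacharacters, so its output grows past its input, beside a wrapper that computes the expanded size before writing. The metacharacter set and the sample parameter are assumptions.

```c
#include <stdio.h>
#include <string.h>

static const char META[] = "*?[]";   /* assumed bytes the expansion doubles */

/* Bytes the expanded string needs, NUL included. Computing this BEFORE
 * writing is the step the vulnerable pattern skips. */
size_t expanded_size(const char *in) {
    size_t n = 1;
    for (; *in; in++)
        n += strchr(META, *in) ? 2 : 1;
    return n;
}

/* Writes the expansion (each META byte becomes '\' + byte) and returns the
 * bytes written, NUL included. It trusts the caller to have sized out: when
 * out was sized from strlen(in) + 1, this is the overflow the text describes. */
size_t expand_unchecked(const char *in, char *out) {
    char *p = out;
    for (; *in; in++) {
        if (strchr(META, *in))
            *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return (size_t)(p - out) + 1;
}

/* Hardened wrapper: refuses to expand unless the result fits in outsz.
 * Returns 0 on success, -1 when the expansion would overrun out. */
int expand_bounded(const char *in, char *out, size_t outsz) {
    if (expanded_size(in) > outsz)
        return -1;
    expand_unchecked(in, out);
    return 0;
}

/* By how many bytes a buffer sized for the ORIGINAL string would be overrun. */
size_t overrun_bytes(const char *in) {
    size_t orig = strlen(in) + 1, need = expanded_size(in);
    return need > orig ? need - orig : 0;
}

int main(void) {
    const char *arg = "a*b?";            /* constructed sample parameter */
    char out[16];
    printf("overrun if sized from original: %zu bytes\n", overrun_bytes(arg)); /* 2 */
    printf("bounded into 5 bytes: %d\n", expand_bounded(arg, out, 5));         /* -1 */
    printf("bounded into 16 bytes: %d -> %s\n", expand_bounded(arg, out, sizeof out), out);
    return 0;
}
```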