Software flaw #1: Signed conversion vulnerability

To better understand this kind of flaw let's consider following code:

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

int read_from_file()
{
    char size;
    char buf[32];
    buf[1] = 0;
    int fd;

    if((fd = open("fileSubverted", O_RDONLY)) == -1) {
        perror("[open file]");
        return -1;
    }

    if(read(fd, &size, sizeof(char)) == -1) {
        perror("[read size]");
        return -1;
    }
    if(size > 32) {
        fprintf(stderr, "Too big size\n");
        return -1;
    }

    unsigned char s = size;
    if(read(fd, buf, s) == -1) {
        perror("[read content]");
        return -1;
    }

    return 0;
}

int main()
{
    if(read_from_file() == -1)
        exit(1);

    return 0;
}
 

* the above code should work without an explicit casting of size variable to unsigned int type (the bolded line) but in my environment it doesn't - without this cast I get EDEFAULT (Bad address) error from read function.

Problem lies in implicit conversion of 'size' variable form char type to size_t (unsigned int) type, if user provides negative value for 'size' (let's say -2) it will pass the 'if(size > 32)' check and it will be converted to size_t type while invoking read(...) function which will be 0x000000fe in 2's complement representation. Provided that file is bigger than 32 bytes, 'buf' buffer overflow will occur.

Attack:

Commands below will generate file that will cause application to crash (Segmentation fault), due to buffer overflow which overwrites return address from read_from_file function:

echo -e '\xfe'`perl -e 'print "A"x250'` > maliciousFile

or in pure Bash:

echo -e '\xfe'`printf 'A%.0s' {1..255}` > maliciousFile

Countermeasures:

1) Best in this situation is to declare size variable as unsigned char

2) Change validation condition to: if( size < 0 || size > 32) { //generate error }

Simple intrusion detection using standard UNIX commands

After I'm done with configuring and hardening Linux server I'm doing "reference of the server" by writing output from several crucial commands to my laptop:

ps -x -o user,command

netstat -natuw
find / -uid 0 -perm -4000 -print

find / -size +10000k -print

crontab -u root -l

Then using this simple script on regular basis, I have chance to detect compromised boxes:

#!/bin/bash

function usage
{
    echo "Usage: $0 <hostname>"
}

function getSrvAddr
{
    case $1 in
        'hostname1' ) echo "ssh user@srv1.addr"
            ;;
        'hostname2' ) echo "ssh user@srv2.addr"
            ;;
        * ) echo -n ""
    esac
}

HOSTNAME=$1
REFERENCE_PATH=~/lab/configs/myServers/${HOSTNAME}
SERVER=`getSrvAddr "$HOSTNAME"`
CMDS=(
    "ps -x -o user,command"
    "netstat -natuw"
    "find / -uid 0 -perm -4000 -print"
    "find / -size +10000k -print"
    "crontab -u root -l"
)

if [ -z "$SERVER" ]; then
    usage
    exit 1
fi

i=0
for FILE in ${REFERENCE_PATH}/*; do
    echo
    echo "########################################################################"
    echo  ${SERVER} ${CMDS[$i]}
    echo "########################################################################"
    echo
    diff -w -u <(sort $FILE) <(${SERVER} ${CMDS[$i]} 2> /dev/null | sort)
    i=$((i+1))
done

Basically, what the script does is compare server's initial output from several UNIX commands with it's current output. Using this script I can easily extend it for more commands and more servers. It's very simple method of intrusion detection (and by no mean 100% reliable!) but it's good addition to other mechanisms that should be in place.

What works in software security testing

... at least in opinion's of two companies that treat software security more and more seriously (Microsoft) and lives from software (in)security (Matasano Chargen):

Here's an interesting series of articles from Microsoft

Here's much shorter article from Matasano

Introduction to fuzzing

Fuzzing is an effective technique for finding potential security bugs in software. I will show two examples of fuzzing using SPIKE and SPIKEfile frameworks.

SPIKE is framework for fuzzing network protocols. Let's say that we want to o fuzz UDP server that communicates using very simple protocol:

[length][string]

So in the packet there are sent: length (32 bit integer) and string (of earlier sent length). To fuzz it we create following SPIKE script (mz.spk):

s_blocksize_string("fileformat", 4);

s_block_start("fileformat");

s_string(" ");

s_string_variable("abc");

s_block_end("fileformat");

Now we can execute generic_send_udp fuzzer from SPIKE framework:

$ ./generic_send_udp 127.0.0.1 81 mz.spk 0 0 10

We can observe packets sent by the fuzzer with tcpdump:

$ sudo tcpdump -i lo -n -X udp port 81

SPIKEfile is fuzzer based on SPIKE for file formats fuzzing. Let's consider badly vulnerable, sample application that opens a file (with format identical with packet format that we discussed above):

 int main(int argc, char **argv)

{

    FILE *f = fopen(argv[1], "r");

    int num;

    char array[650] = {0};

    fscanf(f, "%d %s", &num, array);

    fclose(f);

    printf("num: %d, array: %s\n", num, array);

    return 0;

}

As we can see, data from the file is copied to array without any length checking. We will fuzz it the same way as previous (using the same SPIKE script) but with SPIKEfile fuzzer:

$ ./SPIKEfile -f file.mz mz.spk 0 0 "./vuln_app %FILENAME%"

On each crash SPIKEfile will generate report with stack dump.

This two simple examples show philosophy behind fuzzing using SPIKE based fuzzers. When we have more complicated network protocol or file format, our SPIKE script is much longer (the better we now fuzzed protocol/file format the more effective fuzzing becomes) but the approch is the same.

hping2 and tcpdump

Common use cases:

1) configuring tcpdump to display all packets with your machine's IP address and the IP address of the target machine, in either direction

# tcpdump -nn host <my_machine_ip> and host <target_machine_ip>

2) Pinging with choosen payload

$ hping2 --icmp --data 40 --file <file_with_payload> <dest_addr>

# tcpdump -nnX icmp    # shows us only icmp traffic in hex and ASCII formats without any names

3) Lunching "land attack"*

$ hping2 --count 1 --baseport 80 --destport 80 --syn --spoof <victim_addr> <victim_addr>

# tcpdump -nn tcp and host <victim_addr>

* land attack is an attack in which SYN packet with src IP addr equal to dest IP addr and src port equal to dst port is sent to the victim

Challenge 7 of the Forensic Challenge 2011

Challenge 7 "Forensic analysis of a compromised server" from the Honeynet Project has come to the end. I've got 20 from 23 possible points plus 2 bonus points - not bad at all! Here you can find my answers.

The power of Awk

Recently I've been busy with analyzing results of Challenge 5 of the Honeynet Forensic Challenge. The winner has written nice script for analyzing auth.log file. The script is written in Python and can be found here. I decided to implement such script in Awk. It turned out tha Awk is perfectly suited to this kind of work, here's the script:

cat auth.log | awk '

    $0 !~ /sshd/ {next};

    {ip=$11};

    /invalid/ {ip=$13};

    /Failed/ {

        Fails[ip] += 1;

        if(Fails[ip] == 1)

            StartTime[ip] = $1 " " $2 " " $3;

        EndTime[ip] = $1 " " $2 " " $3;

    };

    /Accepted/ {

        if(Fails[ip] > 0) {

            Accepts[ip] += 1;

            Details[ip] = sprintf("%s %s %s\n", Details[ip], $1 " " $2 " " $3, $9);

        }

    };

    END {

        for(key in Fails) {

            if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) {

                print "Attacker IP: " key

                print "Start time: " StartTime[key]

                print "End time: " EndTime[key]

                print "Login attempts: " Fails[key]

                if(Accepts[key] > 0) {

                    print "Successfull attempts: " Accepts[key];

                    print Details[key];

                }

                printf "\n"

            }

        }

    }'

About 26 lines of code as opposed to 136 lines of Python version!

And here's one-liner (shorter but less verbose) version of the script:

 $ cat auth.log | awk '$0 !~ /sshd/ {next}; {ip=$11}; /invalid/ {ip=$13}; /Failed/ {Fails[ip] += 1 }; /Accepted/ {if(Fails[ip] > 0) Accepts[ip] += 1 }; END { for(key in Fails) {if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) print key": "Fails[key] "\t Successes: " Accepts[key]} }'