Format String Vulnerabilities
But first...
Let's study a worm!
The Ramen Worm
- Ramen is an Internet worm, which propagates from a Linux based server to another.
- Infection similar to Morris worm.
- The worm exploits found exploits of wu-ftpd, rpc.statd and lpd services.
- Creates directory "/usr/src/.poop/"
- copies itself as remen.tgz
- Runs a bash script with root access which does a couple of stuff.
...
Guess how does it exploit and propagate to other systems?
FORMAT STRING VULNERABILITIES!
The weak?
- wu-ftp upto 2.6.0
- Rpc.statd
- LPRng
-
the creator apparently did not leave a back door to regain shell access to the machine
-
the shell scripts for modifying the FTP exploit are written for both RedHat 6.2 (bd62.sh) and RedHat 7.0 (bd7.sh).
-
Hence, the creator takes unnecessary steps to fix the wu-ftpd exploit hole and also attempts to fix the same hole in RedHat 7.0 (bd7.sh), which is not even affected by this specific exploit.
\xDE\xAD\xBE\xEF_%x%x%x%n
Format String Vulns
How does a format string vulnerability looks like?
#include <stdio.h>
void function(char *user) {
printf(user);
}
The stack!
The behaviour of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack
So what is the stack anyway?
The stack ...
Stack is used largely during a function call but depending on the language and level of programming it may be used to temporarily store processor register data or other variables.
Is this vulnerable?
{
char buffer[512];
snprintf (buffer, sizeof (buffer), user);
buffer[sizeof (buffer) - 1] = ’\0’;
}
from wu-ftp 2.6!
{
char buffer[512];
snprintf (buffer, sizeof (buffer), user);
buffer[sizeof (buffer) - 1] = ’\0’;
}
Now is it vulnerable?
Before trying to exploit a service. We need a little low level prespective!
Useful format specifiers
%n
Instead of loading, it writes to the memory location on the stack.
%x
Reads a 32bit integer from the stack and displays it in hex.
Let's play Narnia!
Title Text
Subtitle
Format String vulnerabilities
By Aneesh Dogra
Format String vulnerabilities
- 505