Format String Vulnerabilities

But first...

Let's study a worm!

The Ramen Worm

Ramen is an Internet worm, which propagates from a Linux based server to another.
Infection similar to Morris worm.
The worm exploits found exploits of wu-ftpd, rpc.statd and lpd services.

Creates directory "/usr/src/.poop/"
copies itself as remen.tgz
Runs a bash script with root access which does a couple of stuff.

...

Guess how does it exploit and propagate to other systems?

FORMAT STRING VULNERABILITIES!

The weak?

wu-ftp upto 2.6.0
Rpc.statd
LPRng

the creator apparently did not leave a back door to regain shell access to the machine
the shell scripts for modifying the FTP exploit are written for both RedHat 6.2 (bd62.sh) and RedHat 7.0 (bd7.sh).
Hence, the creator takes unnecessary steps to fix the wu-ftpd exploit hole and also attempts to fix the same hole in RedHat 7.0 (bd7.sh), which is not even affected by this specific exploit.

\xDE\xAD\xBE\xEF_%x%x%x%n

Format String Vulns

How does a format string vulnerability looks like?

#include <stdio.h>

void function(char *user) {
    printf(user);
}

The stack!

The behaviour of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack

So what is the stack anyway?

The stack ...

Stack is used largely during a function call but depending on the language and level of programming it may be used to temporarily store processor register data or other variables.

Is this vulnerable?

{
    char buffer[512];
    snprintf (buffer, sizeof (buffer), user);
    buffer[sizeof (buffer) - 1] = ’\0’;
}

from wu-ftp 2.6!

{
    char buffer[512];
    snprintf (buffer, sizeof (buffer), user);
    buffer[sizeof (buffer) - 1] = ’\0’;
}

Format String Vulnerabilities

But first...

The weak?

the creator apparently did not leave a back door to regain shell access to the machine

the shell scripts for modifying the FTP exploit are written for both RedHat 6.2 (bd62.sh) and RedHat 7.0 (bd7.sh).

Hence, the creator takes unnecessary steps to fix the wu-ftpd exploit hole and also attempts to fix the same hole in RedHat 7.0 (bd7.sh), which is not even affected by this specific exploit.

\xDE\xAD\xBE\xEF_%x%x%x%n

Format String Vulns

How does a format string vulnerability looks like?

The stack!

The stack ...

Is this vulnerable?

from wu-ftp 2.6!

Now is it vulnerable?

Before trying to exploit a service. We need a little low level prespective!

Useful format specifiers

%n

Instead of loading, it writes to the memory location on the stack.

%x

Reads a 32bit integer from the stack and displays it in hex.

Let's play Narnia!

Title Text

Subtitle

Format String vulnerabilities

Format String vulnerabilities

Aneesh Dogra

Format String Vulnerabilities

But first...

The weak?

the creator apparently did not leave a back door to regain shell access to the machine

the shell scripts for modifying the FTP exploit are written for both RedHat 6.2 (bd62.sh) and RedHat 7.0 (bd7.sh).

Hence, the creator takes unnecessary steps to fix the wu-ftpd exploit hole and also attempts to fix the same hole in RedHat 7.0 (bd7.sh), which is not even affected by this specific exploit.

\xDE\xAD\xBE\xEF_%x%x%x%n

Format String Vulns

How does a format string vulnerability looks like?

The stack!

The stack ...

Is this vulnerable?

from wu-ftp 2.6!

Now is it vulnerable?

Before trying to exploit a service. We need a little low level prespective!

Useful format specifiers

%n

Instead of loading, it writes to the memory location on the stack.

%x

Reads a 32bit integer from the stack and displays it in hex.

Let's play Narnia!

Title Text

Subtitle

Format String vulnerabilities

More from Aneesh Dogra