python_feedgen_maxwelldulin.invades.space.rss.xml - sfeed_tests - sfeed tests a… | |
git clone git://git.codemadness.org/sfeed_tests | |
--- | |
python_feedgen_maxwelldulin.invades.space.rss.xml (96900B) | |
--- | |
1 <?xml version='1.0' encoding='UTF-8'?> | |
2 <rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl… | |
3 | |
4 <h2>Introduction</h2> | |
5 <p> | |
6 Recently, a friend of mine (from outside the United States) had a third … | |
7 </p> | |
8 | |
9 <h2>Back to the Basics</h2> | |
10 | |
11 <p> | |
12 If a website has user accounts, there are some basic operations on them: | |
13 <ul> | |
14 <li>Create Account</li> | |
15 <li>Login</li> | |
16 <li>Forgot Password/ Password Reset</li> | |
17 <li>Update Account</li> | |
18 <li>Delete Account</li> | |
19 <li>View Account</li> | |
20 </ul> | |
21 | |
22 If any of these is done in an insecure way, major havoc can occur. In this … | |
23 </p> | |
24 | |
25 <h3> | |
26 Basic Flow of Password Reset | |
27 </h3> | |
28 <p> | |
29 What do you do if a user forgets their password? Well, you want them to … | |
30 </p> | |
31 <p> | |
32 Generally, a user's account is tied to an email. With this, the website c… | |
33 </p> | |
34 | |
35 <!-break--> | |
36 | |
37 <p> | |
38 Once the link is clicked on, a user can select their new password. When … | |
39 </p> | |
40 | |
41 <h2> | |
42 What Went Wrong #1 - Email Enumeration (Low) | |
43 </h2> | |
44 <p> | |
45 From the very beginning, the reset functionality had issues. The initial… | |
46 <div style="width:98%; font-size:80%; text-align:center; float : left… | |
47 | |
48 With a valid email, it just said that the email had been sent. | |
49 </p> | |
50 <p> | |
51 But, why is this bad? Because it is trivial to distinguish between a val… | |
52 </p> | |
53 | |
54 <h2> | |
55 What Went Wrong #2 - Host Header Injection (High) | |
56 </h2> | |
57 | |
58 <p> | |
59 Now, this time, we are going to input a valid email address. Everything … | |
60 </p> | |
61 | |
62 <h3> | |
63 Host Header | |
64 </h3> | |
65 <p> | |
66 HTTP sends a plethora of different headers on each request, such as the … | |
67 <code>Specifies the domain name of the server. | |
68 </code> by Mozilla. In layman's terms, this simply means the host … | |
69 </p> | |
70 | |
71 <p> | |
72 Even though the Host is set in the browser on a normal request (and cann… | |
73 </p> | |
74 | |
75 <h3> | |
76 Havoc | |
77 </h3> | |
78 <p> | |
79 The Host Header is sometimes used in order to create links from it. So, … | |
80 <div style="width:98%; font-size:80%; text-align:center; float : left… | |
81 </p> | |
82 | |
83 <p> | |
84 What's the attack here though? Well, this means that when the link is cl… | |
85 | |
86 <div style="width:98%; font-size:80%; text-align:center; float : left… | |
87 </p> | |
88 | |
89 <h2> | |
90 What Went Wrong #3 - Short Reset Token (Medium/High) | |
91 </h2> | |
92 <p> | |
93 If we ignore the first issue (that takes a single click from the user) w… | |
94 </p> | |
95 <p> | |
96 Mathematically, this is 10^6 or 1,000,000 chances. With no throttling an… | |
97 </p> | |
98 | |
99 <p> | |
100 By requesting a reset email for a single user then attempting <i>e… | |
101 </p> | |
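As an added illustration of why a six-digit token is too short and what a sufficient replacement looks like (this is example code written for this page, not the site's or the author's code), the following C snippet draws a 128-bit token from the operating system's CSPRNG, checks its format before any lookup, and compares it in constant time. It assumes a POSIX system that exposes /dev/urandom; `search_space()` reproduces the 10^6 figure above for the 6-digit case and the 2^128 figure for the 32-hex-character replacement.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TOKEN_BYTES   16                 /* 128 bits of entropy per reset token */
#define TOKEN_HEX_LEN (TOKEN_BYTES * 2)  /* 32 hex characters on the wire */

/* Size of the space an attacker has to search: alphabet^length, as a long double so the
 * 2^128 case does not overflow. search_space(10, 6) is the 1,000,000 of the 6-digit token. */
long double search_space(unsigned alphabet, unsigned length)
{
    long double n = 1.0L;
    for (unsigned i = 0; i < length; i++)
        n *= alphabet;
    return n;
}

/* Write a hex-encoded token drawn from the kernel CSPRNG into `out` (TOKEN_HEX_LEN + 1 bytes).
 * Assumes a POSIX system exposing /dev/urandom. Returns 0 on success and -1 on failure; it never
 * falls back to rand()/time(), which would make tokens guessable again. */
int generate_reset_token(char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[TOKEN_BYTES];
    if (outlen < TOKEN_HEX_LEN + 1)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[TOKEN_HEX_LEN] = '\0';
    return 0;
}

/* Accept only exactly TOKEN_HEX_LEN lowercase hex characters before the token is used in a
 * lookup: a malformed token is rejected up front and never reaches the database. */
int token_format_ok(const char *t)
{
    size_t i;
    for (i = 0; t[i] != '\0'; i++) {
        unsigned char c = (unsigned char)t[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')))
            return 0;
    }
    return i == TOKEN_HEX_LEN;
}

/* Constant-time comparison of two tokens that have both passed token_format_ok(): the loop
 * never exits early, so timing does not leak how many leading characters matched. */
int token_equal(const char *supplied, const char *stored)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < TOKEN_HEX_LEN; i++)
        diff |= (unsigned char)(supplied[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    char token[TOKEN_HEX_LEN + 1];
    if (generate_reset_token(token, sizeof token) != 0)
        return 1;
    printf("6-digit token search space: %.0Lf\n", search_space(10, 6));
    printf("128-bit token search space: %.3Le\n", search_space(16, TOKEN_HEX_LEN));
    printf("example token: %s (valid format: %d)\n", token, token_format_ok(token));
    return 0;
}
```

Token length is only half of the story: the server still has to throttle attempts per account and per source, expire the token after a short window, and invalidate it on first use, all of which the test case list further down covers.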
102 | |
103 <h2> | |
104 What Went Wrong #4 - Lack of Server Side Validation (Critical) | |
105 </h2> | |
106 | |
107 <p> | |
108 You are probably thinking <i>'There are already two ways to take o… | |
109 </p> | |
110 | |
111 <p> | |
112 Upon clicking on the link to go back to the website, the magic token was… | |
113 | |
114 </p> | |
115 | |
116 <h3> | |
117 Lack of Validation of Token | |
118 </h3> | |
119 <p> | |
120 The first request validates the password reset token. But, the second re… | |
121 <div style="width:98%; font-size:80%; text-align:center; float : left… | |
122 | |
123 Notice that the above request does not include the <i>magic value&… | |
124 </p> | |
125 | |
126 | |
127 <h2> | |
128 Fixing | |
129 </h2> | |
130 <p> | |
131 The creators of the website were from a third world country where Englis… | |
132 </p> | |
133 | |
134 <p> | |
135 After reporting the findings, the token was being validated on the backe… | |
136 </p> | |
137 | |
138 <h2> | |
139 Test Cases | |
140 </h2> | |
141 | |
142 <p> | |
143 Password reset functionality is one of the hardest aspects of the user e… | |
144 <ul> | |
145 <li>Username/email enumeration</li> | |
146 <li>Host Header Injection</li> | |
147 <li>Insufficient Length of Reset Tokens </li> | |
148 <li>Lack of Validation of Magic Values</li> | |
149 <li>Extended Expiration Time on Token</li> | |
150 <li>Lack of Brute Force Protections</li> | |
151 </ul> | |
152 | |
153 Besides the issues described above, there are a few more that should be … | |
154 | |
155 <ul> | |
156 <li>Sending New Passwords over Email</li> | |
157 <li>Lack of Two Factor Authentication</li> | |
158 <li>Multiple Uses for a Single Reset Token</li> | |
159 <li>Reset tokens Not Specific To User</li> | |
160 </ul> | |
161 | |
162 This is a fairly good list for testing password reset functionality. But… | |
163 </p> | |
164 | |
165 <h3> | |
166 Defense In Depth | |
167 </h3> | |
168 <p> | |
169 Some of the issues listed above do not lead to a direct compromise of th… | |
170 </p> | |
171 | |
172 <p>For instance, the <i>insufficient token length</i> … | |
173 </p> | |
174 | |
175 <p> | |
176 Overall, adding slight security optimizations makes the overall security… | |
177 </p> | |
178 | |
179 | |
180 <h2> | |
181 Conclusion | |
182 </h2> | |
183 <p> | |
184 Security is hard to get right! This is why having hackers poke around is… | |
185 </p></description><guid isPermaLink="false">https://maxwelldulin.c… | |
186 Introduction | |
187 </h2> | |
188 <p> | |
189 Exploiting different heap libraries tends to be difficult, complex and r… | |
190 </p> | |
191 | |
192 <p>In this article, I wanted to shed more light on the exploitatio… | |
193 </p> | |
194 | |
195 <p> | |
196 Just as a fair warning, this article has quite a bit of background knowl… | |
197 <ul> | |
198 <li>Malloc Chunk (general)</li> | |
199 <li>Mmap and Munmap</li> | |
200 <li>Malloc Mmap Chunks </li> | |
201 <li>ELF Symbol Resolution</li> | |
202 </ul> | |
203 </p> | |
204 | |
205 | |
206 <p> | |
207 The article also comes with a working POC on version 2.31 of Malloc on m… | |
208 </p> | |
209 | |
210 <h2> | |
211 GLibC Malloc Background | |
212 </h2> | |
213 | |
214 <h3> | |
215 Chunks | |
216 </h3> | |
217 | |
218 <p> | |
219 Chunks are the main object that users interact with. There are two main … | |
220 <div style="width: 98%; font-size:80%; text-align:center; float : lef… | |
221 | |
222 | |
223 The first field is the size of the previous chunk (prev_size). This is o… | |
224 </p> | |
225 | |
226 <p> | |
227 On an allocated (non-free) chunk, the third and fourth fields are used as… | |
228 </p> | |
229 | |
230 <p> | |
231 This is a very small background on chunks but is all that is needed for … | |
232 </p> | |
233 | |
234 <h2> | |
235 Mmap and Munmap | |
236 </h2> | |
237 <p> | |
238 <i>Mmap</i> is used in order to create a new address mapping… | |
239 </p> | |
240 | |
241 <p> | |
242 Munmap is the opposite of mmap: <i>munmap</i> deletes the ma… | |
243 </p> | |
244 | |
245 <h2> | |
246 GLibC Malloc Mmap Chunks | |
247 </h2> | |
248 <p> | |
249 In Malloc, if a requested size is above a certain threshold then a separ… | |
250 </p> | |
251 | |
252 <h3> | |
253 Mmap Chunks Differences | |
254 </h3> | |
255 | |
256 <p> | |
257 <div style="width:97%; font-size:80%; text-align:center; border: 1px … | |
258 | |
259 Once an mmap chunk is freed, it is sent back to system memory with a … | |
260 </p> | |
261 | |
262 <p> | |
263 | |
264 With mmap chunks, the prev_size field is used for part of the chunk that… | |
265 </p> | |
266 | |
267 <p> | |
268 The final difference is that the second bit of the size is used in order… | |
269 </p> | |
270 | |
271 <h3> | |
272 Munmap Madness | |
273 </h3> | |
274 | |
275 <p> | |
276 With the funky handling of mmap chunks in GLibC, it was inevitable that someb… | |
277 </p> | |
278 | |
279 <p> | |
280 What we are taking from the <i>Munmap Madness</i> articl… | |
281 </p> | |
282 | |
283 | |
284 <h2> | |
285 Symbol Lookup | |
286 </h2> | |
287 <p> | |
288 With ELF files, one would think that Symbol Lookup would be a trivial ta… | |
289 </p> | |
290 | |
291 <h3> | |
292 PLT and GOT | |
293 </h3> | |
294 | |
295 <p> | |
296 Have you ever wondered <b>how</b> library functions are magi… | |
297 </p> | |
298 | |
299 <div style="width:97%; float:left; font-size:80%; text-align:center; … | |
300 | |
301 <p> | |
302 First off, a library function call is replaced with a function stub, kno… | |
303 </p> | |
304 | |
305 <p> | |
306 The <i>first time</i> a call is made, the process is passed … | |
307 </p> | |
308 | |
309 <p> | |
310 The next time that the PLT entry for a function is called, the entry is … | |
311 </p> | |
312 | |
313 <p> | |
314 For more information on the PLT and GOT, please refer to the <a href=… | |
315 </p> | |
316 | |
317 <h3> | |
318 Symbol Resolving (ld) | |
319 </h3> | |
320 | |
321 <p> | |
322 Now, here is the black magic-y part: <i>how does the loader know w… | |
323 </p> | |
324 | |
325 <h2> | |
326 Game Plan | |
327 </h2> | |
328 <p> | |
329 Whooo... that was a lot of background information just to understand thi… | |
330 </p> | |
331 | |
332 <p> | |
333 The plan for exploitation is as follows: | |
334 <ol> | |
335 <li> | |
336 Overwrite mmap chunk <i>size</i> or <i>prev_size</i… | |
337 </li> | |
338 <li>Free the mmap chunk (with munmap) to override part of the memo… | |
339 <li>Get mmap chunk over the top of LibC region.</li> | |
340 <li>Rewrite <code>.gnu.hash</code> and <code>.dy… | |
341 <li>Call previously uncalled function for code execution.</li&g… | |
342 </ol> | |
343 | |
344 At a high level, the steps are shown above. The goal is to rewrite the s… | |
345 </p> | |
346 | |
347 <h2> | |
348 Altering Mmap Chunk Size | |
349 </h2> | |
350 <h3> | |
351 Why? | |
352 </h3> | |
353 <p> | |
354 The purpose of this step is to change the size of the chunk to <i>… | |
355 </p> | |
356 | |
357 <h3> | |
358 Mmap Chunk Review | |
359 </h3> | |
360 <p> | |
361 Mmap chunks have two main components that dictate the addresses to be fr… | |
362 </p> | |
363 | |
364 <p> | |
365 By altering the <i>size</i> of a chunk, we can control the a… | |
366 </p> | |
367 | |
368 <h3> | |
369 Valid Chunks | |
370 </h3> | |
371 | |
372 <p> | |
373 For an mmap chunk, the following must be true: | |
374 <ul> | |
375 <li>Mmap bit must be set (2nd bit of the size metadata)</li> | |
376 <li><code>prev_size + size</code> must be a page si… | |
377 </ul> | |
378 | |
379 The source code for both of these checks can be seen in Figure 2 (way ab… | |
380 </p> | |
381 | |
382 <h3> | |
383 Chunk Attack Size | |
384 </h3> | |
385 <p> | |
386 The size of the chunk is different on a case by case basis. The importan… | |
387 </p> | |
388 | |
389 <p> | |
390 In general, the size to overwrite with can be calculated with the follow… | |
391 </p> | |
392 | |
393 <h2> | |
394 Free the Chunk | |
395 </h2> | |
396 <p> | |
397 From the previous step, we have created an mmap chunk that has a size ov… | |
398 </p> | |
399 | |
400 <h2> | |
401 Overlap Chunk with LibC | |
402 </h2> | |
403 | |
404 <p> | |
405 <div style="width:97%; font-size:80%; text-align:center; float : left… | |
406 | |
407 From the previous step, we have removed a significant portion of LibC fr… | |
408 </p> | |
409 | |
410 Although the allocation appears to be simple, it is more complicated tha… | |
411 <ul> | |
412 <li>mmap_threshold</li> | |
413 <li>Heap Locations</li> | |
414 </ul> | |
415 | |
416 </p> | |
417 | |
418 <h3> | |
419 mmap_threshold | |
420 </h3> | |
421 <p> | |
422 Very large chunks (<i>mmap chunks</i>) are assigned in a com… | |
423 </p> | |
424 | |
425 <p> | |
426 When an mmap chunk is freed, the size of the chunk is checked with the &… | |
427 </p> | |
428 | |
429 <p> | |
430 If the size of the chunk being allocated is NOT larger than the mmap_thr… | |
431 </p> | |
432 <h3> | |
433 Heap Locations | |
434 </h3> | |
435 <p> | |
436 The heap location question is simply whether the spot in virtual memory is actua… | |
437 </p> | |
438 | |
439 <p> | |
440 Getting the mmap chunks directly behind LibC just requires some knowledg… | |
441 | |
442 <ul> | |
443 <li>Memory above LibC and below the loader</li> | |
444 <li>Below the mmap_base (practically, just below LibC). Allocation… | |
445 </ul> | |
446 </p> | |
447 | |
448 <p> | |
449 Now that the chunk has been allocated into the proper location (over Lib… | |
450 </p> | |
451 | |
452 <p> | |
453 NOTE: Mmap returns fresh pages that are zero-filled. So, all of the values from… | |
454 </p> | |
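The three steps above (forge the size, free the chunk, re-map over LibC) as a standalone C simulation. This is example code added for this page, not the author's POC; it mirrors the checks in glibc's `munmap_chunk()` and the dynamic `mmap_threshold` update in `__libc_free()` as of glibc 2.31. The addresses are constructed, and the 4 KiB page size, 16-byte chunk header and 32 MiB `DEFAULT_MMAP_THRESHOLD_MAX` are the 64-bit x86 values, assumed here.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   0x1000ULL   /* assumption: 4 KiB pages, the x86-64 default */
#define IS_MMAPPED  0x2ULL      /* bit 2 of the size field marks an mmap chunk */
#define SIZE_BITS   0x7ULL      /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define CHUNK_HDR   16ULL       /* chunk2mem(): the user pointer is two size_t past the header */
#define DEFAULT_MMAP_THRESHOLD     (128ULL * 1024)          /* initial mp_.mmap_threshold */
#define DEFAULT_MMAP_THRESHOLD_MAX (4ULL * 1024 * 1024 * 8) /* 32 MiB on 64-bit */
#define powerof2(x) (((x) & ((x) - 1)) == 0)

/* Step 2, "Free the Chunk": what munmap_chunk() does with a chunk header. The region handed to
 * munmap(2) starts at chunk - prev_size and spans prev_size + size. Returns 1 and fills in the
 * range when the chunk passes glibc's checks (mmap bit set, start and length page-aligned, user
 * pointer at most MALLOC_ALIGNMENT past a page boundary); returns 0 where glibc would abort
 * with "munmap_chunk(): invalid pointer" (or, without the mmap bit, take the arena path). */
int munmap_range(uint64_t chunk, uint64_t prev_size, uint64_t size_field,
                 uint64_t *start, uint64_t *len)
{
    if ((size_field & IS_MMAPPED) == 0)
        return 0;
    uint64_t size  = size_field & ~SIZE_BITS;  /* chunksize(): strip the flag bits */
    uint64_t block = chunk - prev_size;        /* start of the mapping to release */
    uint64_t total = prev_size + size;         /* length of the mapping to release */
    uint64_t mem   = chunk + CHUNK_HDR;
    if (total == 0 || ((block | total) & (PAGE_SIZE - 1)) != 0)
        return 0;
    if (!powerof2(mem & (PAGE_SIZE - 1)))
        return 0;
    *start = block;
    *len   = total;
    return 1;
}

/* Step 1, "Altering Mmap Chunk Size": forge a size field so that freeing `chunk` releases
 * everything from the chunk's own mapping up to `target_end`, the end of the LibC region that a
 * later attacker-controlled allocation should be mapped over. prev_size is left as glibc set it
 * (normally 0, since an mmap chunk starts on a page boundary); the length is rounded up to pages. */
uint64_t forge_size_for_target(uint64_t chunk, uint64_t prev_size, uint64_t target_end)
{
    uint64_t total = target_end - (chunk - prev_size);
    total = (total + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return (total - prev_size) | IS_MMAPPED;   /* keep the bit so free() takes the munmap path */
}

/* Step 3, "Overlap Chunk with LibC": the dynamic mmap_threshold. Freeing an mmap chunk raises the
 * threshold to that chunk's size, forged or not, so the allocation meant to land over LibC has to
 * ask for at least that much or it will be carved from the heap instead. mallopt(M_MMAP_THRESHOLD)
 * sets no_dyn_threshold and pins the value. */
typedef struct {
    uint64_t mmap_threshold;
    int      no_dyn_threshold;
} mparams;

void mparams_init(mparams *mp)
{
    mp->mmap_threshold   = DEFAULT_MMAP_THRESHOLD;
    mp->no_dyn_threshold = 0;
}

/* sysmalloc(): a request whose chunk size reaches the threshold is served by a fresh mmap. */
int would_mmap(const mparams *mp, uint64_t chunk_size)
{
    return chunk_size >= mp->mmap_threshold;
}

/* __libc_free() on an mmap chunk, just before munmap_chunk(): bump the threshold. */
void free_mmapped(mparams *mp, uint64_t chunk_size)
{
    if (!mp->no_dyn_threshold && chunk_size > mp->mmap_threshold
        && chunk_size <= DEFAULT_MMAP_THRESHOLD_MAX)
        mp->mmap_threshold = chunk_size;
}

int main(void)
{
    uint64_t chunk = 0x7f0000000000ULL, libc_end = 0x7f00001e0000ULL, start, len;  /* constructed */
    uint64_t forged = forge_size_for_target(chunk, 0, libc_end);
    mparams mp;
    mparams_init(&mp);
    if (!munmap_range(chunk, 0, forged, &start, &len))
        return 1;
    printf("free() will munmap [%#llx, %#llx)\n",
           (unsigned long long)start, (unsigned long long)(start + len));
    free_mmapped(&mp, forged & ~SIZE_BITS);
    printf("mmap_threshold is now %#llx; a 0x21000 chunk would%s be mmapped\n",
           (unsigned long long)mp.mmap_threshold, would_mmap(&mp, 0x21000) ? "" : " not");
    return 0;
}
```

The interplay between steps 2 and 3 is the part that bites in practice: the forged size that makes `free()` unmap LibC is also the size `__libc_free()` copies into `mp_.mmap_threshold`, so the follow-up allocation has to be at least that large (and below `DEFAULT_MMAP_THRESHOLD_MAX`, or the threshold stays put) before it is served by `mmap` and can land in the hole.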
455 | |
456 <h2> | |
457 Rewriting LibC .gnu.hash and .dynsym | |
458 </h2> | |
459 <p> | |
460 Recall, from the previous step, we control a chunk that overlaps with wh… | |
461 </p> | |
462 | |
463 <p> | |
464 Now begins the real fun :) Rewriting the symbol resolution process! In o… | |
465 <ol> | |
466 <li>Copy in the LibC sections byte for byte. Then, make several sm… | |
467 <li>Completely reverse the process and deterministically figure ou… | |
468 <li>Step through the code in GDB to understand the loader and writ… | |
469 </ol> | |
470 | |
471 Option 1 is likely easiest but would not help me understand the resolvin… | |
472 | |
473 <p> | |
474 After ruling out the copy-paste method of 1 and the hard reversing of 2,… | |
475 </p> | |
476 | |
477 <h3> | |
478 What Is Actually Needed? | |
479 </h3> | |
480 <p> | |
481 First, let's set up a nice debugging ENV. Viewing assembly by itself is v… | |
482 </p> | |
483 <p> | |
484 After stepping through a program with the source code hooked up, I reali… | |
485 <ul> | |
486 <li>l_gnu_bitmask</li> | |
487 <li>l_gnu_buckets</li> | |
488 <li>l_gnu_chain_zero</li> | |
489 <li>Symbol Table Entry</li> | |
490 </ul> | |
491 | |
492 The first three entries have to do with <b>locating</b> the … | |
493 </p> | |
494 | |
495 <h3> | |
496 Symbol Table Entry Locating | |
497 </h3> | |
498 <p> | |
499 After setting up a version of LibC with debugging symbols and source cod… | |
500 <div style="width:97%; font-size:80%; text-align:center; border: 1px … | |
501 </p> | |
502 | |
503 <p> | |
504 After reversing the symbol table resolving process for a while, it becam… | |
505 </p> | |
506 | |
507 <p> | |
508 The function <code>do_lookup_x</code> | |
509 iterates all ELF files until it finds the one with the proper symbol. St… | |
510 <ol> | |
511 <li>Found a LibC value that is corrupted (this is going to be NULL… | |
512 <li>Found <i>proper</i> value in non-corrupted version… | |
513 <li>Wrote proper value to the same exact location in LibC (corrupt… | |
514 <li>Repeat steps 1-3 until the entire symbol resolution process is… | |
515 </ol> | |
516 | |
517 After repeating this step a handful of times, the proper values will be … | |
518 </p> | |
519 | |
520 <h3> | |
521 Symbol Tables | |
522 </h3> | |
523 <p> | |
524 Once the entry has been located, faking the symbol table entry is very s… | |
525 <pre> | |
526 typedef struct { | |
527 Elf64_Word st_name;      /* offset of the name in .dynstr */ | |
528 unsigned char st_info;   /* binding (high 4 bits) and type (low 4 bits) */ | |
529 unsigned char st_other;  /* visibility */ | |
530 Elf64_Half st_shndx;     /* section index; SHN_UNDEF (0) marks an undefined symbol */ | |
531 Elf64_Addr st_value;     /* address, relative to the load base in a shared object */ | |
532 Elf64_Xword st_size;     /* size of the object the symbol describes */ | |
533 } Elf64_Sym; | |
534 </pre> | |
535 | |
536 It is recommended that the <i>entire</i> symbol table entry … | |
537 </p> | |
538 | |
539 <p> | |
540 Assuming this is a relative offset entry (which can be altered with the … | |
541 </p> | |
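To make the three `l_gnu_*` fields and the `Elf64_Sym` entry concrete, here is a self-contained C model of the `.gnu.hash` lookup that `do_lookup_x` performs, with a tiny constructed `.dynsym`/`.dynstr`. This is example code written for this page, not glibc's loader or the author's POC; the symbol names, offsets and load base are made up. It shows what the PLT ends up calling once the symbol table is under attacker control, and which fields the lookup insists on (hence the advice above to fill in the entire entry).

```c
#include <stdint.h>
#include <string.h>

/* Elf64_Sym as in <elf.h>, redeclared so the example builds anywhere. */
typedef struct {
    uint32_t      st_name;   /* offset into .dynstr */
    unsigned char st_info;   /* binding << 4 | type; lookup skips STB_LOCAL */
    unsigned char st_other;
    uint16_t      st_shndx;  /* SHN_UNDEF (0) entries are skipped by lookup */
    uint64_t      st_value;  /* offset from the load base in a shared object */
    uint64_t      st_size;
} Sym;

#define NSYMS       4    /* index 0 is STN_UNDEF; 1..3 hold the constructed symbols */
#define SYMOFFSET   1    /* first .dynsym index covered by the hash table */
#define NBUCKETS    2
#define BLOOM_SIZE  1    /* one 64-bit bloom word */
#define BLOOM_SHIFT 5
#define GLOBAL_FUNC 0x12 /* STB_GLOBAL << 4 | STT_FUNC */

/* Stand-in for what do_lookup_x() reads from a loaded object: .gnu.hash (l_gnu_bitmask,
 * l_gnu_buckets, l_gnu_chain_zero) plus .dynsym and .dynstr. */
typedef struct {
    uint64_t bloom[BLOOM_SIZE];
    uint32_t buckets[NBUCKETS];
    uint32_t chain[NSYMS - SYMOFFSET];   /* indexed by symidx - SYMOFFSET */
    Sym      syms[NSYMS];
    char     strtab[32];
} Dso;

/* dl_new_hash(): the hash .gnu.hash is keyed on. */
uint32_t gnu_hash(const char *s)
{
    uint32_t h = 5381;
    for (; *s != '\0'; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

static uint64_t bloom_mask(uint32_t h)
{
    return (1ULL << (h % 64)) | (1ULL << ((h >> BLOOM_SHIFT) % 64));
}

/* Lay the table out the way a linker does: symbols grouped by bucket, the low bit of the last
 * chain word in each bucket set as terminator, bloom bits set for every symbol. */
void build_dso(Dso *d, const char *const names[], const uint64_t values[])
{
    memset(d, 0, sizeof *d);
    uint32_t next = SYMOFFSET, stroff = 1;           /* strtab[0] is the empty string */
    for (uint32_t b = 0; b < NBUCKETS; b++) {
        uint32_t first = next;
        for (int i = 0; i < NSYMS - SYMOFFSET; i++) {
            uint32_t h = gnu_hash(names[i]);
            if (h % NBUCKETS != b)
                continue;
            Sym *s = &d->syms[next];
            s->st_name = stroff;  s->st_info = GLOBAL_FUNC;  s->st_shndx = 1;
            s->st_value = values[i];
            strcpy(d->strtab + stroff, names[i]);
            stroff += (uint32_t)strlen(names[i]) + 1;
            d->chain[next - SYMOFFSET] = h & ~1u;
            d->bloom[(h / 64) % BLOOM_SIZE] |= bloom_mask(h);
            next++;
        }
        if (next > first) {
            d->buckets[b] = first;
            d->chain[next - 1 - SYMOFFSET] |= 1;      /* end of this bucket's chain */
        }
    }
}

/* The lookup do_lookup_x() performs: bloom filter, bucket, then a chain walk that compares hashes
 * before names and rejects entries that are undefined, zero-valued or STB_LOCAL. */
Sym *lookup(Dso *d, const char *name)
{
    uint32_t h = gnu_hash(name);
    if ((d->bloom[(h / 64) % BLOOM_SIZE] & bloom_mask(h)) != bloom_mask(h))
        return NULL;                                  /* definitely not in this object */
    uint32_t symidx = d->buckets[h % NBUCKETS];
    if (symidx == 0)
        return NULL;
    for (;; symidx++) {
        uint32_t ch = d->chain[symidx - SYMOFFSET];
        Sym *s = &d->syms[symidx];
        if ((ch | 1) == (h | 1) && strcmp(d->strtab + s->st_name, name) == 0
            && s->st_shndx != 0 && s->st_value != 0 && (s->st_info >> 4) != 0)
            return s;
        if (ch & 1)
            return NULL;                              /* chain exhausted */
    }
}

/* What the PLT stub ends up jumping to: load base plus whatever st_value the table yields. */
uint64_t resolve(Dso *d, uint64_t base, const char *name)
{
    Sym *s = lookup(d, name);
    return s ? base + s->st_value : 0;
}
```

Drive it by calling `build_dso()` with three names and offsets, then set `lookup(&d, "puts")->st_value` to the offset of `system`: `resolve(&d, base, "puts")` now returns `system`'s address, which is exactly what the first lazy call through the `puts` PLT entry would jump to after the `.dynsym` rewrite. If the bloom word, the bucket or the chain word for the name is zeroed (as it is in the freshly mapped memory), `lookup()` returns NULL and the loader reports an undefined symbol instead, which is why those three fields have to be reconstructed too.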
542 | |
543 <h2> | |
544 Function Call | |
545 </h2> | |
546 <p> | |
547 What can we call? We can call ANY function (or in the middle of a functi… | |
548 </p> | |
549 | |
550 <p> | |
551 The function that is going to be called must be a symbol table overwritt… | |
552 </p> | |
553 | |
554 <p> | |
555 This can be used to call <i>system</i>, a one_gadget, anothe… | |
556 </p> | |
557 | |
558 <h2> | |
559 Thoughts | |
560 </h2> | |
561 <p> | |
562 Overall, this technique is pretty devastating but is extremely technical… | |
563 </p> | |
564 <h3> | |
565 Pros | |
566 </h3> | |
567 <p> | |
568 Very large chunks (mmap) are typically not discussed much with heap expl… | |
569 </p> | |
570 | |
571 <p> | |
572 Here are some pros to the technique: | |
573 <ul> | |
574 <li>Bypasses <u>address space layout randomization</u>… | |
575 <li>Requires NO leaks.</li> | |
576 <li>A single buffer overflow can be enough to start this exploitat… | |
577 <li>Mmap chunk heap exploitation technique, which is not discussed… | |
578 </ul> | |
579 </p> | |
580 | |
581 <h3> | |
582 Cons | |
583 </h3> | |
584 <p> | |
585 | |
586 <ul> | |
587 <li>This technique does require the ability to overwrite the s… | |
588 <li>Known <b>relative</b> location of the overwritten … | |
589 <li>Full RELRO or static compilation would prevent this attack fro… | |
590 <li>The LibC (or other library) version being attacked must be kno… | |
591 <li>Fairly good control over the size of allocations in order to g… | |
592 </ul> | |
593 | |
594 Being able to overwrite the size of an <i>mmap</i> chunk is … | |
595 </p> | |
596 | |
597 <h3> | |
598 POC | |
599 </h3> | |
600 <p> | |
601 Want to see an actual POC? As part of documenting this technique, the Gi… | |
602 </p> | |
603 | |
604 <h2> | |
605 Conclusion | |
606 </h2> | |
607 | |
608 <p> | |
609 Overall, this is an incredible technique for gaining code execution, alt… | |
610 </p> | |
611 | |
612 <p> | |
613 Major S/O's to the <a href="https://dayzerosec.com/">Day[0]</a&… | |
614 </p> | |
615 </description><guid isPermaLink="false">https://maxwelldulin.com/BlogPos… | |
616 Introduction | |
617 </h2> | |
618 | |
619 <p> | |
620 Have you ever discovered something amazing only to later realize that so… | |
621 </p> | |
622 | |
623 <p> | |
624 When I started looking for new ways to exploit the allocator via the <… | |
625 only to realize that there is a <i>fastbin</i> variant of t… | |
626 </p> | |
627 | |
628 <p> | |
629 This post will (hopefully) have a POC in <a href="https://github.com… | |
630 </p> | |
631 | |
632 <p> | |
633 Before we get to the meat of the technique, we will go over how the heap… | |
634 </p> | |
635 | |
636 <h2> | |
637 Chunks | |
638 </h2> | |
639 | |
640 <p> | |
641 Chunks are the main object that users interact with. There are two main … | |
642 <div style="width: 98%; font-size:80%; text-align:center; float : lef… | |
643 | |
644 | |
645 The first field is the size of the previous chunk (prev_size). This is o… | |
646 </p> | |
647 | |
648 <p> | |
649 On an allocated (non-free) chunk, the third and fourth fields are used as… | |
650 </p> | |
651 | |
652 <h2> | |
653 Bins | |
654 </h2> | |
655 | |
656 <p>When using Malloc, chunks that are freed are put into a local s… | |
657 </p> | |
658 | |
659 <p> | |
660 There are multiple kinds of bins for different sizes and situations. A… | |
661 </p> | |
662 | |
663 <h3> | |
664 Fastbin | |
665 </h3> | |
666 | |
667 <p> | |
668 Prior to version 2.26 (current at 2.33), the fastbin was the first locat… | |
669 </p> | |
670 | |
671 <p> | |
672 Fastbins use a <i>singly linked list</i>, while several of t… | |
673 </p> | |
674 | |
675 <p> | |
676 Only fastbins are necessary for understanding how this technique works. … | |
677 </p> | |
678 | |
679 <h2>Arenas</h2> | |
680 | |
681 <p> | |
682 Arenas are a <code>struct</code> that is shared between thre… | |
683 </p> | |
684 | |
685 <p> | |
686 A single threaded process has a single arena called the <i>main ar… | |
687 </p> | |
688 | |
689 <h3> | |
690 Non-Main Arena Bit | |
691 </h3> | |
692 | |
693 <p> | |
694 First, we need to learn about the third bit of the <i>size</i&g… | |
695 </p> | |
696 | |
697 <h3> | |
698 Finding the Arena | |
699 </h3> | |
700 | |
701 <p> | |
702 <div style="width: 500px; font-size:80%; text-align:center; padding: … | |
703 The <a href="https://elixir.bootlin.com/glibc/glibc-2.23/source/mallo… | |
704 <pre> | |
705 #define arena_for_chunk(ptr) \ | |
706 chunk_non_main_arena (ptr) ? /* is the NON_MAIN_ARENA bit (bit 3) of the size set? */ \ | |
707 heap_for_ptr (ptr)->ar_ptr : /* yes: arena pointer read from the heap_info */ \ | |
708 &main_arena /* no: the global main arena inside libc */ | |
709 </pre> | |
710 </p> | |
711 | |
712 <p> | |
713 The else (second part of the conditional from the <a href="https://ww… | |
714 </p> | |
715 | |
716 <p> | |
717 The first part of the conditional (line #3 above) is for a <i>non… | |
718 <pre> | |
719 #define heap_for_ptr(ptr) \ | |
720 ((heap_info *) \ | |
721 ((unsigned long) (ptr) & \ | |
722 ~(HEAP_MAX_SIZE - 1))) | |
723 </pre> | |
724 </p> | |
725 | |
726 <p> | |
727 The <code>heap_for_ptr</code> macro takes the chunk being fr… | |
728 </p> | |
729 | |
730 <p> | |
731 This is quite clever! The user will always have a pointer to the malloc … | |
732 </p> | |
733 | |
734 <p> | |
735 To wrap this up, here are the important notes: | |
736 <ul> | |
737 <li>The <code>arena_for_chunk</code> macro gets the ar… | |
738 <li> The <i>non-main arena</i> bit specifies which fun… | |
739 <li>The <i>main arena</i> is stored in a global variab… | |
740 </ul> | |
741 | |
742 For more information on GLibC arenas, sploitfun covers it extensively &l… | |
743 </p> | |
744 | |
745 <h2> | |
746 Flow of the Attack | |
747 </h2> | |
748 <p> | |
749 The attack writes the pointer of a chunk being freed to a nearly arbitra… | |
750 </p> | |
751 | |
752 <p> | |
753 For the attack itself, it can be broken up into several stages: | |
754 | |
755 <ul> | |
756 <li>Heap Feng Shui (aligning controllable data with <code>he… | |
757 <li>Creating a fake <code>heap_info</code> and arena&… | |
758 <li>Corrupting a fastbin sized chunk</li> | |
759 <li>Trigger the write via freeing the altered chunk</li> | |
760 </ul> | |
761 | |
762 The steps for this attack will be broken down in the sections below. | |
763 </p> | |
764 | |
765 <h2> | |
766 Heap Feng Shui | |
767 </h2> | |
768 <p> | |
769 As in the original House of Mind, our main goal is to create a fake aren… | |
770 </p> | |
771 | |
772 <p> | |
773 From looking at the macro <code>heap_for_ptr</code> (shown a… | |
774 </p> | |
775 | |
776 <h3> | |
777 Alignment of Allocations | |
778 </h3> | |
779 <p> | |
780 By allocating a large amount of chunks from the heap (ensure the size of… | |
781 All we have to do is manipulate the heap so that the | |
782 attacker controls the area of memory that the corrupted chunk is aligned… | |
783 </p> | |
784 | |
785 <p> | |
786 The <code>HEAP_MAX_SIZE</code> value varies depending on man… | |
787 </p> | |
788 | |
789 <p> | |
790 Once we have a chunk at the proper location lined up, we need to set up t… | |
791 </p> | |
792 | |
793 <h2> | |
794 Setting Up Fake Heap_info | |
795 </h2> | |
796 | |
797 <p> | |
798 <pre> | |
799 typedef struct _heap_info | |
800 { | |
801 mstate ar_ptr; // Arena for this heap (pointer to a malloc_state) | |
802 ... | |
803 } heap_info; | |
804 </pre> | |
805 | |
806 Once we have control of the aligned memory necessary for a <code>… | |
807 </p> | |
808 | |
809 <h2> | |
810 Fake Arena | |
811 </h2> | |
812 | |
813 <h3> | |
814 Fake Arena Location | |
815 </h3> | |
816 | |
817 <p> | |
818 From here, we will work backwards from the WRITE to get to the prop… | |
819 </p> | |
820 | |
821 <p> | |
822 Because the fake arena is controlled directly by us and can be set to an… | |
823 </p> | |
824 | |
825 <h3> | |
826 Arena Writing Offset | |
827 </h3> | |
828 <p> | |
829 <pre> | |
830 struct malloc_state | |
831 { | |
832 mutex_t mutex; | |
833 int flags; // Formerly max_fast | |
834 // glibc 2.27 and later insert `int have_fastchunks;` here, so fastbinsY starts at offset 16 instead of 8 | |
835 mfastbinptr fastbinsY[NFASTBINS]; // Fastbins: the freed chunk's address is written into one of these slots | |
836 ... | |
837 } | |
838 </pre> | |
839 Besides the location of the arena, the writing of the chunk to a fastbin… | |
840 </p> | |
841 | |
842 <p> | |
843 Finally, we can deal with the fastbins offset itself. When the chunk is … | |
844 </p> | |
845 | |
846 <p> | |
847 When choosing the location of the arena, the offset (to overwrite the pr… | |
848 </p> | |
849 | |
850 <h3> | |
851 Numerical Example | |
852 </h3> | |
853 <p> | |
854 Let's assume our target is the address <code>0x5555554444</code… | |
855 </p> | |
856 | |
857 <p> | |
858 At first, the subtraction on the location of the arena does not seem int… | |
859 </p> | |
860 | |
861 <h3> | |
862 Fixing the Size Sanity Check | |
863 </h3> | |
864 <p> | |
865 <pre> | |
866 if next_chunk_size <= 0x10 or          // 0x10 == 2 * SIZE_SZ on 64-bit | |
867 next_chunk_size >= arena->system_mem   // system_mem is read from the (fake) arena | |
868 | |
869 Crash                                  // "free(): invalid next size (fast)" | |
870 </pre> | |
871 | |
872 Using the fastbin variant of the House of Mind on recent versions of Lib… | |
873 </p> | |
874 | |
875 <p> | |
876 For the smaller end, the size of the <i>next chunk</i> needs… | |
877 </p> | |
878 | |
879 <p> | |
880 The validation on the larger side is a little more complicated though. B… | |
881 </p> | |
882 | |
883 <p> | |
884 Once you find an alignment for the arena that has a proper value at the … | |
885 </p> | |
886 | |
887 <h2> | |
888 Corrupting a Fastbin Chunk | |
889 </h2> | |
890 | |
891 <p> | |
892 <div style="width: 500px; font-size:80%; text-align:center; float: ri… | |
893 In order to force a fake arena to be used, we must free a chunk! So, wha… | |
894 <ul> | |
895 <li>Use the correct chunk size. This comes down to three things: | |
896 <ul> | |
897 <li>Setting up a size of the chunk being freed for the proper offs… | |
898 <li>Setting the chunk size to align with a valid <code>next_… | |
899 <li>Set the non-main arena bit (bit #3 as shown in figure 1) for a… | |
900 </li> | |
901 </ul> | |
902 </li> | |
903 <li>The chunk MUST align down to the <code>HEAP_MAX_SIZE<… | |
904 <li>Use the heap value being written in a smart way.</li> | |
905 </ul> | |
906 | |
907 | |
908 Everything above has already been discussed in previous sections besides… | |
909 </p> | |
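A worked version of the arithmetic in the sections above (fake arena placement, the `heap_for_ptr` alignment, the fastbin offset, the next-size sanity check and the double-free check on the existing value at the target), as example C code added for this page rather than the author's POC. `HEAP_MAX_SIZE` (64 MiB) and the `fastbinsY` offset (16 on glibc 2.27 and later, 8 on 2.23) are assumptions about the target build; the target address `0x5555554444` is the one from the numerical example and the chunk address is constructed. The tcache requirement for 2.26+ is not modelled.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SIZE_SZ        8ULL
#define HEAP_MAX_SIZE  (2ULL * 4 * 1024 * 1024 * SIZE_SZ)  /* 64 MiB on 64-bit; assumption, depends on the build */
#define NON_MAIN_ARENA 0x4ULL   /* bit 3 of the size field */
#define SIZE_BITS      0x7ULL
#define MAX_FAST       0x80ULL  /* default global_max_fast on 64-bit */
#define FASTBINSY_OFF  16ULL    /* offsetof(struct malloc_state, fastbinsY): 16 on glibc 2.27+, 8 on 2.23 */

/* heap_for_ptr(): where free() expects the heap_info of a non-main-arena chunk to live. */
uint64_t heap_for_ptr(uint64_t p)
{
    return p & ~(HEAP_MAX_SIZE - 1);
}

/* fastbin_index(): which fastbinsY slot a chunk of this size goes into (64-bit). */
unsigned fastbin_index(uint64_t size_field)
{
    return (unsigned)((size_field & ~SIZE_BITS) >> 4) - 2;
}

/* Byte offset from the start of malloc_state to the slot that receives the chunk pointer. */
uint64_t fastbin_slot_offset(uint64_t size_field)
{
    return FASTBINSY_OFF + SIZE_SZ * fastbin_index(size_field);
}

/* Working backwards from the WRITE: put the fake arena this far below the target so that
 * &arena->fastbinsY[idx] == target. This is the value the fake heap_info's ar_ptr must hold. */
uint64_t arena_for_target(uint64_t target, uint64_t size_field)
{
    return target - fastbin_slot_offset(size_field);
}

/* Simulation of the fastbin path of _int_free() for a chunk whose NON_MAIN_ARENA bit is set.
 * `arena_mem` (arena_len bytes) stands in for the memory at `arena_addr`; `next_size` is the size
 * field of the chunk that follows `chunk`; `system_mem` is what the fake arena's system_mem field
 * holds. Returns the address the chunk pointer was written to, or 0 where glibc would abort. */
uint64_t simulate_free(uint8_t *arena_mem, size_t arena_len, uint64_t arena_addr,
                       uint64_t chunk, uint64_t size_field, uint64_t next_size, uint64_t system_mem)
{
    uint64_t size = size_field & ~SIZE_BITS;
    if (!(size_field & NON_MAIN_ARENA))
        return 0;                                  /* arena_for_chunk() would pick &main_arena */
    if (size < 0x20 || size > MAX_FAST)
        return 0;                                  /* not fastbin sized: a different free() path */
    if (next_size <= 2 * SIZE_SZ || next_size >= system_mem)
        return 0;                                  /* "free(): invalid next size (fast)" */
    uint64_t off = fastbin_slot_offset(size_field);
    if (off + SIZE_SZ > arena_len)
        return 0;                                  /* outside the simulated buffer */
    uint64_t old;
    memcpy(&old, arena_mem + off, sizeof old);     /* *fb: whatever sits at the target right now */
    if (old == chunk)
        return 0;                                  /* "double free or corruption (fasttop)" */
    memcpy(arena_mem + off, &chunk, sizeof chunk); /* *fb = p, the WRITE-WHERE (p->fd = old) */
    return arena_addr + off;
}

int main(void)
{
    uint8_t arena[0x100] = {0};                    /* stands in for memory around the target */
    uint64_t target = 0x5555554444ULL;             /* target from the numerical example */
    uint64_t chunk  = 0x55a4b8000010ULL;           /* constructed: first chunk in an aligned region */
    uint64_t size   = 0x70ULL | NON_MAIN_ARENA;
    uint64_t arena_addr = arena_for_target(target, size);
    printf("fake heap_info at %#llx must hold ar_ptr = %#llx\n",
           (unsigned long long)heap_for_ptr(chunk), (unsigned long long)arena_addr);
    uint64_t where = simulate_free(arena, sizeof arena, arena_addr, chunk, size, 0x20, 0x21000);
    printf("free() wrote %#llx to %#llx\n", (unsigned long long)chunk, (unsigned long long)where);
    return 0;
}
```

Two of the checks are worth calling out. The `old == chunk` test means the value already sitting at the target matters: if it happens to equal the chunk being freed, glibc reports a fasttop double free instead of writing. And because `system_mem` is read from the fake arena at a fixed offset from `arena_addr`, whatever lies that far past the target has to be larger than the next chunk's size field, which is what the "Fixing the Size Sanity Check" section is about.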
910 | |
911 <h3> | |
912 Where to Write? | |
913 </h3> | |
914 <p> | |
915 This is a WRITE-WHERE primitive. An attacker fully controls the <i>… | |
916 </p> | |
917 | |
918 <p> | |
919 This primitive is usually a step in the chain, not the full exploit itse… | |
920 </p> | |
921 | |
922 <p> | |
923 The value being written is a heap memory pointer. Because this is a poin… | |
924 </p> | |
925 | |
926 <h2> | |
927 Boom Goes the Dynamite (Free) | |
928 </h2> | |
929 <p> | |
930 <center><div style="width: 85%; font-size:80%; text-align:cente… | |
931 | |
932 At this point, we have created the <code>heap_info</code> st… | |
933 </p> | |
934 | |
935 <h2> | |
936 Profit | |
937 </h2> | |
938 <p> | |
939 Once the chunk has been written, you can now use this to cause even more… | |
940 </p> | |
941 | |
942 | |
943 <h2> | |
944 Pros & Requirements | |
945 </h2> | |
946 | |
947 <p> | |
948 This attack allows for a WRITE-WHERE primitive of a heap pointer. This a… | |
949 </p> | |
950 <h3> | |
951 Pros | |
952 </h3> | |
953 <p> | |
954 <ul> | |
955 <li> | |
956 Works on all versions of Malloc! The bulk of techniques are version lock… | |
957 </li> | |
958 <li>Only requires a single byte controlled value overflow of the s… | |
959 <li>Writes a large value to a nearly arbitrary location. This can … | |
960 <li> | |
961 Writes a heap pointer, which could be used in a similar way to the <a… | |
962 </li> | |
963 <li>If the vulnerability for corrupting the chunk can be triggered… | |
964 </ul> | |
965 </p> | |
966 | |
967 <h3> | |
968 Requirements | |
969 </h3> | |
970 <p> | |
971 Instead of a cons section, below is a list of requirements for this to w… | |
972 <ul> | |
973 <li>Ability to corrupt fastbin sized chunk size field. A single by… | |
974 <li>Known location to write to (fake arena location). This may req… | |
975 | |
976 <li>Ability to create a fake <code>heap_info</code> st… | |
977 <ul> | |
978 <li>An attacker needs to know their relative location on the heap … | |
979 <li>An attacker must be able to allocate a significant amount of h… | |
980 </li> | |
981 </ul> | |
982 | |
983 <li>The overflown chunk MUST be in the <i>main arena</i&g… | |
984 <li>The next chunk (of the freed fastbin chunk) must be larger tha… | |
985 <li>The fake arena <code>system_mem</code> value of th… | |
986 <li>With versions using TCache (2.26+), the TCache bin needs to be… | |
987 </ul> | |
988 | |
989 Although this feels like a lot of requirements, some of these are trivia… | |
990 </p> | |
991 | |
992 <h2> | |
993 Future Work | |
994 </h2> | |
995 | |
996 <p> | |
997 Heap exploitation techniques are awesome, but vastly complicated. Becau… | |
998 </p> | |
999 | |
1000 <h2> | |
1001 Conclusion | |
1002 </h2> | |
1003 <p> | |
1004 This went from the heart-pounding <i>new discovery</i> to a … | |
1005 </p> | |
1006 <p> | |
1007 Feel free to reach out to me (contact information is in the footer) if y… | |
1008 </p></description><guid isPermaLink="false">https://maxwelldulin.c… | |
1009 The web is full of user reviewed rating websites that we trust with our … | |
1010 </p> | |
1011 | |
1012 <p> | |
1013 But, what if you could <i>sway</i> the rating system? On Yel… | |
1014 </p> | |
1015 | |
1016 <h2> | |
1017 Vulnerability - The Case of Bad Input Validation | |
1018 </h2> | |
1019 | |
1020 <h3> | |
1021 Juice Shop Version | |
1022 </h3> | |
1023 | |
1024 <p> | |
1025 The company asked to remain anonymous and to have no screenshots of the … | |
1026 </p> | |
1027 | |
1028 <p> | |
1029 OWASP Juice Shop has a <i>customer feedback</i> functionalit… | |
1030 </p> | |
1031 | |
1032 <center><div style="width:95%; font-size:80%; text-align:center… | |
1033 | |
1034 <p> | |
1035 By changing the <u>rating</u> to a non-expected value, such … | |
1036 The challenge for this is titled <a href="https://github.com/apox64/O… | |
1037 </p> | |
1038 | |
1039 <h3> | |
1040 The Actual Site | |
1041 </h3> | |
1042 | |
1043 <p> | |
1044 The target website stores information about a location and allows for ra… | |
1045 </p> | |
1046 | |
1047 <p> | |
1048 This seemed like fertile testing ground to go through, as I remembered t… | |
1049 </p> | |
1050 | |
1051 <h3> | |
1052 Impact of Bug | |
1053 </h3> | |
1054 | |
1055 <p> | |
1056 Most rating systems are calculated by taking the <i>average</i&… | |
1057 </p> | |
1058 | |
1059 <p> | |
1060 In a community that relies upon the reviews of others, being able to hav… | |
1061 </p> | |
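One way a server can enforce the bounded rating that the Juice Shop challenge is about, as an added C example (not the target site's or Juice Shop's code): the scale is assumed to be 1 to 5, and the parser rejects everything `strtol` would otherwise wave through, while the average routine shows what one unvalidated value does to a score.

```c
#include <errno.h>
#include <stdlib.h>
#include <ctype.h>
#include <stddef.h>

#define RATING_MIN 1
#define RATING_MAX 5   /* assumption: a five-star scale like the one the site used */

/* Parse the rating field of a review request on the server, trusting nothing the client sent.
 * Accepts only a bare integer in [RATING_MIN, RATING_MAX]: no leading whitespace or sign (strtol
 * would silently skip those), no trailing junk ("5abc", "4.5"), no out-of-range values ("1000",
 * "-3") and no overflow. Returns the rating, or -1 when the request must be rejected. */
int parse_rating(const char *field)
{
    if (field == NULL || !isdigit((unsigned char)field[0]))
        return -1;
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v < RATING_MIN || v > RATING_MAX)
        return -1;
    return (int)v;
}

/* Mean of a set of ratings, scaled by 100 and returned as an integer (450 == 4.50 stars) so
 * no floating point is involved; 0 when there are no ratings. Feed it only values that passed
 * parse_rating(): with ninety-nine 1-star reviews and one unvalidated "1000", it reports 10.99. */
long average_rating_x100(const int *ratings, size_t n)
{
    if (n == 0)
        return 0;
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += ratings[i];
    return (sum * 100) / (long)n;
}
```

The client-side dropdown is only a convenience; this check is the one that counts, and it belongs in front of the database write, not in the JavaScript.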
1062 | |
1063 <h2> | |
1064 Disclosure | |
1065 </h2> | |
1066 | |
1067 <p> | |
1068 From previous experiences, I am nervous when trying to report security … | |
1069 </p> | |
1070 | |
1071 <p> | |
1072 My initial communication with the company was to a senior engineer over … | |
1073 </p> | |
1074 | |
1075 <p> | |
1076 Since the initial LinkedIn message only allows for 300 characters, … | |
1077 </p> | |
1078 | |
1079 <p> | |
1080 After this, the CTO of the company added me on LinkedIn and thanked me f… | |
1081 </p> | |
1082 | |
1083 <h2> | |
1084 Conclusion | |
1085 </h2> | |
1086 | |
1087 <p> | |
1088 Vulnerabilities are not always complicated injection attacks. Commonly, … | |
1089 </p> | |
1090 | |
1091 <p> | |
1092 Feel free to reach out to me (contact information is in the footer) if y… | |
1093 </p></description><guid isPermaLink="false">https://maxwelldulin.c… | |
1094 The root cause of many vulnerabilities is the mishandling of numbe… | |
1095 </p> | |
1096 | |
1097 <p> | |
1098 Recently quite a few findings have caught my attention that fall into th… | |
1099 </p> | |
1100 | |
1101 <p> | |
1102 Yes, yes they can! GCC and Clang have compilation flags to find several … | |
1103 </p> | |
1104 | |
1105 <h2> | |
1106 Bug Classes | |
1107 </h2> | |
1108 <p> | |
1109 The goal is to change a number in a way that the program does not expect… | |
1110 <ul> | |
1111 <li><b>Overflow/underflow</b>: Integers will simply wr… | |
1112 <li><b>Truncation</b>: Shrinking the storage capacity … | |
1113 <li><b>Signedness conversion</b>: Numbers are either s… | |
1114 </ul> | |
1115 </p> | |
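The three bug classes side by side with their checked counterparts, as an added C example that is not from the original post. Compiled with `-Wconversion -Wsign-conversion`, the implicit narrowing in `record_len()` and the `int` to `size_t` conversion in `copy_len_as_size_t()` are reported; the unsigned wrap in `unchecked_alloc_size()` produces no warning at all, which is why the checked builtin exists. `BUF_SIZE` and the sample values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define BUF_SIZE 64   /* an int constant, as in most real code: this is what makes the compare signed */

/* Truncation: storing a 32-bit length in a 16-bit record field keeps only the low 16 bits.
 * 0x10005 becomes 5, so a check against the stored field passes while a copy that uses the
 * original length runs 64 KiB too far. -Wconversion warns on the implicit narrowing below. */
uint16_t record_len(uint32_t len)
{
    uint16_t stored = len;            /* implicit uint32_t -> uint16_t conversion */
    return stored;
}

/* Signedness, part 1: `len > BUF_SIZE` compares two ints, so a negative length passes... */
bool vuln_check_passes(int len)
{
    return !(len > BUF_SIZE);
}

/* ...part 2: the same value, converted to size_t where memcpy() takes its length, is enormous.
 * -Wsign-conversion flags this implicit int -> size_t conversion. */
size_t copy_len_as_size_t(int len)
{
    size_t n = len;
    return n;
}

/* Hardened copy: reject negatives explicitly, then compare unsigned against the real buffer size. */
int safe_copy(char *dst, size_t dstsize, const char *src, int len)
{
    if (len < 0 || (size_t)len > dstsize)
        return -1;
    memcpy(dst, src, (size_t)len);
    return 0;
}

/* Overflow: count * elem wraps modulo 2^32, so 0x40000000 * 4 == 0 and malloc(0) "succeeds"
 * with a buffer that cannot hold a single element. Unsigned wrap is defined behaviour, so
 * -ftrapv (signed overflow only) never fires here. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem)
{
    return count * elem;
}

/* Checked version using the GCC/Clang builtin, which reports the wrap instead of hiding it. */
bool checked_alloc_size(uint32_t count, uint32_t elem, uint32_t *out)
{
    return !__builtin_mul_overflow(count, elem, out);
}
```

The split between `vuln_check_passes()` and `copy_len_as_size_t()` is deliberate: the bounds check and the dangerous conversion are often lines apart in real code, and the compiler only points at the second one.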
1116 | |
1117 <!-break--> | |
1118 | |
1119 <h2> | |
1120 Static Analysis | |
1121 </h2> | |
1122 | |
1123 <p> | |
1124 Two of these bug classes can be determined at <i>compile time</… | |
1125 </p> | |
1126 | |
1127 <h3> | |
1128 Truncation | |
1129 </h3> | |
1130 | |
1131 <p> | |
1132 | |
1133 <div style="width:100%; box-sizing: border-box; display: flex; border… | |
1134 <div style = "flex: 45%; margin: 6px" | |
1135 ><img src="https://live.staticflickr.com/65535/51444718168_8df5903… | |
1136 <br/> | |
1137 <div style = "flex: 45%; margin: 6px"><img src="https://live.st… | |
1138 </div> | |
1139 </p> | |
1140 | |
1141 <p> | |
1142 Using the <code>-Wconversion</code> flag during compilation w…
1143 </p> | |
1144 | |
1145 <p> | |
1146 For example, code for the <i>truncation</i> case can be seen i…
1148 </p> | |
1149 | |
1150 <p> | |
1151 <center> | |
1152 <div style="border: 1px solid black; margin: 10px; border-radius: 10p… | |
1153 <img src="https://live.staticflickr.com/65535/51444209760_44eca2b1ff_… | |
1154 <center>Figure 3 - Truncation warning message</center></d… | |
1155 </center> | |
1156 </p> | |
1157 | |
1158 <p> | |
1159 Another interesting item to consider is the case with <code>float&… | |
1160 </p> | |
1161 | |
1162 <h3> | |
1163 Signedness | |
1164 </h3> | |
1165 <p> | |
1166 The <code>-Wconversion</code> flag can also be used in the de…
1167 | |
1168 <center> | |
1169 <div style="border: 1px solid black; margin: 10px; border-radius: 10p… | |
1170 <img src="https://live.staticflickr.com/65535/51442547757_542b8beab9_… | |
1171 <center>Figure 4 - Signedness conversion warning message </cent… | |
1172 </center> | |
1173 </p> | |
1174 | |
1175 <h3> | |
1176 Static Analysis Wrap Up | |
1177 </h3> | |
1178 <p> | |
1179 These flags only check for <i>implicit</i> conversions. Some… | |
1180 </p> | |
1181 | |
1182 <p> | |
1183 Although we have only been using <code>-Wconversion</code> fo…
1184 </p> | |
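
<p>
To make the three bug classes from the list above concrete, and to show which of them <code>-Wconversion</code> does and does not flag, here is an added example. It is my code, not code from the original post; the buffer size, function names and sample values are assumptions chosen for illustration. Each vulnerable function is paired with a hardened version that rejects the bad value instead of converting it.
</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64   /* assumed buffer size for the copy example */

/* Bug class 1: overflow/underflow. The allocation size for `count`
 * elements is computed in 32 bits and wraps modulo 2^32, so a huge count
 * yields a tiny size that passes any later "small enough" check. Unsigned
 * wrap is defined behaviour; the same arithmetic on a signed int would be
 * undefined, which is the case -ftrapv traps on. -Wconversion says nothing
 * here because no conversion takes place. */
uint32_t alloc_size_wrapping(uint32_t count, uint32_t elem_size) {
    return count * elem_size;                 /* 0x40000001 * 4 wraps to 4 */
}

/* Bug class 2: truncation. A length validated as size_t is stored in a
 * 16-bit header field and loses its high bits. The assignment is an
 * implicit narrowing conversion, so -Wconversion warns on it; writing
 * `(uint16_t)len` instead would silence the warning without changing
 * the result, which is the "implicit only" limitation of the flag. */
uint16_t header_len_truncating(size_t len) {
    uint16_t field = len;                     /* 0x10005 becomes 5 */
    return field;
}

/* Bug class 3: signedness conversion. The bounds check is written on a
 * signed int, so a negative length passes it ... */
bool length_ok_signed(int len) {
    return len <= MSG_MAX;                    /* -1 <= 64 is true */
}

/* ... and the implicit int -> size_t conversion at a memcpy(dst, src, len)
 * call turns -1 into SIZE_MAX. In C, -Wconversion enables -Wsign-conversion,
 * so this implicit conversion is reported as well. */
size_t len_as_seen_by_memcpy(int len) {
    return len;                               /* -1 becomes SIZE_MAX */
}

/* Hardened versions: detect the bad value and refuse it. */
bool alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

bool header_len_checked(size_t len, uint16_t *out) {
    if (len > UINT16_MAX) return false;
    *out = (uint16_t)len;                     /* cast is now known to be lossless */
    return true;
}

bool copy_unsigned_check(char *dst, const char *src, int len) {
    if (len < 0 || (size_t)len > MSG_MAX) return false;  /* reject negatives first */
    memcpy(dst, src, (size_t)len);
    return true;
}

int main(void) {
    uint32_t sz = 0;
    uint16_t field = 0;
    char dst[MSG_MAX];
    printf("0x40000001 * 4 (wrapping)        = %u\n", (unsigned)alloc_size_wrapping(0x40000001u, 4u));
    printf("0x40000001 * 4 (checked)         = %s\n", alloc_size_checked(0x40000001u, 4u, &sz) ? "ok" : "rejected");
    printf("0x10005 as uint16_t (truncating) = %u\n", (unsigned)header_len_truncating(0x10005));
    printf("0x10005 as uint16_t (checked)    = %s\n", header_len_checked(0x10005, &field) ? "ok" : "rejected");
    printf("len -1 passes signed check?      %s\n", length_ok_signed(-1) ? "yes" : "no");
    printf("len -1 as size_t                 = %zu\n", len_as_seen_by_memcpy(-1));
    printf("copy with len -1 (checked)       = %s\n", copy_unsigned_check(dst, "abc", -1) ? "ok" : "rejected");
    return 0;
}
```

<p>
Compiling this with <code>-Wconversion</code> reports the implicit conversions in <code>header_len_truncating</code> and <code>len_as_seen_by_memcpy</code>; the wrapping multiplication in <code>alloc_size_wrapping</code> is silent because no conversion takes place, and the explicit casts in the hardened versions are silent because the flag only looks at implicit conversions.
</p>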
1185 | |
1186 <h2> | |
1187 Dynamic Instrumentation | |
1188 </h2> | |
1189 <p> | |
1190 Static analysis is likely to pull up mostly false positives with a f…
1191 </p> | |
1192 | |
1193 <h3> | |
1194 -ftrapv
1195 </h3> | |
1196 <p> | |
1197 This option generates traps for signed overflows on addition, subtractio… | |
1198 <pre>
/* Deliberately overflows a signed int: INT_MAX + 1 is undefined
   behaviour in C, and -ftrapv turns exactly this into a runtime trap. */
#include &lt;stdio.h&gt;

int main(void) {
    int a = 0x7FFFFFFF;          /* INT_MAX for a 32-bit int */
    a = a + 1;                   /* signed overflow happens here */
    printf("Value: %d\n", a);
    return 0;
}
1204 </pre>
1205 </p> | |
1206 | |
1207 <p> | |
1208 The code above will cause an integer overflow when the line <code>… | |
1209 </p> | |
1210 | |
1211 <p> | |
1212 It should also be noted that this flag detects <a href="https://githu… | |
1213 </p> | |
1214 | |
1215 <h3> | |
1216 -fsanitize=integer
1217 </h3> | |
1218 <p> | |
1219 The <a href="https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.h… | |
1220 </p> | |
1221 | |
1222 <p> | |
1223 While <code>-ftrapv</code> catches only <i>signed&l…
1224 </p> | |
1225 | |
1226 <p> | |
1227 Besides discovering overflows/underflows in programs, we can find …
1228 </p> | |
1229 | |
1230 <p> | |
1231 Let's see this in action though! We will use the original signedness iss… | |
1232 </p> | |
1233 | |
1234 <p> | |
1235 <center> | |
1236 <div style="border: 1px solid black; margin: 10px; border-radius: 10p… | |
1237 <img src="https://live.staticflickr.com/65535/51444688718_88c594fa3e_b.jpg" width=…
1239 <center>Figure 5 - Truncation Conversion Crash</center></… | |
1240 </center> | |
1241 </p> | |
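
<p>
<code>-ftrapv</code> and <code>-fsanitize=integer</code> abort the process when they fire, which is what you want in a fuzzing or test build but not in production. As an added example (my code, not from the original post), here is the <code>INT_MAX + 1</code> case from the <code>-ftrapv</code> section rewritten with the <code>__builtin_add_overflow</code> and <code>__builtin_mul_overflow</code> builtins that both GCC and Clang provide; they report the overflow as a return value instead of trapping. Because the builtins compare the exact mathematical result with what fits in the destination type, a checked add of zero also catches the truncation and signedness conversions that <code>-fsanitize=integer</code> reports at runtime. The function names and sample values are my own.
</p>

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The post's -ftrapv example without the trap: INT_MAX + 1 does not fit
 * in int, so __builtin_add_overflow returns true (and *out holds the
 * wrapped value). The caller can reject the input instead of aborting. */
bool int_add_checked(int a, int b, int *out) {
    return !__builtin_add_overflow(a, b, out);       /* true when the sum fits */
}

/* Allocation-size multiplication in size_t, the most common overflow in
 * practice (count * sizeof element). */
bool size_mul_checked(size_t count, size_t elem_size, size_t *out) {
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* The builtins compute the sum at infinite precision and then check
 * whether it survives the store into *out. Adding 0 therefore turns them
 * into a checked conversion: int -> uint16_t (truncation) ... */
bool to_u16_checked(int v, uint16_t *out) {
    return !__builtin_add_overflow(v, 0, out);       /* 70000 does not fit */
}

/* ... and int -> size_t (signedness). */
bool to_size_checked(int v, size_t *out) {
    return !__builtin_add_overflow(v, 0, out);       /* -1 does not fit */
}

/* Unchecked conversions, for comparison: the value is silently cut or
 * sign-converted, which is what -fsanitize=integer reports at runtime. */
uint16_t to_u16_unchecked(int v) { return (uint16_t)v; }   /* 70000 -> 4464 */
size_t   to_size_unchecked(int v) { return (size_t)v; }    /* -1 -> SIZE_MAX */

int main(void) {
    int r = 0;
    uint16_t u16 = 0;
    size_t sz = 0;
    printf("INT_MAX + 1 fits int?   %s\n", int_add_checked(INT_MAX, 1, &r) ? "yes" : "no");
    printf("SIZE_MAX/2 * 4 fits?    %s\n", size_mul_checked(SIZE_MAX / 2, 4, &sz) ? "yes" : "no");
    printf("70000 fits uint16_t?    %s (unchecked cast gives %u)\n",
           to_u16_checked(70000, &u16) ? "yes" : "no", (unsigned)to_u16_unchecked(70000));
    printf("-1 fits size_t?         %s (unchecked cast gives %zu)\n",
           to_size_checked(-1, &sz) ? "yes" : "no", to_size_unchecked(-1));
    return 0;
}
```

<p>
The sanitizer and <code>-ftrapv</code> remain the right tools for finding these bugs during testing; the builtins are how the fix is then written so that the shipped binary refuses the bad value rather than wrapping, truncating or crashing.
</p>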
1242 | |
1243 <h2> | |
1244 Are We Missing Anything? | |
1245 </h2> | |
1246 <p> | |
1247 We have mentioned dynamic and static checks for integer overflows/underf… | |
1248 </p> | |
1249 | |
1250 <p> | |
1251 When a float is overflowed in C, it goes to <a href="https://github.c… | |
1252 </p> | |
1253 | |
1254 <p> | |
1255 An additional uncaught bug is float truncation. For instance, the conver… | |
1256 </p> | |
1257 | |
1258 <p>Knowing about floats becoming <code>inf</code> and… | |
1259 </p> | |
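
<p>
Neither flag looks at floating point, so the float cases above need checks written by hand. As an added example (my code, not the post's), the following shows a float product saturating to <code>inf</code> rather than wrapping, a range check that must precede any float-to-int cast (an out-of-range cast is undefined behaviour in C, not a silent truncation), and a round-trip test for double-to-float narrowing, which I include as one further instance of float truncation. The function names and values are my own, and the int range check assumes a 32-bit <code>int</code>.
</p>

```c
#include <float.h>
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Float overflow does not wrap: the result saturates to inf, and inf
 * then passes checks such as "x > 0". Storing into a float forces the
 * rounding even on targets that evaluate in higher precision. */
float scale(float value, float factor) {
    float product = value * factor;            /* FLT_MAX * 2.0f == inf */
    return product;
}

bool scale_is_finite(float value, float factor) {
    return isfinite(scale(value, factor));
}

/* Converting a float that is inf, NaN or outside [INT_MIN, INT_MAX] to
 * int is undefined behaviour in C, so the range must be checked before
 * the cast. 2147483648.0f (INT_MAX + 1) and -2147483648.0f (INT_MIN) are
 * both exactly representable as float, so the bounds below are exact;
 * a NaN fails both comparisons and is rejected too. Assumes 32-bit int. */
bool float_to_int_checked(float f, int *out) {
    if (!(f >= -2147483648.0f && f < 2147483648.0f)) return false;
    *out = (int)f;                             /* truncates toward zero: 3.99f -> 3 */
    return true;
}

/* double -> float narrowing silently drops precision. Widening back to
 * double and comparing detects whether this particular value survived. */
bool double_fits_float(double d, float *out) {
    float narrowed = (float)d;
    if ((double)narrowed != d) return false;   /* 2^24 + 1 does not survive */
    *out = narrowed;
    return true;
}

int main(void) {
    int i = 0;
    float f = 0.0f;
    printf("FLT_MAX * 2 finite?      %s\n", scale_is_finite(FLT_MAX, 2.0f) ? "yes" : "no");
    printf("1e10f -> int accepted?   %s\n", float_to_int_checked(1e10f, &i) ? "yes" : "no");
    printf("3.99f -> int             %s %d\n", float_to_int_checked(3.99f, &i) ? "ok" : "rejected", i);
    printf("16777217.0 fits float?   %s\n", double_fits_float(16777217.0, &f) ? "yes" : "no");
    return 0;
}
```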
1260 | |
1261 <h2> | |
1262 Conclusion | |
1263 </h2> | |
1264 <p> | |
1265 When trying to find vulnerabilities, any help from automated tools or in… | |
1266 </p> | |
1267 | |
1268 <p> | |
1269 I hope the knowledge of these compilation warnings and dynamic instrumen… | |
1270 |