Category Archives: Application Security

Application Security, what is not developed using a server-side language

Format string exploitations

I’ve been interested in security quite some time and I came to a conclusion -that I read from other guys yesterday as well- but it is common to most people out there. When you develop an application, most of the times this application takes input and reacts to it. When it comes to security, this application -under any circumstances- must filter input and distinct between what is allowed and what is not. What is not allowed may be invalid strings for example or specially crafted strings that will exploit a vulnerability thus “adding” new features to the application such as reverse TCP shells, privilege escalations, whatever the attacker feels like.

In that aspect, a vulnerability called format string exploitation exists but I haven’t seen one for a while up until May 2012 where a guy found a format string exploitation. More info about this vulnerability can be found here.

So, what is a format string exploitation? It is mentioned a lot and in various sources that strings should be treated as strings. Mistreating strings may lead to “random” features that certainly were unintentional and unwanted.

Historically talking, format string exploitations has taken by surprise the security community during 2000. Like every new class of vulnerabilities, what followed format string vulnerabilities was a huge amount of bugs and exploits. Format string vulnerabilities are programming bugs firstly and then security threats but I’ll come back to this later.

A format function, such as printf() in C, is a function that takes data and some conversion parameters and prints the data in a human readable format. It must be clear that what is human readable can be in most cases understood by humen with some knowledge.  The most common example of a format string vulnerability lies in this code

char theVuln (char *theExploit){
printf(theExploit);
}

The above block of code prints data without formatting it. If a user inputs “Hello world” everything will look fine, the vulnerability will not be exploited but there will be a vulnerability.  To correct the vulnerability the developer should add a formatting parameter to the function. The function should look like

printf("%s",theExploit);

In order to understand how and why this vulnerability works and what happens when exploited it is necessary to dive a little deeper, in order to do so I will refer quickly to stacks.

Stacks are data structures that are built in such a way so that the last member added to a stack is able to leave the stack first, because of this “behaviour” stacks are called Last In First Out or in short LIFO. When someone is dealing with stacks it is said that he is pushing -adding to the stack- data or popping -removing from the stack- data. It is obvious that the two most common commands about stacks are POP and PUSH. It is thus obvious that even CPUs have commands so that they are able to deal with stacks. The prevalent CPU architecture which is Intel x86 has two commands known as POP and PUSH. They are called OPCODES and Intel offers a range of OPCODES when it comes to stacks but this is out of scope. There are also other data structures such as lists, queues etc but I won’t refer to them here.

When we exeucte a program the operating system “creates” two data structures. The first one is a queue, which stores all the code and the data that doesn’t change during execution mostly. Queues grow upwards (meaning to higher memory ranges) while stacks grows downwards. Stacks are used to store functions mostly. The exact actions in a stack, such as when it pushes the parameters of the function, in what order etc are out of scope in this article :)

When I was referring to the printf I was referring to a function. Since this is a function it is obvious from what I stated before that it is pushed onto a stack. Printf is a dynamic library thus it is not embedded in every executable but is loaded by the OS and the OS points the executable to the address where the printf function “lives”.

printf("This is a %d decimal while this a %s string",theDecimal, theString);

Diving into the stack of the above printf the first parameter we locate the parameters in reverse order, meaning that the last parameter is found first and the first last. This is not clear enough but if you deal a little bit with functions and stack you’ll get it.

Attacking the vulnerable function is easy. The attacker can input whatever he wants -for example %n %x etc- and check the output which may indicate memory ranges thus allowing further exploitation via a shell loaded into an environmental variable etc. It is possible to crash the program, it happened in Linux where the program used coredump which allowed for an insight.

The main problem is -if the input is for example multiple %s- the attacker may access data not intended for him to read or not intended for anyone to see, read an illegal address not mapped, get an address range etc thus extracting a safe assumption of how the vulnerability works or what the program does which is definitely unwanted. Exploiting such a vulnerability a few times, there is a high chance of crashing the program thus leading to a DoS attack.

Attacking further than that, an attacker can see any memory range he wants or overwriting arbitrary memory addresses thus executing our own code. By the way and since I mentioned this, the CPU does not discern between data and OPCODES and if he is fed OPCODES when he should take data he is happily executing the OPCODES. 😛 The most common parameter is %08x which leads steadily towards the top of the stack enabling us to map the whole stack. Last thing to mention is that buffer overflows sometimes offer limitations, format string exploitations allow an attacker to overcome these limitations.

Exploiting such vulnerabilities depends heavily on the type of the vulnerability since format string vulnerabilities is a class of vulnerabilities. There may be as simple as buffer overflows, may just need string stretching or may be highly complicated and need environmental variables to hold the exploit etc.

Reversing malware, a little story.

I’ve always been a fan of reverse engineering, not because of cracking, I don’t really care about cracking… Well, let’s be honest I crack software from time to time, especially when I need it but I don’t have the money to buy it but this is out of the scope of this blog. I like reverse engineering because it allows you a deep inspection of how things work and in some cases you can make the program suit your needs by adding extra features etc. From times to times, I like to reverse malwares, just to see how they work. I generally find malware developers talented, plus I like to see what’s going on under the hood.

Some days ago a guy who works in a local computer repair shop mailed me an image of a “computer with a strange behaviour” opening IE and entering a certain page but then blocking the user from everything, even after restarting it would boot normally and then again the same thing, which didn’t happen in safe boot. I asked a copy of the client’s HDD but I received a negative since it was the client’s and it may had whatever inside. I asked for more information about the client’s computer. 32-bit Windows XP, possibly illegal copy of the OS, no firewall running, not updated. 106 gb of illegally downloaded movies, and software, user said the last visited page was a porn site.  And then another user came up with the same malware, Windows 7 this time, watching porn too. I kept contact with these guys for the next five days. After these five days, they had 10 computers with the same problem, 2 were windows 7, one didn’t watch porn but downloaded illegal software from torrents. I quickly set up a honeypot, installed windows XP, installed a couple debuggers I use a lot, Wireshark, didn’t allow it to update, killed the firewall, didn’t install any antivirus and I started visiting porn sites, I visited A LOT, randomly clicked videos, advertisements… Ok, pause… Do you want to know how I made my penis 30 inches long? I cut it in half dipshit advertisers. After one day I finally was infected after being asked to download and execute an executable. After every restart the malware would start IE with that page asking for money to disinfect. Cool story bro but I am not willing to pay for disinfecting my honeypot. It wouldn’t start though in safe mode.

I went in safe mode and took a copy of the wireshark logs file AND a copy of the registry. I was pretty sure that the malware executed some cmd argument that made IE load that page and somehow made it open full screen, like games do. First thing I noticed in registry was that there was an entry that executed a batch on system boot. Grabbed a copy of the batch and cleaned the registry entry, which was two entries actually in

	
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Both of these entries have the problem of not starting under safe mode, which allowed me to go further. Started normally, everything worked like a charm BUT the virus was still there. The batch was simply a command line argument which executed a .exe file. Grabbed the .exe and loaded it into IDA Pro.

The first thing I noticed was that it didn’t have any antireversing protection. No isDebuggerPresent(), no packer, no obfuscation, not even a checksum. That made my life reaaally easy.  Time to see the internals. The executable had a lot of hardcoded strings, such as the registry values, and some other, possibly debugging strings since they were mostly “Failed to do that”.

The internals… The program was executed the first time by the user, it would call a function, I called it in IDA Pro “IsRegistryCreated” which checked if the registry key was set. If not, it would return 0.  It had a conditional JMP that would set the value of the registry for the batch file(another function call, no parameters). Then it would call another function checking if the batch file existed. Again a Boolean function, it would return 0 if it didn’t, in my case it returned 1. If it was 0, another conditional JMP was taken which called another function which had only one parameter, the path to the batch file, which was again hardcoded and looked like %SYSTEM%/blah/blah/blah . If everything was set the malware called system() and pass it the parameter to the IE and the page, making it fullscreen, “disabling” keys and mouse using two simple things. The mouse couldn’t overpass the borders of the screen (thus not allowing the user to press the X button and terminate the program),  functions inside <windows.h> I think. In order to kill the keys it used the _getch() like someone would do using a keylogger but it checked the input and if it found a match of Ctrl+Alt+Del then it would do nothing(actually block it entirely), if the user used anything other such as [a-z/A-Z,0-9/~-+] it was allowed so that the user could insert the paysafe card credentials and pay for the disinfection. If the user inserted the credentials, the malware would contact a remote host from a .php file and the file would return 1 if the amount and the credentials were right and 0 if not. Then the malware would just delete the batch and the registry entry and prompt the user for a restart.

Summing up, it turned out that about 5000 users had been infected, my sources tell me that the developer was busted. Btw, the host carrying the infection was located somewhere in Romania. Anyway, although it didn’t have any difficulties reversing this, it highlighted again that you don’t need 0day exploits to own someone, you need to find someone fool enough and make him trust you.

End of message 😛

Reverse engineering and processors

This is a post of intellectual masturbation. Also it is a post I’ve written some time ago.  Before you start reading I think that reverse engineering is an artform :)

I met a guy, he said that he is developing anti-reversing techniques, obfuscating code, injecting assembly junk code just to hide the main entry point of the program,  he is even deploying code to detect when a debugger or a dissasembler is running and obfuscate some more his code.

The other day I met another guy. We had a conversation about antireversing techniques.  He was a Microsoft fan boy. Actually he was THE Microsoft fan boy. He got a Macbook Pro and he installed Windows.  Note here that I am not an Apple fan boy but if I had to choose between Mac and Windows, I’d stick with Mac. Continue reading