Defenses
CS Department, City University of Hong Kong
Advanced Hijacking Attacks
[Figure: heap object T laid out as data, buf[256], then the vtable pointer; the vtable entry FP1 points to method #1.]
An Information Security Short Course (Summer 2020)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code): every object with virtual methods carries a vtable pointer, and each virtual call dereferences it to find the method.
• After overflow of buf we have:
[Figure: object T after the overflow; the bytes written past buf[256] have replaced the vtable pointer, so the FP1 entry for method #1 now resolves to the attacker's shellcode and the next virtual call runs it.]
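Added example, not from the slides: a C model of the overflow drawn above. The names object_t, cause_overflow, build_overflow_string, copy_checked, attacker_code and hijack_demo are chosen here; a single function pointer member stands in for the C++ vtable pointer, and attacker_code plays the part of the shellcode. The offset from buf to the pointer is computed with offsetof, which is exactly the distance an attacker has to know.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the slide's object T: data, attacker-controlled buf, then a
   compiler-generated function pointer. In C++ this would be the vtable
   pointer (and FP1 an entry of that table); one direct pointer keeps the model short. */
typedef struct object_t object_t;
struct object_t {
    char data;                  /* the "data" field drawn before buf on the slide */
    char buf[256];
    int (*method1)(object_t *); /* stands in for vtable -> FP1 -> method #1 */
};

static int method1_legit(object_t *o) { (void)o; return 1; }
/* Plays the part of the shellcode: whatever runs when method #1 is called. */
static int attacker_code(object_t *o) { (void)o; return 0x41414141; }

/* The vulnerable copy: no bound check, so len > 256 runs past buf into method1.
   The destination pointer is derived from the whole object, so the write stays
   inside one allocation (the limit below is the model's, not a real check). */
static void cause_overflow(object_t *o, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)o + offsetof(object_t, buf);
    size_t room = sizeof *o - offsetof(object_t, buf);
    if (len > room) len = room;
    memcpy(dst, src, len);
}

/* The fixed copy: refuses anything that does not fit in buf. */
static int copy_checked(object_t *o, const unsigned char *src, size_t len)
{
    if (len > sizeof o->buf) return -1;
    memcpy(o->buf, src, len);
    return 0;
}

/* Builds the overflow string: filler up to the pointer, then the pointer's raw bytes. */
static size_t build_overflow_string(unsigned char *out, size_t cap, int (*target)(object_t *))
{
    size_t pad = offsetof(object_t, method1) - offsetof(object_t, buf);
    size_t len = pad + sizeof target;
    if (len > cap) return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, &target, sizeof target);
    return len;
}

/* Returns what the "virtual call" yields after the overflow (0x41414141 when hijacked). */
int hijack_demo(void)
{
    object_t obj = { .data = 0, .method1 = method1_legit };
    unsigned char overflow[sizeof obj];
    size_t len = build_overflow_string(overflow, sizeof overflow, attacker_code);
    cause_overflow(&obj, overflow, len);
    return obj.method1(&obj);   /* method #1 now runs attacker_code */
}

/* Same payload against the checked copy: the pointer survives and the call is legit (1). */
int checked_demo(void)
{
    object_t obj = { .data = 0, .method1 = method1_legit };
    unsigned char overflow[sizeof obj];
    size_t len = build_overflow_string(overflow, sizeof overflow, attacker_code);
    if (copy_checked(&obj, overflow, len) != 0)
        return obj.method1(&obj);
    return -1;
}

int main(void)
{
    printf("after overflow, method1 returns 0x%x\n", hijack_demo());
    printf("with bound check, method1 returns %d\n", checked_demo());
    return 0;
}
```

In a real C++ object the vtable pointer sits at offset 0, before any data member, so the pointer reached by overrunning buf is usually the one in the next object on the heap, and the attacker writes the address of a fake vtable rather than of the code itself; either way the next virtual call through the overwritten pointer is the hijack, and the address to write is the problem the following slides address.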
A reliable exploit?
<SCRIPT type="text/javascript">
  var shellcode = unescape("%u4343%u4343%...");        // payload, encoded as UTF-16 code units
  var overflowString = unescape("%u2332%u4276%...");   // filler plus the value that replaces the vtable pointer
  causeOverflow(overflowString);                       // overflow buf[ ]
</SCRIPT>
[Figure: object T after the overflow; the overwritten vtable pointer has to point at the shellcode, but the shellcode's heap address is not known in advance (???).]
Heap Spraying [SkyLined 2004]
[Figure: the heap after spraying; the overwritten vtable pointer lands somewhere inside a large spray area filled with copies of the NOP sled followed by the shellcode.]
Javascript heap spraying
  var nop = unescape("%u9090%u9090");        // 0x90 is the x86 one-byte NOP; each UTF-16 char is two bytes
  while (nop.length < 0x100000) nop += nop;  // double until the sled is 0x100000 chars (about 2 MiB)
[Figure: the sprayed heap, with the non-writable pages marked.]
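Added example, not from the slides or from SkyLined's code: a C model of why the spray turns the unknown address of the previous slide into a usable one. The block size, sled length, payload bytes and the names heap_spray, lands_on_payload, hit_rate and spray_demo are constructed for the model; nothing here executes the sprayed bytes, lands_on_payload only walks them the way the CPU would after a jump into the region.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP        0x90u     /* x86 one-byte NOP, the byte the JavaScript sled is built from */
#define BLOCK_SIZE 0x1000u   /* constructed: each sprayed block is 4 KiB ...           */
#define SLED_LEN   0x0F00u   /* ... of which the first 3840 bytes are NOP sled          */
#define NBLOCKS    256u      /* 1 MiB of spray in total                                 */

/* Stand-in for the shellcode: a marker placed right after the sled. */
static const unsigned char payload[] = { 0xCC, 0xC3 };   /* int3; ret */

typedef struct { unsigned char *base; size_t nblocks; } spray_t;

/* Mirrors the JavaScript: one sled+shellcode block, allocated many times over. */
spray_t heap_spray(void)
{
    spray_t s = { malloc((size_t)NBLOCKS * BLOCK_SIZE), NBLOCKS };
    unsigned char block[BLOCK_SIZE];
    if (!s.base) return s;
    memset(block, NOP, SLED_LEN);
    memset(block + SLED_LEN, 0, BLOCK_SIZE - SLED_LEN);
    memcpy(block + SLED_LEN, payload, sizeof payload);
    for (size_t i = 0; i < s.nblocks; i++)
        memcpy(s.base + i * BLOCK_SIZE, block, BLOCK_SIZE);
    return s;
}

void spray_free(spray_t *s) { free(s->base); s->base = NULL; }

/* Models execution entering the region at `offset`: NOPs are skipped until the
   first non-NOP byte. Returns 1 if that byte is the start of the payload, 0 if
   execution would begin somewhere else (mid-payload, the zero tail, unmapped). */
int lands_on_payload(const spray_t *s, size_t offset)
{
    size_t end = s->nblocks * BLOCK_SIZE;
    if (offset >= end) return 0;
    while (offset < end && s->base[offset] == NOP) offset++;
    if (offset + sizeof payload > end) return 0;
    return (offset % BLOCK_SIZE) == SLED_LEN
        && memcmp(s->base + offset, payload, sizeof payload) == 0;
}

/* Fraction of sampled addresses in the spray from which a jump reaches the payload:
   every sled byte and the payload's first byte count, i.e. (SLED_LEN + 1) / BLOCK_SIZE. */
double hit_rate(const spray_t *s, size_t stride)
{
    size_t end = s->nblocks * BLOCK_SIZE, hits = 0, tries = 0;
    for (size_t off = 0; off < end; off += stride, tries++)
        hits += (size_t)lands_on_payload(s, off);
    return (double)hits / (double)tries;
}

/* Runs the checks and returns a bitmask (63 when all hold). */
int spray_demo(void)
{
    spray_t s = heap_spray();
    if (!s.base) return -1;
    int r = 0;
    if (lands_on_payload(&s, 5))                             r |= 1;  /* early in a sled          */
    if (lands_on_payload(&s, 3 * BLOCK_SIZE + SLED_LEN - 1)) r |= 2;  /* last NOP of block 3      */
    if (!lands_on_payload(&s, SLED_LEN + 1))                 r |= 4;  /* mid-payload: garbage     */
    if (!lands_on_payload(&s, SLED_LEN + 16))                r |= 8;  /* in the zero tail         */
    if (!lands_on_payload(&s, NBLOCKS * BLOCK_SIZE))         r |= 16; /* past the spray           */
    double rate = hit_rate(&s, 64);
    if (rate > 0.95 && rate < 0.96)                          r |= 32; /* 61/64 of sampled offsets */
    spray_free(&s);
    return r;
}

int main(void)
{
    printf("spray checks: %d (63 = all passed)\n", spray_demo());
    return 0;
}
```

The ratio is the whole argument: with a 15/16 sled the attacker's pointer may be wrong by thousands of bytes and still run the shellcode, whereas without the spray a wrong guess hits unrelated heap data; the sled can only be short when the real address is known, which is why spraying and the vtable overwrite are used together.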
General Race Condition Problem
● Time-Of-Check To Time-Of-Use (TOCTTOU)
● Occurs when a program checks for a condition before using a resource, and the condition can change between the check and the use.
A more useful example
● Root-owned Set-UID program.
● Effective UID: root
● Real User ID: seed
● A Set-UID program that checks whether the real user has the right to write to a file.
● Specifically, it writes to a file in the /tmp directory (world-writable).
● The program should check that the real User ID matches the ID of the file's owner.
● access() checks the real User ID.
● open() only checks the effective User ID (root here, so open() on its own would succeed on any file).
● access() is the predicate that is essential to prevent unauthorized writes.
● Like the account withdrawal example.
● Vulnerability: the window between the check (access) and the use (open with the write flag).
● The question is: how can an attacker leverage this vulnerability?
Attack goal
Goal: to write to a protected file like /etc/passwd.
To achieve this goal we need to make /etc/passwd our target file without changing the file name in the program.
● A symbolic link (soft link) helps us to achieve it: a symbolic link is a file that points to another file, and both access() and open() follow it, so the name used by the program can be made to resolve to /etc/passwd.
Background on context switch
Attack logic
To win the race condition (TOCTTOU window), we need two processes:
● Run the vulnerable program in a loop.
● Run the attack program in a loop: it keeps re-pointing the symbolic link between a file the real user may write and the protected target, so that a switch eventually lands inside the window.
Understanding the attack
Let's consider the steps for two alternating attack program runs, A1 and A2: A1, A2, A1, A2, ...
Countermeasures
● Atomic Operations: eliminate the window between check and use.
● Repeating Check and Use: make it difficult to win the "race".
● Sticky Symlink Protection: prevent attacker-created symbolic links from being followed.
● Principle of Least Privilege: limit the damage after the race is won by the attacker.
Atomic Operations
  f = open(file, O_WRITE | O_REAL_USER_ID)
(O_WRITE and O_REAL_USER_ID are illustrative: no such open() flag that enforces the real user ID exists in POSIX or Linux. The line shows what a single call doing both the check and the use would look like.)
Repeating Check and Use
[Figure: the check (access) and the use (open) repeated several times in sequence; the attacker now has to win every race in the sequence rather than a single one.]
Sticky Symlink Protection
● When the sticky symlink protection is enabled, symbolic links inside a sticky world-writable directory can only be followed when the owner of the symlink matches either the follower or the directory owner. On Linux this is the fs.protected_symlinks sysctl, which is enabled by default on most distributions.
Principle of Least Privilege
Right before opening the file, the program should drop its privilege by setting EID = RID (e.g. seteuid(getuid())), so that open() itself is evaluated with the real user's rights and the race, even if won, gains the attacker nothing.
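Added example, not from the slides or from the SEED lab code: the vulnerable access()/open() pair of the Set-UID example, one step of the attack program's symlink flip, and a hardened version built from the least-privilege and atomic-operation countermeasures (set EID = RID, then let open() do the only check, with O_NOFOLLOW refusing the symlink the attack relies on). The names vulnerable_write, flip_symlink, safe_write, attacker_wins and tocttou_demo, the link name XYZ and the temporary directory under /tmp are constructed for the demo. It runs under a single uid, so the attacker's process being scheduled inside the window is modelled by a hook and the root-versus-real-uid difference is not reproduced; what it shows is that the name resolves to one file at the check and another at the use, and that the hardened version does not.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stands in for the attacker's process getting the CPU inside the window. */
typedef void (*window_hook)(void *ctx);

/* The slide's vulnerable program: access() checks the REAL uid, then open()
   runs with the EFFECTIVE uid (root in a Set-UID binary). Both calls follow
   symbolic links, and the name may resolve to a different file in each. */
int vulnerable_write(const char *path, const char *data, window_hook hook, void *ctx)
{
    if (access(path, W_OK) != 0)                 /* check */
        return -1;
    if (hook) hook(ctx);                         /* TOCTTOU window */
    int fd = open(path, O_WRONLY | O_APPEND);    /* use */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* One step of the attack program: re-point the link (A1: harmless file, A2: target). */
int flip_symlink(const char *link, const char *target)
{
    unlink(link);
    return symlink(target, link);
}

/* Hardened version: EID = RID before the open(), so open() itself enforces the
   real user's rights and there is no separate predicate to race; O_NOFOLLOW
   refuses a symlink in the last path component. */
int safe_write(const char *path, const char *data)
{
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;                       /* errno == ELOOP for a symlink */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

struct race { char link[64]; char target[64]; };

static void attacker_wins(void *ctx)             /* A2 lands inside the window */
{
    struct race *r = ctx;
    flip_symlink(r->link, r->target);
}

static int create_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

static int file_contains(const char *path, const char *needle)
{
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strstr(buf, needle) != NULL;
}

/* Constructed scenario in a fresh temporary directory. Returns a bitmask:
   1 = vulnerable program wrote into the protected file through the flipped link,
   2 = hardened version refused the link with ELOOP,
   4 = hardened version still writes a regular file the user owns. */
int tocttou_demo(void)
{
    char dir[] = "/tmp/tocttou.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    struct race r;
    char harmless[64];
    snprintf(harmless, sizeof harmless, "%s/mine", dir);
    snprintf(r.target, sizeof r.target, "%s/protected", dir);
    snprintf(r.link, sizeof r.link, "%s/XYZ", dir);
    create_file(harmless);
    create_file(r.target);

    int result = 0;
    flip_symlink(r.link, harmless);              /* A1: the check will pass */
    if (vulnerable_write(r.link, "pwned\n", attacker_wins, &r) == 0
        && file_contains(r.target, "pwned"))
        result |= 1;
    if (safe_write(r.link, "blocked\n") < 0 && errno == ELOOP)
        result |= 2;
    if (safe_write(harmless, "ok\n") == 0 && file_contains(harmless, "ok"))
        result |= 4;

    unlink(r.link); unlink(harmless); unlink(r.target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result: %d (7 = attack works, hardening holds)\n", tocttou_demo());
    return 0;
}
```

O_NOFOLLOW only covers the last path component; a symlinked parent directory still resolves, so in a real program combine it with openat() relative to a directory descriptor you trust, or check ownership with fstat() on the descriptor you actually opened rather than on the name.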