SOLUTION: ITS 831 University of the Cumberlands COSO Framework Paper

Format String Vulnerability Lab, assignment help

SEED Labs – Format String Vulnerability Lab 1Format String Vulnerability LabCopyrightc 2006 – 2014 Wenliang Du, Syracuse University.The development of this document is/was funded by three grants from the US National Science Foundation:Awards No. 0231122 and 0618680 from TUES/CCLI and Award No. 1017771 from Trustworthy Computing.Permission is granted to copy, distribute and/or modify this document under the terms of the GNU FreeDocumentation License, Version 1.2 or any later version published by the Free Software Foundation. A copyof the license can be found at http://www.gnu.org/licenses/fdl.html.1 Lab OverviewThe learning objective of this lab is for students to gain the first-hand experience on format-string vulnerabilityby putting what they have learned about the vulnerability from class into actions. The format-string vulnerabilityis caused by code like printf(user input), where the contents of variable of user inputis provided by users. When this program is running with privileges (e.g., Set-UID program), this printfstatement becomes dangerous, because it can lead to one of the following consequences: (1) crash theprogram, (2) read from an arbitrary memory place, and (3) modify the values of in an arbitrary memoryplace. The last consequence is very dangerous because it can allow users to modify internal variables of aprivileged program, and thus change the behavior of the program.In this lab, students will be given a program with a format-string vulnerability; their task is to developa scheme to exploit the vulnerability. In addition to the attacks, students will be guided to walk througha protection scheme that can be used to defeat this type of attacks. Students need to evaluate whether thescheme work or not and explain why.It should be noted that the outcome of this lab is operating system dependent. Our description anddiscussion are based on Ubuntu Linux. It should also work in the most recent version of Ubuntu. However,if you use different operating systems, different problems and issues might come up.2 Lab Tasks2.1 Task 1: Exploit the vulnerabilityIn the following program, you will be asked to provide an input, which will be saved in a buffer calleduser input. The program then prints out the buffer using printf. The program is a Set-UID program(the owner is root), i.e., it runs with the root privilege. Unfortunately, there is a format-string vulnerabilityin the way how the printf is called on the user inputs. We want to exploit this vulnerability and see howmuch damage we can achieve.The program has two secret values stored in its memory, and you are interested in these secret values.However, the secret values are unknown to you, nor can you find them from reading the binary code (forthe sake of simplicity, we hardcode the secrets using constants 0x44 and 0x55). Although you do not knowthe secret values, in practice, it is not so difficult to find out the memory address (the range or the exactvalue) of them (they are in consecutive addresses), because for many operating systems, the addresses areexactly the same anytime you run the program. In this lab, we just assume that you have already known theexact addresses. To achieve this, the program “intentionally” prints out the addresses for you. With suchknowledge, your goal is to achieve the followings (not necessarily at the same time): Crash the program.SEED Labs – Format String Vulnerability Lab 2 Print out the secret[1] value. Modify the secret[1] value. Modify the secret[1] value to a pre-determined value.Note that the binary code of the program (Set-UID) is only readable/executable by you, and there isno way you can modify the code. Namely, you need to achieve the above objectives without modifying thevulnerable code. However, you do have a copy of the source code, which can help you design your attacks./* vul_prog.c */#include<stdio.h>#include<stdlib.h>#define SECRET1 0x44#define SECRET2 0x55int main(int argc, char *argv[]){char user_input[100];int *secret;int int_input;int a, b, c, d; /* other variables, not used here.*//* The secret value is stored on the heap */secret = (int *) malloc(2*sizeof(int));/* getting the secret */secret[0] = SECRET1; secret[1] = SECRET2;printf(“The variable secret’s address is 0x%8x (on stack)n”,(unsigned int)&secret);printf(“The variable secret’s value is 0x%8x (on heap)n”,(unsigned int)secret);printf(“secret[0]’s address is 0x%8x (on heap)n”,(unsigned int)&secret[0]);printf(“secret[1]’s address is 0x%8x (on heap)n”,(unsigned int)&secret[1]);printf(“Please enter a decimal integern”);scanf(“%d”, &int_input); /* getting an input from user */printf(“Please enter a stringn”);scanf(“%s”, user_input); /* getting a string from user *//* Vulnerable place */printf(user_input);printf(“n”);/* Verify whether your attack is successful */printf(“The original secrets: 0x%x — 0x%xn”, SECRET1, SECRET2);printf(“The new secrets: 0x%x — 0x%xn”, secret[0], secret[1]);return 0;}SEED Labs – Format String Vulnerability Lab 3Hints: From the printout, you will find out that secret[0] and secret[1] are located on the heap,i.e., the actual secrets are stored on the heap. We also know that the address of the first secret (i.e., the valueof the variable secret) can be found on the stack, because the variable secret is allocated on the stack.In other words, if you want to overwrite secret[0], its address is already on the stack; your format stringcan take advantage of this information. However, although secret[1] is just right after secret[0],its address is not available on the stack. This poses a major challenge for your format-string exploit, whichneeds to have the exact address right on the stack in order to read or write to that address.2.2 Task 2: Memory randomizationIf the first scanf statement (scanf(“%d”, int input)) does not exist, i.e., the program does not askyou to enter an integer, the attack in Task 1 become more difficult for those operating systems that haveimplemented address randomization. Pay attention to the address of secret[0] (or secret[1]). When you runthe program once again, will you get the same address?Address randomization is introduced to make a number of attacks difficult, such as buffer overflow, formatstring, etc. To appreciate the idea of address randomization, we will turn off the address randomizationin this task, and see whether the format string attack on the previous vulnerable program (without the firstscanf statement) is still difficult. You can use the following command to turn off the address randomization(note that you need to run it as root):sysctl -w kernel.randomize_va_space=0After turning off the address randomization, your task is to repeat the same task described in Task 1, butyou have to remove the first scanf statement (scanf(“%d”, int input)) from the vulnerable program.How to let scanf accept an arbitrary number? Usually, scanf is going to pause for you to typeinputs. Sometimes, you want the program to take a number 0x05 (not the character ‘5’). Unfortunately,when you type ‘5’ at the input, scanf actually takes in the ASCII value of ‘5’, which is 0x35, rather than0x05. The challenge is that in ASCII, 0x05 is not a typable character, so there is no way we can type inthis value. One way to solve this problem is to use a file. We can easily write a C program that stores 0x05(again, not ‘5’) to a file (let us call it mystring), then we can run the vulnerable program (let us call ita.out) with its input being redirected to mystring; namely, we run “a.out < mystring”. Thisway, scanf will take its input from the file mystring, instead of from the keyboard.You need to pay attention to some special numbers, such as 0x0A (newline), 0x0C (form feed), 0x0D(return), and 0x20 (space). scanf considers them as separator, and will stop reading anything after thesespecial characters if we have only one “%s” in scanf. If one of these special numbers are in the address,you have to find ways to get around this. To simplify your task, if you are unlucky and the secret’s addresshappen to have those special numbers in it, we allow you to add another malloc statement before youallocate memory for secret[2]. This extra malloc can cause the address of secret values to change. Ifyou give the malloc an appropriate value, you can create a “lucky” situation, where the addresses of secretdo not contain those special numbers.The following program writes a format string into a file called mystring. The first four bytes consistof an arbitrary number that you want to put in this format string, followed by the rest of format string thatyou typed in from your keyboard./* write_string.c */#include <sys/types.h>SEED Labs – Format String Vulnerability Lab 4#include <stdio.h>#include <string.h>#include <sys/stat.h>#include <fcntl.h>int main(){char buf[1000];int fp, size;unsigned int *address;/* Putting any number you like at the beginning of the format string */address = (unsigned int *) buf;*address = 0x804b01c;/* Getting the rest of the format string */scanf(“%s”, buf+4);size = strlen(buf+4) + 4;printf(“The string length is %dn”, size);/* Writing buf to “mystring” */fp = open(“mystring”, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);if (fp != -1) {write(fp, buf, size);close(fp);} else {printf(“Open failed!n”);}}3 Guidelines3.1 What is a format string?printf (“The magic number is: %dn”, 1911);The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, which is replacedwith the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911. Inaddition to %d, there are several other format parameters, each having different meaning. The followingtable summarizes these format parameters:Parameter Meaning Passed as——————————————————————-%d decimal (int) value%u unsigned decimal (unsigned int) value%x hexadecimal (unsigned int) value%s string ((const) (unsigned) char *) reference%n number of bytes written so far, (* int) referenceSEED Labs – Format String Vulnerability Lab 53.2 The Stack and Format StringsThe behavior of the format function is controlled by the format string. The function retrieves the parametersrequested by the format string from the stack.printf (“a has value %d, b has value %d, c is at address: %08xn”,a, b, &c);Address ofFormat StringValue of aValue of bAdress of cprintf()’s internalpointerMoving in this directionStack Stack grows in this direction3.3 What if there is a miss-matchWhat if there is a miss-match between the format string and the actual arguments?printf (“a has value %d, b has value %d, c is at address: %08xn”,a, b); In the above example, the format string asks for 3 arguments, but the program actually provides onlytwo (i.e. a and b). Can this program pass the compiler?– The function printf() is defined as function with variable length of arguments. Therefore,by looking at the number of arguments, everything looks fine.– To find the miss-match, compilers needs to understand how printf() works and what themeaning of the format string is. However, compilers usually do not do this kind of analysis.– Sometimes, the format string is not a constant string, it is generated during the execution of theprogram. Therefore, there is no way for the compiler to find the miss-match in this case. Can printf() detect the miss-match?– The function printf() fetches the arguments from the stack. If the format string needs 3arguments, it will fetch 3 data items from the stack. Unless the stack is marked with a boundary,printf() does not know that it runs out of the arguments that are provided to it.SEED Labs – Format String Vulnerability Lab 6– Since there is no such a marking. printf() will continue fetching data from the stack. In amiss-match case, it will fetch some data that do not belong to this function call. What trouble can be caused by printf() when it starts to fetch data that is meant for it?3.4 Viewing Memory at Any Location We have to supply an address of the memory. However, we cannot change the code; we can onlysupply the format string. If we use printf(%s) without specifying a memory address, the target address will be obtainedfrom the stack anyway by the printf() function. The function maintains an initial stack pointer,so it knows the location of the parameters in the stack. Observation: the format string is usually located on the stack. If we can encode the target address inthe format string, the target address will be in the stack. In the following example, the format string isstored in a buffer, which is located on the stack.int main(int argc, char *argv[]){char user_input[100];… … /* other variable definitions and statements */scanf(“%s”, user_input); /* getting a string from user */printf(user_input); /* Vulnerable place */return 0;} If we can force the printf to obtain the address from the format string (also on the stack), we cancontrol the address.printf (“x10x01x48x08 %x %x %x %x %s”); x10x01x48x08 are the four bytes of the target address. In C language, x10 in a string tellsthe compiler to put a hexadecimal value 0x10 in the current position. The value will take up just onebyte. Without using x, if we directly put “10” in a string, the ASCII values of the characters ’1’and ’0’ will be stored. Their ASCII values are 49 and 48, respectively. %x causes the stack pointer to move towards the format string. Here is how the attack works if user input[] contains the following format string:”x10x01x48x08 %x %x %x %x %s”.SEED Labs – Format String Vulnerability Lab 7…Address of user_input [ ]0x10014808user_input [ ]%s%x%x%x%xPrint thisfor the 1st %xPrint thisfor the 4th %xFor %s: print out the contents pointed by this addressPrint out the contents at the address 0x10014808 using format-string vlunerability Basically, we use four %x to move the printf()’s pointer towards the address that we stored in theformat string. Once we reach the destination, we will give %s to print(), causing it to print out thecontents in the memory address 0x10014808. The function printf() will treat the contents as astring, and print out the string until reaching the end of the string (i.e. 0). The stack space between user input[] and the address passed to the printf() function is notfor printf(). However, because of the format-string vulnerability in the program, printf()considers them as the arguments to match with the %x in the format string. The key challenge in this attack is to figure out the distance between the user input[] and theaddress passed to the printf() function. This distance decides how many %x you need to insertinto the format string, before giving %s.3.5 Writing an Integer to Memory %n: The number of characters written so far is stored into the integer indicated by the correspondingargument.int i;printf (“12345%n”, &i); It causes printf() to write 5 into variable i. Using the same approach as that for viewing memory at any location, we can cause printf() towrite an integer into any location. Just replace the %s in the above example with %n, and the contentsat the address 0x10014808 will be overwritten. Using this attack, attackers can do the following:SEED Labs – Format String Vulnerability Lab 8– Overwrite important program flags that control access privileges– Overwrite return addresses on the stack, function pointers, etc. However, the value written is determined by the number of characters printed before the %n is reached.Is it really possible to write arbitrary integer values?– Use dummy output characters. To write a value of 1000, a simple padding of 1000 dummycharacters would do.– To avoid long format strings, we can use a width specification of the format indicators.4 SubmissionYou need to submit a detailed lab report to describe what you have done and what you have observed; youalso need to provide explanation to the observations that are interesting or surprising.

Order a unique copy of this paper
(550 words)

Approximate price: $22

Our Basic features
  • Free title page and bibliography
  • Plagiarism-free guarantee
  • Unlimited revisions
  • Money-back guarantee
  • 24/7 support
Our Options
  • Writer’s samples
  • Expert Proofreading
  • Overnight delivery
  • Part-by-part delivery
  • Copies of used sources
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

AcademicWritingCompany guarantees

Our customer is the center of what we do and thus we offer 100% original essays..
By ordering our essays, you are guaranteed the best quality through our qualified experts.All your information and everything that you do on our website is kept completely confidential.

Money-back guarantee

Academicwritingcompany.com always strives to give you the best of its services. As a custom essay writing service, we are 100% sure of our services. That is why we ensure that our guarantee of money-back stands, always

Read more

Zero-plagiarism tolerance guarantee

The paper that you order at academicwritingcompany.com is 100% original. We ensure that regardless of the position you are, be it with urgent deadlines or hard essays, we give you a paper that is free of plagiarism. We even check our orders with the most advanced anti-plagiarism software in the industry.

Read more

Free-revision guarantee

The Academicwritingcompany.com thrives on excellence and thus we help ensure the Customer’s total satisfaction with the completed Order.To do so, we provide a Free Revision policy as a courtesy service. To receive free revision the Academic writing Company requires that the you provide the request within Fifteen (14) days since the completion date and within a period of thirty (30) days for dissertations and research papers.

Read more

Privacy and Security policy

With Academicwritingcompan.com, your privacy is the most important aspect. First, the academic writing company will never resell your personal information, which include credit cards, to any third party. Not even your lecturer on institution will know that you bought an essay from our academic writing company.

Read more

Adherence to requirements guarantee

The academic writing company writers know that following essay instructions is the most important part of academic writing. The expert writers will, therefore, work extra hard to ensure that they cooperate with all the requirements without fail. We also count on you to help us provide a better academic paper.

Read more

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2020 at 10:52 AM
Total price:
$26
The price is based on these factors:
Customer Academic level
Number of pages required
Urgency of paper