diff -r 92a8dad2cc86 -r a612dd3ddc81 slides/slides03.tex
--- a/slides/slides03.tex Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides03.tex Mon Oct 05 05:20:07 2015 +0100
@@ -34,112 +34,6 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} - -\begin{center} - \begin{tikzpicture}[scale=1] - - \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); - \draw (4.7,1) node {Internet}; - \draw (-2.7,1.7) node {\footnotesize Application}; - \draw (0.6,1.7) node {\footnotesize Interface}; - \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; - \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; - - \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); - - \draw[white] (1.7,1) node (X) {}; - \draw[white] (3.7,1) node (Y) {}; - \draw[red, <->, line width = 2mm] (X) -- (Y); - - \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); - \end{tikzpicture} -\end{center} - -\begin{itemize} -\item the idea is make the attack surface smaller and -mitigate the consequences of an attack -\item you need an OS that supports different roles (root vs.~users) -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Weaknesses of Unix AC} - -\begin{itemize} -\item if you have too many roles (for example too finegrained AC), then - hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations - like\ldots let's be root}\bigskip - -\item you can still abuse the system\ldots -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{A ``Cron''-Attack} - -The idea is to trick a privileged person to do something on your -behalf: - -\begin{itemize} -\item root:\\\texttt{rm 
/tmp/*/*}\bigskip\bigskip\pause - -\small -\begin{minipage}{1.1\textwidth} -\textcolor{gray}{the shell behind the scenes:}\\ -\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ - -\textcolor{gray}{this takes time} -\end{minipage} -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{A ``Cron''-Attack} - -\begin{enumerate} -\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ -\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip -\item root \textcolor{gray}{(does the daily cleaning)}\\ -\texttt{rm /tmp/*/*}\medskip\\ -\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\ -\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\ - -\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to -the real passwd file)}\\ -\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ -\item root now deletes the real passwd file -\end{enumerate} - -\only<2>{ -\begin{textblock}{11}(2,5) -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\normalsize\color{darkgray} -\begin{minipage}{9.5cm}\raggedright -To prevent this kind of attack, you need additional -policies (don't do such operations as root). -\end{minipage}}; -\end{tikzpicture} -\end{textblock}} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{\Large Buffer Overflow Attacks} 
@@ -148,10 +42,10 @@ \begin{columns}[b] \begin{column}{.4\textwidth} \centering -\includegraphics[scale=1.2]{../pics/barrier.jpg}\\ +\includegraphics[scale=0.3]{../pics/barrier.jpg}\\ lectures so far \end{column} -\begin{column}<2>{.4\textwidth} +\begin{column}{.4\textwidth} \centering \includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\ today @@ -162,13 +56,13 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Smash the Stack for Fun\ldots} \begin{itemize} -\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip +\item {\bf Buffer Overflow Attacks} or\\ +{\bf Smashing the Stack Attacks}\medskip \item one of the most popular attacks, unfortunately\\ ($>$ 50\% of security incidents reported at CERT are related @@ -205,7 +99,7 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Printing Out Zombies} +\frametitle{Printing Out ``Zombies''} \mbox{}\\[-10mm] \footnotesize @@ -254,8 +148,8 @@ \frametitle{Memory} \begin{itemize} -\item each process will get a chunk of memory that is organised as -follows: +\item each process will get a chunk of memory that is + organised as follows: \end{itemize} \begin{center} 
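Review bot: The re-wrapped item in the "Smash the Stack for Fun" hunk still uses the plain-TeX font switch on both of its new lines (`{\bf Buffer Overflow Attacks} or\\` and `{\bf Smashing the Stack Attacks}\medskip`); since the line is being rewritten anyway, the LaTeX form `\textbf{Buffer Overflow Attacks}` / `\textbf{Smashing the Stack Attacks}` would be the one the l2tabu/nag checks expect, and it nests correctly with other font attributes. In the same file section, the first hunk changes the image to `\includegraphics[scale=0.3]{../pics/barrier.jpg}` inside a `.4\textwidth` column; an absolute scale on a JPEG depends on the image's declared resolution, so `width=\linewidth` would presumably fit the column more predictably (not verifiable from the diff alone). Both the `columns` environment and the `itemize` continue outside their hunks.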
@@ -458,6 +352,43 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Optimising Success} + +\begin{center} +\begin{tabular}{l@{\hspace{2cm}}l} + \begin{tikzpicture}[scale=0.6] + \draw[line width=1mm] (-2, -1) rectangle (2,3); + \draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3); + \draw (0,2.5) node {\small\tt shell code}; + \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); + \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- + (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1); + \end{tikzpicture} +& + \onslide<2>{ + \begin{tikzpicture}[scale=0.6] + \draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3); + \draw[line width=1mm] (-2, -1) rectangle (2,3); + \draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7); + \draw (0,-0.2) node {\small\tt shell code}; + \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); + \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] + (2.3,3) -- (2.3,0.3); + \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- + (3,-1.7) -- (3,1.65) -- (2.6, 1.65); + \end{tikzpicture}} +\end{tabular} +\end{center}\bigskip + +\onslide<2>{ +fill up the red part of the string with \pcode{NOP} operations +(Intel \texttt{$\backslash$x90})} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] @@ -476,8 +407,6 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Format String Vulnerability} 
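Review bot: In the new "Optimising Success" frame the closing sentence writes the byte as `\texttt{$\backslash$x90}`, which typesets the backslash from the math font and only `x90` in typewriter; `\texttt{\textbackslash x90}` keeps the whole token in one face. The two node labels `{\small\tt shell code}` use the obsolete `\tt` switch, where `{\small\ttfamily shell code}` or `\texttt{shell code}` is the current form. The new frame is complete within the hunk, so these are the only lines to touch.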
@@ -539,68 +468,100 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} - +\frametitle{NIST Statistics about BOA} \begin{center} - \begin{tikzpicture}[scale=1] - - \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); - \draw (4.7,1) node {Internet}; - \draw (-2.7,1.7) node {\footnotesize Application}; - \draw (0.6,1.7) node {\footnotesize Interface}; - \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; - \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; +\begin{tikzpicture} +\begin{axis}[ + xlabel={year}, + ylabel={\% of total attacks}, + ylabel style={yshift=0em}, + enlargelimits=false, + xtick={1997,1999,2001,...,2015}, + xmin=1996.5, + xmax=2016, + ymax=21, + ytick={0,5,...,20}, + scaled ticks=false, + axis lines=left, + width=11cm, + height=5cm, + ybar, + nodes near coords= + {\footnotesize + $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$}, + x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}] +\addplot + table [x=Year,y=Percentage] {../handouts/bufferoverflows.data}; +\end{axis} +\end{tikzpicture} +\end{center} - \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); +from the US National Vulnerability Database\\ +\small\url{http://web.nvd.nist.gov/view/vuln/statistics} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \draw[white] (1.7,1) node (X) {}; - \draw[white] (3.7,1) node (Y) {}; - \draw[red, <->, line width = 2mm] (X) -- (Y); - - \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); - \end{tikzpicture} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile] +\frametitle{D-Link Wifi Router, BOA} +\small + +As a 
proof-of-concept, the following URL allows +attackers to control the return value saved on +the stack (the vulnerability is triggered when +executing \pcode{"/usr/sbin/widget"}): + +\begin{center}\footnotesize +\pcode{curl http:///post_login.xml?hash=AAA...AAABBBB} \end{center} -\begin{itemize} -\item the idea is make the attack surface smaller and mitigate the - consequences of an attack -\end{itemize} -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +The value of the "hash" HTTP GET parameter consists of +292 occurrences of the \pcode{'A'} character, followed by four +occurrences of character \pcode{'B'}. In our lab setup, characters +\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}} +\begin{tabular}{@{}ll} +Discovery date: & 06/03/2013\\ +Release date: & 02/08/2013 +\end{tabular}\bigskip -\begin{itemize} -\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause -\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause -\item \texttt{mkdir foo} is owned by root\medskip -\begin{center} -\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} -\end{center}\medskip -it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)} -\end{itemize} +\footnotesize +\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile] +\frametitle{GHOST in Glibc} + +\small The GHOST vulnerability is a buffer overflow condition +that can be easily 
exploited locally and remotely. This +vulnerability is named after the GetHOSTbyname function +involved in the exploit.\medskip -\only<5->{ -\begin{textblock}{1}(3,7) -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\begin{minipage}{8cm} -Only failure makes us experts. - -- Theo de Raadt (OpenBSD, OpenSSH) -\end{minipage}}; -\end{tikzpicture} -\end{textblock}} +The attack allows the attacker to execute arbitrary code and +take control of the victim’s vulnerable machine. +Unfortunately, the vulnerability exists in the GNU C Library +(glibc), a code library originally released in 2000, meaning +it has been widely distributed. Although an update released by +Linux in 2013 mitigated this vulnerability, most systems and +products have not installed the patch.\medskip + -\end{frame}} +\begin{tabular}{@{}ll} +Release date: & 01/28/2015 +\end{tabular}\smallskip + + +\footnotesize +\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
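Review bot: In the new "D-Link Wifi Router, BOA" frame the example has no host between the scheme and the path (`\pcode{curl http:///post_login.xml?hash=AAA...AAABBBB}`), so the rendered slide shows a malformed URL; this may be a placeholder in angle brackets that was lost on the way into the diff, in which case something visibly substitutable such as `\pcode{curl http://ROUTER-IP/post_login.xml?hash=AAA...AAABBBB}` (constructed placeholder) would make the intent clear to students. The sentence below it uses straight ASCII quotes in `The value of the "hash" HTTP GET parameter`, which LaTeX renders as two closing quotes; ``The value of the ``hash'' HTTP GET parameter`` is the expected form. The GHOST frame's `victim’s` contains a typographic apostrophe rather than `'`, which is fine under `[utf8]{inputenc}` but worth checking against the preamble, which is outside this diff.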