
Auditing Closed-Source Software
Using reverse engineering in a security context
© 2001 by Halvar Flake

Speech Outline (I)
- Introduction to the topic: different approaches to auditing binaries
- Review of C/C++ programming mistakes and how to spot them in the binary
- Demonstration of finding a vulnerability in a binary
- Legal considerations
- Break

Speech Outline (II)
- Problems encountered in the OOP world:
  - manual structure & class reconstruction
  - automated structure & class reconstruction
- Automating the process of scanning for suspicious constructs
- Free time to answer questions and discuss the topic

Legal considerations
Technically, the reverse engineer breaks the license agreement between himself and the software vendor, as he is forced to accept upon installation that he will not reverse engineer the program. The vendor could theoretically sue the reverse engineer and revoke the license. Depending on your local law, there are different ways to defend your situation:

Legal considerations (USA)
US law: the final form of the DMCA includes exemptions for:
- Reverse engineering for interoperability
- Encryption research
- Security testing
One should ask his lawyer if these rights can be contracted away.
Why audit binaries?
If you're a black hat: / If you're a white hat:
- Many interesting systems (firewalls) run closed-source software
- New security vulnerabilities are every administrator's nightmare
- You can annoy vendors by finding problems in their code
- You can get an idea how secure a particular application's code is

Approach A: Stress Testing
Long strings of data are more or less randomly generated and sent to the application, usually trying to overflow every single string that gets parsed by a certain protocol.
Pros:
- Stress testing tools are re-usable for a given protocol
- Will work automatically with little to no supervision
- Do not require specialized personnel to use
Cons:
- The analyzed protocol needs to be known in advance
- Complex problems involving several conditions at once will be missed
- Undocumented options and backdoors will be missed

Approach B: Manual Audit
A reverse engineer carefully reads the disassembly of the program, tediously reconstructing the program flow and spotting programming errors. This was the approach Joey__ demonstrated at Black Hat Singapore.
Pros:
- Even the most complex issues can be spotted
Cons:
- The process involved is incredibly time-consuming and nearly infeasible for large applications
- A highly skilled and specialized auditor is needed
- The danger is inherent that an auditor will burn out and thus miss obvious problems

Skills the auditor needs
- A good understanding of assembly language and compiler internals
- Good knowledge of C/C++ and the coding mistakes that lead to security vulnerabilities
- Only a good C/C++ code auditor can be a good binary auditor
- Lots and lots of endurance, patience and time

C/C++ code auditing recap: strcpy() and strcat()
Old news: any call to strcpy() or strcat() copying non-static strings without proper bounds checking beforehand has to be considered dangerous.

C/C++ code auditing recap: the *scanf() function family

Old news: any call to any member of the *scanf() function family which uses the "%s" format character in the format string to parse user-supplied data into a buffer is dangerous.

C/C++ code auditing recap: the strncpy() pitfall
While strncpy() supports size checking, it does not guarantee NUL-termination of the destination buffer. So in cases where the code includes something like

    strncpy(destbuff, srcbuff, sizeof(destbuff));

problems will arise.

[Diagram: the source string is "data" followed by \x0; after copying the source into a smaller buffer, the destination holds "data" and the \x0 lies somewhere beyond it.]
After copying the source into a smaller buffer, the destination string is not properly terminated anymore. Any subsequent operations which expect the string to be terminated will work on the data behind our original string as well.

C/C++ code auditing recap: the strncat() pitfall
As with strncpy(), strncat() supports size checking, but it does guarantee proper termination of the string after the last byte has been written: it always appends a NUL after the (at most len) bytes it copies. Furthermore, the fact that strncat() will usually need to handle dynamic values for len increases the risk of cast screwups.

Consider code like this:

    strncat(dest, src, sizeof(dest) - strlen(dest));

This will write an extra NUL behind the end of dest if the maximum size is fully utilized (the so-called poison null byte). The length argument has to leave room for that terminator, i.e. sizeof(dest) - strlen(dest) - 1.

C/C++ code auditing recap: Cast Screwups
The slide's example: count is read through a plain char, which is signed on x86, so a length byte of 0x80 or more becomes a negative int. In the loop condition that negative count is converted to size_t for the addition with strlen(), the sum can wrap around to a small value and pass the check, and strncat() then receives the huge converted value as its length.

    void func(char *dnslabel)
    {
        char buffer[256];
        char *indx = dnslabel;
        int count;

        count = *indx;                      /* signed char: 0x80..0xFF become negative */
        buffer[0] = '\x00';
        while (count != 0 && (count + strlen(buffer)) < sizeof(buffer) - 1) {
            strncat(buffer, indx, count);   /* count converted to size_t: huge when negative */
            indx += count;
            count = *indx;
        }
    }

C/C++ code auditing recap: Format String Vulnerabilities
Any call that passes user-supplied input directly to a *printf()-family function is dangerous. These calls can also be identified by their argument deficiency. Consider this code:

    printf("%s", userdata);

    printf(userdata);              /* argument deficiency */

Finding it in the disassembly: strcpy() and strcat()
[Annotated disassembly screenshot]
- This call targets a stack buffer
- The source is variable, not a static string

Finding it in the disassembly: sprintf() and vsprintf()
[Annotated disassembly screenshot]
- Target buffer is a stack buffer
- Expanded strings are not static and not fixed in length
- Format string containing "%s"

Finding it in the disassembly: the strncpy()/strncat() pitfall
[Annotated disassembly screenshots]
- If the source is larger than n (4000 bytes), no NUL will be appended
- Copying data into a stack buffer again...
- The target buffer is only n bytes long

Finding it in the disassembly: the strncat() pitfall
[Annotated disassembly screenshot]
- Dangerous handling of the len parameter

Finding it in the disassembly: Format String Vulnerabilities
[Annotated disassembly screenshot]
- Argument deficiency
- Format string is a dynamic variable

An Example: iWS (iPlanet Web Server) 4.1 SHTML
Why go after iWS SHTML again?
- Earlier research has shown that the "improved" SHTML parsing code has not been written with security in mind
- Since it was written before the wide publication of format string bugs, it has probably not been audited for it yet
- I already had the ... and ... on my box; disassembly takes way too long

The INTlog_error() call
[Annotated disassembly screenshot]
- printf()-like parsing of arguments
- Minimum stack correction for a dynamic format string is 0x1C - 4 = 0x18

A suspicious construct
[Annotated disassembly screenshot]
- The format string is dynamic
- We have an argument deficiency, as 0x14 < 0x18

Creating the format string (I)
[Annotated disassembly screenshot]
- Creates the string passed to INTlog_error()

Creating the format string (II)
[Annotated disassembly screenshot]
- Bingo! Afterwards, user-supplied data is appended
- Some string-class size checking

Creating the SHTML file
[Screenshot]
- An invalid SSI tag to trigger the error logging routine

The happy end
[Screenshot]
- Exploitable user-supplied format string bug in iWS 4.1 SHTML parsing

BREAK

Advanced topics: Automation
A simple sprintf()-scanning script
Things to check for in a sprintf() call:
- Does the call expand a string using "%s"?
- Does the call target a stack buffer?
- Does the call suffer from an argument deficiency?
- If so, is the format string dynamic?
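The strncpy() and strncat() pitfalls from the code auditing recap above, in runnable form. This is an added example and not code from the slides: the buffer size CAP, the trick of placing dest at the start of a one-byte-larger backing array (so the byte strncat() writes past the end is still memory we own and the observation stays well defined), and the copy_bounded() replacement are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define CAP 8   /* plays the role of sizeof(dest) in the slide's patterns */

/* Well-defined "is there a NUL inside the buffer?": memchr() never reads past
   len, whereas strlen() on an unterminated buffer runs into whatever follows. */
static int terminated_within(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The slide's strncpy(dest, src, sizeof(dest)). Returns 1 when the copy left
   no terminator inside dest, which happens as soon as src is CAP bytes or longer. */
static int strncpy_leaves_unterminated(const char *src)
{
    char dest[CAP];
    strncpy(dest, src, sizeof dest);
    return !terminated_within(dest, sizeof dest);
}

/* The slide's strncat(dest, src, sizeof(dest) - strlen(dest)), or the fixed form
   with "- 1" when reserve_terminator is set. dest is the first CAP bytes of a
   larger backing array. Returns the index at which the terminating NUL landed;
   CAP means one byte past the end of dest: the poison null byte.
   'initial' must be shorter than CAP. */
static int strncat_nul_index(const char *initial, const char *src, int reserve_terminator)
{
    char backing[CAP + 1];
    char *dest = backing;

    memset(backing, 'X', sizeof backing);   /* only strncat() can put a NUL here */
    memcpy(dest, initial, strlen(initial) + 1);
    strncat(dest, src, CAP - strlen(dest) - (reserve_terminator ? 1 : 0));
    return (int)((char *)memchr(backing, '\0', sizeof backing) - backing);
}

/* Replacement for the strncpy() pattern: always terminates, and reports whether
   the whole source fit instead of silently truncating or leaving garbage. */
static int copy_bounded(char *dest, size_t destsz, const char *src)
{
    size_t n = strlen(src);
    int fit = 1;

    if (destsz == 0)
        return 0;
    if (n >= destsz) {
        n = destsz - 1;
        fit = 0;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    return fit;
}

/* Fixed-size destination used by copy_bounded_into() so results can be inspected. */
char last_copy[CAP];

int copy_bounded_into(const char *src)
{
    return copy_bounded(last_copy, sizeof last_copy, src);
}

int main(void)
{
    /* Constructed inputs: one that fits and one that is exactly CAP bytes long. */
    printf("strncpy \"short\"    unterminated: %d\n", strncpy_leaves_unterminated("short"));
    printf("strncpy \"exactly8\" unterminated: %d\n", strncpy_leaves_unterminated("exactly8"));
    printf("strncat NUL index, slide's size:  %d (CAP is %d)\n",
           strncat_nul_index("abcd", "efghij", 0), CAP);
    printf("strncat NUL index, size - 1:      %d\n", strncat_nul_index("abcd", "efghij", 1));
    printf("copy_bounded \"exactly8\": fit=%d dest=\"%s\"\n",
           copy_bounded_into("exactly8"), last_copy);
    return 0;
}
```

With the slide's size argument the NUL lands at index CAP, one byte outside dest; with the "- 1" it lands at CAP - 1, the last byte of dest. In the real program that poison byte lands in whatever the compiler placed after the buffer, typically a saved register, the saved frame pointer or another local.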
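The cast screwup in the func(dnslabel) code from the recap above, as an added example that is not the slide's code: bounds_check_passes() evaluates exactly the slide's loop condition with the signed count it would get from a length byte of 0x80 or more, and dns_labels_to_name() is a hardened rewrite of the same label-walking loop. The 63-byte label limit (which also rejects the 0xC0 compression-pointer prefix) is taken from RFC 1035 and is an assumption of this example; the wire-format inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* What "count = *indx" does when indx is a plain char* on a platform where char
   is signed (x86): a length byte of 0x80 or above turns into a negative int. */
int length_byte_as_int(unsigned char b)
{
    signed char as_char = (signed char)b;
    return as_char;
}

/* The slide's loop condition, evaluated on its own for a 256-byte buffer:
       (count + strlen(buffer)) < sizeof(buffer) - 1
   strlen() returns size_t, so a negative count is converted to size_t (a huge
   value) before the addition; the sum can wrap back to a small number and pass.
   strncat() then receives that huge (size_t)count as its length. */
int bounds_check_passes(int count, size_t used)
{
    const size_t bufsize = 256;
    return count != 0 && (count + used) < bufsize - 1;
}

/* Hardened rewrite (this example's own code): length bytes are read as unsigned,
   all arithmetic is size_t, the room check subtracts from the space left so
   nothing can wrap, one byte is always kept for the terminator, and the caller is
   told about malformed or oversized input. Converts wire-format labels
   ("\3www\7example\3com\0") into a dotted name; returns the length written or -1.
   Labels over 63 bytes (including the 0xC0 pointer prefix) are rejected. */
int dns_labels_to_name(const unsigned char *wire, size_t wirelen, char *out, size_t outsz)
{
    size_t i = 0, used = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (i < wirelen) {
        size_t len = wire[i++];            /* unsigned: 0x80 is 128, not -128 */
        if (len == 0)
            return (int)used;              /* root label: name complete */
        if (len > 63 || len > wirelen - i)
            return -1;                     /* oversized or truncated label */
        if (len + 1 > outsz - 1 - used)
            return -1;                     /* label + '.' would leave no room for the NUL */
        memcpy(out + used, wire + i, len);
        used += len;
        out[used++] = '.';
        out[used] = '\0';
        i += len;
    }
    return -1;                             /* ran out of input before the root label */
}

/* Convenience wrapper writing into a fixed buffer so results can be inspected;
   outsz lets a caller simulate a smaller destination. */
char last_name[64];

int name_from_wire(const unsigned char *wire, size_t wirelen, size_t outsz)
{
    if (outsz > sizeof last_name)
        outsz = sizeof last_name;
    return dns_labels_to_name(wire, wirelen, last_name, outsz);
}

int main(void)
{
    /* Constructed inputs: a valid name (17 bytes including the root label)
       and a label whose length byte has the high bit set. */
    static const unsigned char good[] = "\3www\7example\3com";
    static const unsigned char evil[] = "\x80" "AAAA";

    printf("0x80 read through a signed char: %d\n", length_byte_as_int(0x80));
    printf("check passes, count=-128 used=200: %d\n", bounds_check_passes(-128, 200));
    printf("check passes, count=-128 used=0:   %d\n", bounds_check_passes(-128, 0));
    printf("good -> %d \"%s\"\n", name_from_wire(good, sizeof good, 64), last_name);
    printf("evil -> %d\n", name_from_wire(evil, sizeof evil, 64));
    return 0;
}
```

The first two prints show the two halves of the screwup: the length byte becomes -128, and once enough has already been appended (used=200 here) the wrapped sum 72 satisfies "< 255" even though the copy that follows is unbounded.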
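Argument deficiency from the Format String Vulnerabilities slide, measured at source level: an added example (not from the slides) that counts the arguments a format string will consume so the count can be compared with what the call actually supplies, which is what separates printf("%s", userdata) from printf(userdata). Treating positional ("%1$s") conversions as unsupported is an assumption that keeps the inspector small; the attacker string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* What inspecting a format string tells us. */
typedef struct {
    int args;    /* variadic arguments the format will consume */
    int has_n;   /* a %n conversion is present: the write primitive */
    int bad;     /* malformed, or a form this inspector does not model */
} fmt_info;

/* Walk fmt like printf() does: "%%" consumes nothing, a '*' width or precision
   consumes an int each, every other conversion consumes one argument. */
fmt_info inspect_format(const char *fmt)
{
    fmt_info r = {0, 0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }
        while (*p && strchr("-+ #0'", *p)) p++;             /* flags */
        if (*p == '*') { r.args++; p++; }                   /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '$') { r.bad = 1; return r; }             /* positional: not modelled */
        if (*p == '.') {
            p++;
            if (*p == '*') { r.args++; p++; }               /* precision from an argument */
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;            /* length modifiers */
        if (*p == '\0') { r.bad = 1; return r; }            /* dangling '%' */
        if (*p == 'n') r.has_n = 1;
        r.args++;
        p++;
    }
    return r;
}

/* Argument deficiency in the slide's sense: the format would consume more
   arguments than the call supplied (or cannot be trusted at all). */
int argument_deficiency(const char *fmt, int supplied)
{
    fmt_info r = inspect_format(fmt);
    return r.bad || r.args > supplied;
}

int main(void)
{
    /* Constructed attacker string: the classic read-the-stack-then-write probe. */
    const char *userdata = "%x%x%x%x%n";

    /* printf("%s", userdata): the literal is the format, one argument supplied. */
    printf("printf(\"%%s\", userdata): deficient=%d\n", argument_deficiency("%s", 1));
    /* printf(userdata): the user's data is the format, no argument supplied. */
    printf("printf(userdata):         deficient=%d, writes via %%n: %d\n",
           argument_deficiency(userdata, 0), inspect_format(userdata).has_n);
    return 0;
}
```

In the binary the "supplied" side of this comparison is what the stack correction after the call reveals, which is how the scripts later in the deck detect the same deficiency without seeing the source.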

Getting the stack correction

    static GetStackCorr(lpCall)
    {
        // Trace the code further until an "add esp, somevalue" is found.
        // (The slide joined the two tests with &&, which stops at the first
        // "add" of any kind or the first instruction with esp as its first
        // operand; || expresses the intended condition.)
        while ((GetMnem(lpCall) != "add") || (GetOpnd(lpCall, 0) != "esp"))
            lpCall = Rfirst(lpCall);
        // Convert the somevalue to a number and return it.
        return (xtol(GetOpnd(lpCall, 1)));
    }

Retrieving a string

    static GetBinString(eaString)
    {
        auto strTemp, chr;

        strTemp = "";                         // zero the string
        chr = Byte(eaString);                 // get a byte
        // Until either a NUL or a 0xFF is found, append one byte at a time to
        // the string, then return the string. (Byte() yields 0xFF for an
        // address that is not loaded, e.g. the BADADDR that LocByName()
        // returns for an unknown name, so an unresolvable string comes back
        // empty.)
        while ((chr != 0) && (chr != 0xFF)) {
            strTemp = form("%s%c", strTemp, chr);
            eaString = eaString + 1;
            chr = Byte(eaString);
        }
        return (strTemp);
    }

Retrieving argument n
We must take the following steps to retrieve argument n to a certain function call:
- Locate the n-th push before a call
- If an immediate value is pushed, return that value (or the offset)
- If a register is pushed, find where it was last written to and return the value it was loaded with

    static GetArg(lpCall, n)
    {
        auto TempReg;

        // Trace back until the n-th push is found.
        while (n > 0) {
            lpCall = RfirstB(lpCall);
            if (GetMnem(lpCall) == "push") n = n - 1;
        }
        // Is the pushed operand a register? (operand type 1 is o_reg)
        if (GetOpType(lpCall, 0) == 1) {
            TempReg = GetOpnd(lpCall, 0);
            // Find where the register was last written...
            lpCall = RfirstB(lpCall);
            while (GetOpnd(lpCall, 0) != TempReg)
                lpCall = RfirstB(lpCall);
            // ...and return the value it was loaded with.
            return (GetOpnd(lpCall, 1));
        } else {
            // Otherwise return the value which was pushed.
            return (GetOpnd(lpCall, 0));
        }
    }

The AuditSprintf() function

    static AuditSprintf(lpCall)
    {
        auto fString, fStrAddr, buffTarget;

        // Retrieve and clean up the arguments: "offset aFoo" becomes "aFoo",
        // which is then resolved to the string bytes themselves.
        buffTarget = GetArg(lpCall, 1);
        fString = GetArg(lpCall, 2);
        if (strstr(fString, "offset") != -1)
            fString = substr(fString, 7, -1);
        fStrAddr = LocByName(fString);
        fString = GetBinString(fStrAddr);
        // Check for an argument deficiency (fewer than three dword slots:
        // target, format and nothing else) together with a dynamic format
        // string (the operand did not resolve to a static string).
        if (GetStackCorr(lpCall) < 12)
            if (strlen(fString) < 2)
                Message("%lx --> Format String Problem?\n", lpCall);
        // Check for "%s" in the format string and a stack variable as target.
        if (strstr(fString, "%s") != -1)
            if (strstr(buffTarget, "var_") != -1)
                Message("%lx --> Overflow problem? \"%s\"\n", lpCall, fString);
    }

    static main()
    {
        auto FuncAddr, xref;

        // Ask the auditor to enter the address of sprintf().
        FuncAddr = AskAddr(-1, "Enter address:");
        // Call the auditing function once for each call to sprintf().
        // RfirstB()/RnextB() enumerate the code references *to* FuncAddr,
        // i.e. its callers (the slide used Rfirst()/Rnext(), which walk the
        // references *from* the address instead).
        xref = RfirstB(FuncAddr);
        while (xref != -1) {
            if (GetMnem(xref) == "call") AuditSprintf(xref);
            xref = RnextB(FuncAddr, xref);
        }
        // Repeat for all indirect calls (data references, e.g. call [sprintf]).
        xref = DfirstB(FuncAddr);
        while (xref != -1) {
            if (GetMnem(xref) == "call") AuditSprintf(xref);
            xref = DnextB(FuncAddr, xref);
        }
    }

A simple strncpy()-scanning script
Things to check for in a strncpy() call:
- Is the target buffer a stack variable?
- Is the maxlen parameter equal to the estimated size of the target buffer?
- Is the source buffer a non-static string?

Estimating stack buffer size

    static StckBuffSize(lpCall, cName)
    {
        auto frameID, ofs, count;

        frameID = GetFrame(lpCall);
        // Clean up the name: "[ebp+var_108]" becomes "var_108".
        while (strstr(cName, "+") != -1)
            cName = substr(cName, strstr(cName, "+") + 1, strlen(cName));
        cName = substr(cName, 0, strlen(cName) - 1);
        ofs = GetMemberOffset(frameID, cName);
        // Walk the stack frame until another variable is found; the distance
        // is the estimated size of this buffer.
        count = ofs + 1;
        while (GetMemberName(frameID, count) == "")
            count = count + 1;
        count = count - ofs;
        return count;
    }

The AudStrncpy() function

    static AudStrncpy(lpCall)
    {
        auto buffTarget, buffSrc, maxlen;

        // Retrieve the arguments.
        buffTarget = GetArg(lpCall, 1);
        buffSrc = GetArg(lpCall, 2);
        maxlen = GetArg(lpCall, 3);
        // Check the stack buffer size against maxlen (maxlen reaching the end
        // of the buffer leaves no room for the terminator), then check for a
        // non-static source buffer.
        if (StckBuffSize(lpCall, buffTarget) <= xtol(maxlen)) {
            if (strlen(GetBinString(LocByName(buffSrc))) < 2)
                Message("Suspicious strncpy() at %lx!\n", lpCall);
        }
    }

Advanced topics: Structure reconstruction (I)
- Frequently, large structures on the heap are used to hold connection data, error strings and the like
- IDA cannot yet reconstruct those structures
- In order to check strncpy() and similar calls
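The sprintf() checklist and the strncpy() checklist above, together with the IDC scripts that implement them (GetStackCorr, GetArg, AuditSprintf, StckBuffSize, AudStrncpy), re-implemented in C over a constructed text listing so the heuristics can be run and tested outside IDA. This is an added example, not the slides' code: the listing, the string table and the frame layout are made up for it, and the register test (three letters starting with 'e') and the "resolves to a string literal" test are the same simplifications the IDC versions make.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One instruction as IDA prints it: mnemonic plus up to two operand strings. */
typedef struct { const char *mnem, *op0, *op1; } insn;

/* Constructed listing (not from a real binary): two sprintf() calls and one
   strncpy() call in 32-bit cdecl form, arguments pushed right to left and
   removed with "add esp, N" after the call. */
static const insn listing[] = {
    {"lea",  "eax", "[ebp+var_104]"},   /* target: stack buffer */
    {"push", "[ebp+arg_0]", ""},        /* vararg: caller-supplied string */
    {"push", "offset aS", ""},          /* static format "%s" */
    {"push", "eax", ""},
    {"call", "_sprintf", ""},
    {"add",  "esp", "0Ch"},
    {"push", "[ebp+arg_4]", ""},        /* format string taken from a variable */
    {"push", "offset unk_408000", ""},  /* target: static buffer */
    {"call", "_sprintf", ""},
    {"add",  "esp", "8"},
    {"push", "104h", ""},               /* maxlen */
    {"push", "[ebp+arg_0]", ""},        /* source: not a static string */
    {"lea",  "eax", "[ebp+var_104]"},
    {"push", "eax", ""},                /* target: stack buffer */
    {"call", "_strncpy", ""},
    {"add",  "esp", "0Ch"},
    {"retn", "", ""},
};
#define NINSN ((int)(sizeof listing / sizeof listing[0]))

/* Constructed stand-ins for the binary's string table and for the function's
   stack frame as IDA names it (" s" and " r": saved ebp and return address). */
static const struct { const char *name, *text; } strtab[] = {{"aS", "%s"}};
static const struct { const char *name; int off; } frame[] = {
    {"var_104", -0x104}, {"var_4", -4}, {" s", 0}, {" r", 4}, {"arg_0", 8}, {"arg_4", 12}};
#define NFRAME ((int)(sizeof frame / sizeof frame[0]))

/* IDC xtol(): IDA prints immediates as "0Ch"/"104h" (hex) or plain decimal. */
static long xtol(const char *s)
{
    size_t n = strlen(s);
    return strtol(s, NULL, n && (s[n - 1] | 0x20) == 'h' ? 16 : 10);
}

/* GetStackCorr(): the "add esp, N" after the call; N/4 argument slots pushed. */
static long stack_correction(int call)
{
    for (int i = call + 1; i < NINSN; i++)
        if (!strcmp(listing[i].mnem, "add") && !strcmp(listing[i].op0, "esp"))
            return xtol(listing[i].op1);
    return -1;                          /* callee cleanup or no fixup found */
}

/* GetArg(): the n-th push before the call (1 = first argument). A pushed
   register is traced back to the last non-push instruction that wrote it. */
static const char *get_arg(int call, int n)
{
    int i = call;
    while (n > 0 && --i >= 0)
        if (!strcmp(listing[i].mnem, "push")) n--;
    if (n > 0) return NULL;
    const char *op = listing[i].op0;
    if (strlen(op) != 3 || op[0] != 'e') return op;      /* not a register */
    while (--i >= 0)
        if (strcmp(listing[i].mnem, "push") && !strcmp(listing[i].op0, op))
            return listing[i].op1;
    return NULL;
}

/* "offset aFoo" -> the string's bytes; NULL when the operand is not a static
   string (a dynamic format string, or a strncpy() source that is no literal). */
static const char *resolve_string(const char *opnd)
{
    if (!opnd || strncmp(opnd, "offset ", 7)) return NULL;
    for (size_t i = 0; i < sizeof strtab / sizeof *strtab; i++)
        if (!strcmp(opnd + 7, strtab[i].name)) return strtab[i].text;
    return NULL;
}

static int is_stack_var(const char *opnd) { return opnd && strstr(opnd, "var_") != NULL; }

/* StckBuffSize(): bytes between the named frame member and the next one. */
static int stack_buf_size(const char *opnd)
{
    const char *p = opnd ? strstr(opnd, "var_") : NULL;
    for (int i = 0; p && i + 1 < NFRAME; i++) {
        size_t n = strlen(frame[i].name);
        if (!strncmp(p, frame[i].name, n) && (p[n] == ']' || p[n] == '\0'))
            return frame[i + 1].off - frame[i].off;
    }
    return -1;
}

enum { FMT_DYNAMIC = 1, ARG_DEFICIENCY = 2, STACK_BUF_PERCENT_S = 4, NCPY_FULL_LEN = 8, NCPY_DYN_SRC = 16 };

/* AuditSprintf(): bitmask of the checks from the sprintf() checklist. */
static int audit_sprintf(int call)
{
    const char *target = get_arg(call, 1), *fmt = resolve_string(get_arg(call, 2));
    int f = 0;
    if (!fmt) f |= FMT_DYNAMIC;                            /* no static format string */
    if (stack_correction(call) < 12) f |= ARG_DEFICIENCY;  /* target + format, nothing more */
    if (fmt && strstr(fmt, "%s") && is_stack_var(target)) f |= STACK_BUF_PERCENT_S;
    return f;
}

/* AudStrncpy(): maxlen reaching (or passing) the end of the stack buffer, and a
   source that is not a static string. */
static int audit_strncpy(int call)
{
    const char *target = get_arg(call, 1), *src = get_arg(call, 2), *len = get_arg(call, 3);
    int f = 0, size = stack_buf_size(target);
    if (size > 0 && len && size <= xtol(len)) f |= NCPY_FULL_LEN;
    if (!resolve_string(src)) f |= NCPY_DYN_SRC;
    return f;
}

int main(void)
{
    for (int i = 0; i < NINSN; i++) {
        if (strcmp(listing[i].mnem, "call")) continue;
        if (!strcmp(listing[i].op0, "_sprintf"))
            printf("sprintf at %2d: flags 0x%02x\n", i, audit_sprintf(i));
        if (!strcmp(listing[i].op0, "_strncpy"))
            printf("strncpy at %2d: flags 0x%02x\n", i, audit_strncpy(i));
    }
    return 0;
}
```

The first sprintf() resolves its format to "%s" with a 0x100-byte stack target (overflow candidate); the second has a format taken from a variable and only two dword slots cleaned up (dynamic format string with argument deficiency); the strncpy() passes a maxlen of 0x104 for a 0x100-byte buffer from a non-literal source.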
