Description
1 Lab Overview
The learning objective of this project is for students to gain first-hand experience with an interesting variant of the buffer-overflow attack; this attack can bypass an existing protection scheme currently implemented in major Linux operating systems. A common way to exploit a buffer-overflow vulnerability is to overflow the buffer with a malicious shellcode, and then cause the vulnerable program to jump to the shellcode that is stored in the stack. To prevent these types of attacks, some operating systems (for example Fedora) allow system administrators to make stacks non-executable; therefore, jumping to the shellcode will cause the program to fail. Unfortunately, the above protection scheme is not fool-proof; there exists a variant of the buffer-overflow attack called the return-to-libc attack, which does not need an executable stack; it does not even use shellcode. Instead, it causes the vulnerable program to jump to some existing code, such as the system() function in the libc library, which is already loaded into memory. In this lab, students are given a program with a buffer-overflow vulnerability; their task is to develop a return-to-libc attack to exploit the vulnerability and finally to gain root privilege. In addition to the attacks, students will be guided through several protection schemes that have been implemented in Ubuntu to counter buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.
2 Lab Tasks

2.1 Lab Environment

You can execute the lab tasks using the preconfigured Ubuntu machine. [1]

Ubuntu and several other Linux-based systems use address space randomization to randomize the starting addresses of the heap and stack. This makes guessing the exact addresses difficult; guessing addresses is one of the critical steps of buffer-overflow attacks. In this lab, we disable this feature using the following command:

$ su root
Password: (enter root password)
# sysctl -w kernel.randomize_va_space=0

ExecShield Protection: Fedora Linux implements a protection mechanism called ExecShield by default, but Ubuntu systems do not have this protection by default. ExecShield essentially disallows executing any code that is stored in the stack. As a result, buffer-overflow attacks that have the exploit code in the stack will not work. To disable ExecShield in Fedora, you may use the following command:

$ su root
Password: (enter root password)
# sysctl -w kernel.exec-shield=0

[1] We have tested this lab in Ubuntu Ver. 9.04. It should also work for the most recent Ubuntu versions.

Project 1: Return-to-libc exploits – CSE608, Fall 2013, page 2
Because return-to-libc attacks should work in the presence of this protection, you need not disable this feature if you are using a Fedora machine. Moreover, to further protect against buffer-overflow attacks and other attacks that use shell programs, many shell programs automatically drop their privileges when invoked. Therefore, even if you can “fool” a privileged Set-UID program into invoking a shell, you might not be able to retain the privileges within the shell. This protection scheme is implemented in /bin/bash. In Ubuntu, /bin/sh is actually a symbolic link to /bin/bash. To see what life was like before such a protection scheme was implemented, we use another shell program (zsh) instead of /bin/bash. The preconfigured Ubuntu virtual machine contains a zsh installation. If you are using other Linux systems that do not contain zsh by default, you have to install zsh for doing the lab. For example, in Fedora Linux systems you may use the following procedure to install zsh:
$ su
Password: (enter root password)
# wget ftp://rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/zsh-4.2.1-2.i386.rpm
# rpm -ivh zsh-4.2.1-2.i386.rpm
The following instructions describe how to link the zsh program to /bin/sh.
# cd /bin
# rm sh
# ln -s /bin/zsh /bin/sh
Furthermore, the GCC compiler implements a security mechanism called “Stack Guard” to prevent buffer overflows. In the presence of this protection, the buffer-overflow attack will not work. You can disable this protection when you are compiling the program using the switch -fno-stack-protector. For example, to compile a program example.c with Stack Guard disabled, you may use the following command:
gcc -fno-stack-protector example.c
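The environment section above changes three system-wide protections (address space randomization, the shell behind /bin/sh, and GCC's stack protector). The following audit script is an added example, not part of the lab handout: it reports the current state of each of those protections so that you can record a machine's baseline before the lab and confirm that the protections have been restored afterwards. It assumes a Linux system with /proc mounted, readlink from coreutils, and grep -a; the function names and the detection heuristic for the stack protector (a reference to __stack_chk_fail, the canary-check routine GCC emits when -fstack-protector is in effect) are this example's own.

```shell
#!/bin/sh
# Added example (not from the SEED lab handout): audit the protections the
# lab environment section turns off, so their state can be checked and
# restored. Assumes Linux with /proc, coreutils readlink, and grep -a.

# Translate a kernel.randomize_va_space value into words.
describe_aslr() {
    case "$1" in
        0) echo "disabled: stack and heap bases are predictable" ;;
        1) echo "conservative: stack, mmap and VDSO bases are randomized" ;;
        2) echo "full: conservative plus a randomized heap (brk) base" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# Read the live ASLR setting (the sysctl the lab sets to 0).
current_aslr() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo "unavailable"
}

# Print the basename of the program a shell path finally resolves to,
# e.g. "bash" or "zsh"; the lab relinks /bin/sh, so this is worth checking.
shell_behind() {
    target=$(readlink -f "$1") || return 1
    basename "$target"
}

# Return 0 if a compiled binary references __stack_chk_fail (the canary
# check GCC emits under -fstack-protector), 1 otherwise. A binary built with
# -fno-stack-protector, or one with no frames GCC chose to protect, has none.
has_stack_protector() {
    grep -aq '__stack_chk_fail' "$1" 2>/dev/null
}

# Summarize all three protections for one binary, one line each.
audit() {
    bin=$1
    val=$(current_aslr)
    echo "ASLR (kernel.randomize_va_space=$val): $(describe_aslr "$val")"
    echo "/bin/sh resolves to: $(shell_behind /bin/sh || echo unresolvable)"
    if has_stack_protector "$bin"; then
        echo "$bin: stack protector present (canary check compiled in)"
    else
        echo "$bin: stack protector absent (-fno-stack-protector, or no protected frames)"
    fi
}

# Run directly with a binary to audit, e.g.: sh audit_lab_env.sh ./a.out
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

After the lab, the ASLR line is the one to watch: the kernel's normal setting is 2, so restoring it is `sysctl -w kernel.randomize_va_space=2`, and /bin/sh should again resolve to bash (or the distribution's default shell) rather than zsh.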
Note for Instructors: For this lab, a lab session is desirable, especially if students are not familiar with the tools and the environments. If an instructor plans to hold a lab session (by himself/herself or by a TA), it is suggested that the following be covered in the lab session [2]:
1. The use of the virtual machine software.
2. Basic use of gdb debug commands and stack structure.
3. Configuring the lab environment.

[2] We assume that the instructor has already covered the concepts of the attacks in the lecture, so we do not include them in the lab session.
2.2 The Vulnerable Program

/* retlib.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include