The (almost) Complete History of Memory Corruption Attacks

This is the prezi component of the presentation given at BlackHat 2010: https://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Meer

haroon meer

on 30 July 2010


Transcript of The (almost) Complete History of Memory Corruption Attacks

31 October 1972 - "COMPUTER SECURITY TECHNOLOGY PLANNING STUDY"
  "the code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine."
17 October 1985 - Phrack 1 Published
2 October 1988 - "Morris Worm"
  "The bug exploited to break fingerd involved overrunning the buffer the daemon used for input. The standard C library has a few routines that read input without checking for bounds on the buffer involved. In particular, the gets call takes input to a buffer without doing any bounds checking; this was the call exploited by the Worm."
  "I had heard of the potential for exploits via overflow of the data-segment buffers overwriting the next variable. That is, people were worried about code like this:"
30 November 1988 - CERT Formed
23 January 1989 - ZARDOZ Security Digest
31 January 1989 - CERT Advisory for overflow in 4.3BSD bin/passwd.c
23 June 1990 - ZARDOZ becomes "Core Sec"
30 December 1990 - An empirical study of the reliability of UNIX Utilities
9/5/1993 - BUGTRAQ Formed
9/30/1993 - ISS Scanner Released
2/13/1995 - Overflow in NCSA httpd
  Thomas Lopatic made a posting to Bugtraq to report an overflow vulnerability in NCSA httpd 1.3. His posting clearly walked through the steps needed for successful exploitation and included an exploit that creates a file named 'GOTCHA' in the /tmp directory.
3/4/1995 - SATAN Released
10/19/1995 - CERT vuln - syslogd
10/20/1995 - "How to Write Buffer Overflows"
12/3/1995 - splitvt exploit published
11/8/1996 - Smashing the Stack Published
  `smash the stack` [C programming] n. On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address. This can produce some of the most insidious data-dependent bugs known to mankind.
1/20/97 - Stack Smashing Defenses Discussed
3/21/1997 - Exploit Published
  DNS Poisoning
  QID Prediction
8/10/1997 - Bypassing the non-exec Stack (ret-2-libc)
  non-exec stack patch
  defeating (non-exec-stack patch)
  defeating (defeating (non-exec-stack patch))
9/1/1997 - Nmap - Art of Portscanning
12/18/1997 - StackGuard Announced
  "StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks"
12/19/1997 - StackGuard bypasses discussed
1/14/1998 - IE4 Heap Overflow
  Christien Rioux (dildog)
  mk:// exploit against IE
4/16/1998 - "The Tao of Windows Buffer Overflow"
1/31/1999 - w00w00 on Heap Overflows
  "Some people have actually suggested making a "local" buffer a "static" buffer, as a fix! This is not very wise; yet, it is a fairly common misconception of how the heap or bss work."
5/1/1999 - MITRE forms CVE Initiative
9/9/1999 - Dark Spyrit Win32 Buffer Overflows
  "Win32 Buffer Overflows (Location, Exploitation and Prevention)"
  Seattle Labs Mail Server
  Trampoline calls
9/9/1999 - "The Frame Pointer Overwrite"
9/20/1999 - Format String bug in proftpd 1.2.0pre6
  Tymm Twillman to bugtraq
10/21/1999 - Taeho Oh's "Advanced Buffer Overflow Exploits"
5/1/2000 - "Bypassing StackGuard and StackShield"
5/1/2000 - Smashing C++ VPTRS
5/1/2000 - Exploiting non-terminated adjacent memory spaces
  "The essence of the issue is that many functions that a programmer may take to be safe and/or 'magic bullets' against buffer overflows do not automatically terminate strings/buffers with a NULL."
6/24/2000 - Wu-Ftpd remote format string exploit
  WuFTPD: Providing *remote* root since at least 1994
6/24/2000 - Format Bugs: What are they. Where they come from?
  Lamagra Argamal, 200 lines, bugtraq
7/25/2000 - JPEG Com Marker vulnerability in Netscape
  Solar Designer post to Bugtraq. File format bugs
  free(), unlink
  hzon: "we all just finding out things that solar designer forgot to write down"
9/9/2000 - Format String Attacks
10/1/2000 - PaX first Released
  pageexec@freemail.hu
11/30/2000 - PaX adds MPROTECT
12/12/2000 - Overwriting the .dtors section
  Juan M. Bello Rivas
2/18/2000 - grsecurity released
  Brad Spengler (spender)
6/18/2001 - IIS .ida ISAPI filter Vulnerability
7/13/2001 - Code Red Worm in the Wild
7/31/2001 - PaX introduces ASLR
  "The goal of Address Space Layout Randomization is to introduce randomness into addresses used by a given task. This will make a class of exploit techniques fail with a quantifiable probability and also allow their detection since failed attempts will most likely crash the attacked task."
8/13/2001 - StackGhost released
8/13/2001 - FormatGuard released
11/8/2001 - VUDO malloc tricks
11/8/2001 - Once upon a free()
12/28/2001 - Advanced return-2-libc
  Nergal's Advanced return-into-lib(c) exploits (PaX case study)
2/4/2002 - Advantages of block based binary analysis
2/7/2002 - Third Generation Exploits
2/13/2002 - Visual C++ adds /GS compiler protection
  cookie + __security_check_cookie during function epilogue
2/14/2002 - Published flaw in /GS
  Cigital call it (/GS) a "vulnerability seeder"
  "The kinds of attack that Cigital made use of to defeat the Microsoft mechanism are neither novel nor do they require exceptional expertise. Had Microsoft studied the literature surrounding StackGuard, they would have been aware of the existence of such attacks."
3/5/2002 - "Non-Stack based exploitation"
7/28/2002 - Bypassing PaX ASLR Protection
  Tyler Durden introduces "ret-2-output"
7/28/2002 - Advances in Format String Exploitation
  "it focused on "different tiny tricks that may help speeding up bruteforcing when exploiting format strings bugs, and ... about exploting (sic) heap based format strings bugs""
7/30/2002 - Integer Overflows Introduced to Public
7/31/2002 - PaX Advances
8/1/2002 - Syscall Proxying
6/14/2003 - Metasploit.com opened to the public
8/3/2002 - grsecurity gets Learning Mode
9/13/2002 - Slapper worm targets Apache/mod_SSL
  discovered in the wild
  targeted OpenSSL
  reliable remote HEAP Overflow
9/4/2002 - 4 tricks to bypass StackGuard and StackShield
10/31/2002 - PaX releases SEGMEXEC
12/28/2002 - "Basic Integer Overflows" published
  i = 2147483647 (0x7fffffff)
  i + 1 = -2147483648 (0x80000000)
10/31/2002 - PaX releases RANDKSTACK
12/1/2002 - grsecurity adds /dev/mem and /dev/kmem protection
4/6/2003 - grsecurity adds RBAC
1/26/2003 - "pax-future.txt" released
9/30/2003 - /SAFESEH introduced into Visual Studio
  (/GS now moves buffers to prevent local overwrites too)
7/10/2003 - "Variations in Exploit methods between Linux and Windows" published
4/30/2003 - PaX introduces kernel pages
8/2/2003 - "Win32 device drivers communication vulnerabilities" published
9/8/2003 - "Defeating the Stack Based Buffer Overflow Prevention Mechanism of MS Windows 2003 Server" Published
  David Litchfield: "long known technique" of overwriting the SEH record on the stack on Windows
3/19/2004 - The Witty Worm
10/2/2003 - MOSDEF Released
4/21/2004 - "Reliable Windows Heap Exploits" Presented
7/28/2004 - "Windows Heap Overflows" Presented
8/25/2004 - XP-SP2 Ships
10/25/2004 - "On the effectiveness of ASLR" published
  ASLR effective?
  Brute force
11/2/2004 - "Heap Spraying" against Internet Explorer
  Internet Exploiter
12/17/2004 - Unsafe unlinking of the lookaside list is exploited
1/21/2005 - "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass"
2/17/2005 - "Remote Windows Kernel Exploitation" published
3/5/2005 - PaX privilege escalation bug
7/6/2005 - Process Stalker Released
7/20/2005 - "Windows Kernel Pool Overflow Exploitation"
8/31/2005 - "Critical Section Heap Exploit Technique"
9/25/2005 - Format string vulnerability in a Perl Application
9/28/2005 - "Borrowed Code Chunk Exploitation Technique"
  Written to target x86-64
  Becomes ROP
10/5/2005 - Bypassing hardware DEP
  ZwProtectVirtualMemory
  NtSetInformationProcess
11/30/2005 - Visual Studio 2005 with GS v2
  strict GS pragma
  operator::new Integers
12/1/2005 - Format String integer wrap vulnerability
12/2/2005 - "Format String Vulnerabilities in Perl Programs"
12/7/2005 - Exploiting Freelist[0] on XP-SP2
  Brett Moore (antic0de)
7/26/2006 - PaX Team releases UDEREF/x86
9/30/2006 - "Preventing the Exploitation of SEH Overwrites"
  skape + "validation frame"
9/30/2006 - Unusual Bugs Presentation
  Ilja van Sprundel
  NULL Pointer Deref Exploit (1994)
  format strings, non-terminating string functions, uninitialized memory, information leaks
10/31/2006 - "Memory Retrieval Vulnerabilities" Published
1/19/2007 - "Double Free Vulnerabilities"
3/1/2007 - "GS and ASLR in Windows Vista"
3/3/2007 - First NULL ptr deref exploit for Linux kernel released
  payload + SELinux
  spender + Exploitable kernel null pointers
3/13/2007 - OpenBSD IPv6 Overflow
  Alfred Ortega
  2nd Remote Overflow in 10 years ?
3/27/2007 - "Heap Feng Shui in JavaScript"
3/29/2007 - Microsoft Security Advisory (935423) (ANI bug)
5/1/2007 - "Reducing the effective Entropy of gs cookies"
7/6/2007 - "Understanding and Bypassing Windows Heap Protection"
8/4/2007 - Immunity Debugger Released
1/8/2008 - Remote kernel pool overflow in XP parsing IGMPv3 packets advisory
2/8/2008 - Vista SP1 ships with added mitigations
2/17/2008 - "ASLR Smack & Laugh Reference"
  "dos, brute force, ret2text, ret2bss, ret2data, ret2heap, string and function pointer redirecting, stack stethoscope and formatted information, ret2ret, ret2pop, ret2esp, ret2eax and finally ret2got"
4/14/2008 - "Application-Specific Attacks - Leveraging the ActionScript Virtual Machine"
7/1/2008 - "Real World Kernel Pool Exploitation"
7/29/2008 - .Net controls used to exploit IE
8/4/2008 - "Return-Oriented Programming"
  "the geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)."
4/18/2009 - PAX_USERCOPY released
6/8/2009 - grsecurity adds limited integer-overflow defense
7/16/2009 - Cheddar Bay kernel exploit released
7/23/2009 - 0day discovered in the wild (heap spray through flash)
8/12/2009 - "Nozzle, a Defense Against Heap Spraying Code Injection Attacks"
9/9/2009 - Enlightenment Linux kernel exploitation framework
2/3/2010 - Pointer Inference and JIT Spray
4/9/2010 - PaX Team releases UDEREF/amd64

Further dated entries appearing out of sequence in the transcript:

1/30/2007 - Microsoft ships Windows Vista with ASLR
  ASLR
  block encryption
  terminate on heap corruption
  headers validated (more)
8/8/2008 - "Attacking the Vista Heap"
  application specific double-frees
  heap spraying to spray heap structures to overwrite function pointers
2/2/2005 - "First public release of WehnTrust" (v0.9.0)

Undated slide notes:

  "It seems as if it wont be possible to use the current arbitrary memory overwrite anymore. On the other hand we do not have enough information about new possibilities these changes can create in heap exploitation."
  "death of the write4 primitive"
  muffled PaX announcement
  application specific attacks
    Sinan: "I can make a strawberry pudding with so many prerequisites"
    .Net Controls
    .Net Spraying
    .JIT Sprays

Diagrams: Matt Miller, Alex Sotirov
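The "Exploiting non-terminated adjacent memory spaces" entry (5/1/2000) quotes the core problem: functions that programmers treat as the "safe" string routines do not always write a terminator. The C program below is an added example written for this page; it is not code from the presentation or from the paper it cites. It builds a constructed two-field record, shows that strncpy() leaves the first field unterminated when the source exactly fills it (so a later "%s" read runs on into the neighbouring field), and pairs it with a bounded copy that always terminates and reports truncation. The struct, inputs and function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent fixed-size fields, as found in many record structures.
   Constructed for this example; not taken from any real program. */
struct record {
    char name[8];
    char role[8];
};

/* Count bytes from the start of the record up to the first NUL anywhere
   in it. If 'name' carries no terminator the count runs on into 'role',
   which is exactly what a later printf("%s", rec->name) would print.
   Scanning the object through a char pointer keeps this well defined. */
static size_t visible_name_length(const struct record *rec)
{
    const char *bytes = (const char *)rec;
    size_t n = 0;
    while (n < sizeof *rec && bytes[n] != '\0') {
        n++;
    }
    return n;
}

/* The unsafe pattern: strncpy() is often assumed to be the "safe strcpy",
   but when strlen(src) >= n it writes all n bytes and no terminator. */
size_t name_length_after_strncpy(const char *src, const char *neighbor)
{
    struct record rec;
    memset(&rec, 0, sizeof rec);
    strncpy(rec.role, neighbor, sizeof rec.role - 1); /* role stays terminated */
    strncpy(rec.name, src, sizeof rec.name);          /* name may not be       */
    return visible_name_length(&rec);
}

/* Hardened copy: always NUL-terminates, truncating if needed. Returns false
   when truncation happened so the caller can reject the input rather than
   silently keeping a shortened value. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst_size == 0) {
        return false;
    }
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

size_t name_length_after_bounded_copy(const char *src, const char *neighbor)
{
    struct record rec;
    memset(&rec, 0, sizeof rec);
    copy_bounded(rec.role, sizeof rec.role, neighbor);
    copy_bounded(rec.name, sizeof rec.name, src);
    return visible_name_length(&rec);
}

int main(void)
{
    /* Constructed inputs: an 8-byte name exactly fills name[8]. */
    printf("strncpy:      %zu bytes visible as the name\n",
           name_length_after_strncpy("ABCDEFGH", "admin"));
    printf("copy_bounded: %zu bytes visible as the name\n",
           name_length_after_bounded_copy("ABCDEFGH", "admin"));
    return 0;
}
```

With the 8-byte input, the strncpy() version reports 13 visible bytes ("ABCDEFGH" followed by "admin"), which is the information leak the slide's quote warns about; the bounded copy reports 7 because it kept room for the terminator and told the caller it truncated. The same shape of defect applies to any "n-limited" routine that pads or copies without terminating, so the check to apply in review is whether the terminator is written by the callee or by the caller.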
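The arithmetic on the "Basic Integer Overflows" slide (i = 2147483647, i + 1 = -2147483648) is the whole bug class in one line. The C program below is an added example written for this page, not code from the presentation or from the paper it cites; the function names are mine. It reproduces the slide's wrap through unsigned arithmetic (signed overflow itself is undefined behaviour in C, so it is never performed directly), and then goes one step beyond the slide to the place such wraps matter most in practice: an element count multiplied into an allocation size, where a wrapped product hands back a small buffer that later code fills with the full count of elements. Both checks test the operands before the operation so that the overflow never occurs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reproduces the slide's arithmetic. The addition is done on unsigned
   values, where wrap-around is defined, and converted back; on every
   two's-complement target 0x7fffffff + 1 yields 0x80000000 = INT32_MIN. */
int32_t wrap_add_i32(int32_t a, int32_t b)
{
    uint32_t sum = (uint32_t)a + (uint32_t)b;
    return (int32_t)sum;
}

/* True if a + b cannot be represented as an int. Only the operands are
   inspected, so the undefined signed overflow never happens here. */
bool add_would_overflow(int a, int b)
{
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* True if count * elem_size would wrap a size_t. This is the check that
   is missing when an attacker-controlled count is multiplied into an
   allocation size. */
bool mul_would_overflow_size(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Allocation-size computation as a defender writes it: returns 0 on
   overflow (never a wrapped small value) so the caller can refuse the
   request. Zero-sized requests are rejected the same way. */
size_t checked_alloc_size(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0 || mul_would_overflow_size(count, elem_size)) {
        return 0;
    }
    return count * elem_size;
}

int main(void)
{
    int32_t i = INT32_MAX;   /* the slide's 2147483647 (0x7fffffff) */
    int32_t j = wrap_add_i32(i, 1);

    printf("i     = %d (0x%08x)\n", (int)i, (unsigned)(uint32_t)i);
    printf("i + 1 = %d (0x%08x)\n", (int)j, (unsigned)(uint32_t)j);
    printf("add_would_overflow(INT_MAX, 1)          = %d\n", add_would_overflow(INT_MAX, 1));
    printf("checked_alloc_size(100, 4)              = %zu\n", checked_alloc_size(100, 4));
    printf("checked_alloc_size(SIZE_MAX / 2 + 1, 4) = %zu\n",
           checked_alloc_size(SIZE_MAX / 2 + 1, 4));
    return 0;
}
```

The last printf is the case the "Basic Integer Overflows" paper is about: without the check, `(SIZE_MAX / 2 + 1) * 4` wraps to 0 on a two's-complement machine and an allocator would be asked for nothing while the caller believes it owns room for billions of elements. Returning 0 from checked_alloc_size makes that request indistinguishable from a refused one, which is the behaviour a reviewer should look for in any size computation fed by untrusted input.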