SECURITY, AUDIT & CONTROL OF INFORMATION SYSTEMS CONFERENCE 2007 Smart Valley
Security Vulnerabilities Caused by Low-Level Programming Errors and How They Are Exploited
Murat Balaban, EnderUNIX
Take SIGSEGV seriously!!!
Program bug = security vulnerability
Design problem = security vulnerability
Some important security vulnerabilities
- Stack overflows
- Heap overflows
- Pointer overflows
- Format string memory disclosure and overflows
- Integer overflows
Pointer overwrite
Heap Overflow
Stack Overflow
Bug = Vulnerability. Why?
    x = 0;
    fonksiyon(1, 2, 3);
    x = 1;
Stack frame during the call to fonksiyon():
    | 1                                  | EBP+16
    | 2                                  | EBP+12
    | 3                                  | EBP+8
    | return address                     | EBP+4
    | saved ESP                          | EBP
    | yerel_degisken_1 (local variable 1)| EBP-4
    | yerel_degisken_2 (local variable 2)| EBP-8
0x41?
    evil]$ ./abo1 `perl -e "print 'A' x 1024"`
    Segmentation fault (core dumped)
    evil]$
0x41?
    evil]$ gdb -q ./abo1 ./core
    Core was generated by `./abo1'
    Program terminated with signal 11, Segmentation fault.
    #0 0x in ?? ()
    (gdb) i r
    eax 0xbff3edf
    ecx 0xfff9f
    edx 0xbff9fbba
    ebx 0xd12ff
    esp 0xbff3ef00 0xbff3ef00
    ebp 0x x
    esi 0xbff3ef
    edi 0xbff3ef
    eip 0x x
    eflags 0x
    cs 0x
    ss 0x7b 123
    ds 0x7b 123
    es 0x7b 123
    fs 0x0 0
    gs 0x33 51
    (gdb)
Stack frame of the vulnerable function:
    | return address | EBP+4
    | saved ESP      | EBP
    | buf[255]       | EBP-4
    | buf[251]       | EBP-8
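The root-cause fix for the crash above, as an added example that is not from the original slides. It assumes abo1 copies its first argument into a 256-byte stack buffer without a length check (the slides show only buf[255] in the frame, not the source); the names copy_arg, handle_input and BUF_SIZE are hypothetical.

```c
/* Added example, not from the slides. Assumption: abo1 copies argv[1]
 * into a 256-byte stack buffer with an unbounded strcpy(). */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* matches buf[0..255] in the frame diagram */

/* Vulnerable pattern, shown for comparison only and never called here:
 *     char buf[BUF_SIZE];
 *     strcpy(buf, input);      // writes past buf[255] when input is longer
 */

/* Bounded copy: returns 0 on success, -1 if src (plus its NUL) does not
 * fit in dst. Nothing is written to dst on failure, so a too-long input
 * is rejected instead of being silently truncated. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                               /* input too long for dst */
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Hardened stand-in for the assumed abo1 logic. */
int handle_input(const char *input)
{
    char buf[BUF_SIZE];
    if (copy_arg(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
        return -1;
    }
    return (int)strlen(buf);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return handle_input(argv[1]) < 0 ? 1 : 0;
}
```

With this check, the 1024-byte argument from the slide is refused with an error message, and the saved frame data and return address above buf are never written.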
Shellcode
- The code that we want to run once control of the program has been taken over
- Usually a new UNIX shell is started with the privileges of the compromised program (most often root)
Shellcode
    #include <unistd.h>   /* execve(), NULL */

    int main(void)
    {
        char *shell[2];

        shell[0] = "/bin/sh";            /* program to execute */
        shell[1] = NULL;                 /* argv terminator */
        execve(shell[0], shell, NULL);   /* replace this process with /bin/sh */
        return 1;                        /* reached only if execve() fails */
    }
Shellcode
Placing the Shellcode
- Placing it inside the buffer supplied by the user (aleph1)
- Placing it in an environment variable (murat)
Exploit (shellcode in an environment variable)
Final Words
- Do not rely on intermediate solutions
- Solve the problem at its root.
- Write secure software, use secure software.
Questions?
Thank you
EnderUNIX – TUBITAK UEKAE