5. Cyberattack 2 – Network Attacks and BOF
Cyberattack 2:
Network Attacks and
Buffer Overflow (BOF)
CITS3004
Alvaro Monsalve
1
1. Network Attacks
1.1. Sniffing (Eavesdropping)
1.2. Spoofing and hijacking
1.3. Remote access
1.4. Denial of Service
2. Buffer overflow
Agenda
2
• There are vulnerabilities in network functionalities
• Attackers can exploit these to bypass security solutions
• This section, we will explore some of the basic and common
ways of exploiting the network functionalities
3
1. Network Attacks
Application Layer
Transport Layer
Internet Layer
Network Access Layer
4
Crash Course on TCP
Data
Data
DataTCP
DataTCPIP
DataTCPIPMAC
0010011101111…
Data
Data
DataTCP
DataTCPIP
DataTCPIPMAC
0010011101111…
Datagram
Packet
Frame
Bit
See CITS3002 Network and Security for more details
5
Crash Course on TCP
Repeat data transfer
until end of
communication
• Sniffing is a passive attack
• Captures network traffic between two
communicating nodes
• Cannot detect such attacks, as the attack does not
leave any traces in the system
• Can be mitigated easily using encryption
6
1.1. Sniffing
• However, establishing a secure channel to
communicate is important
• As well as the coverage of the channel
7
Sniffing
Alice Bob
Eve
Not secure
Secure channel
• There are a list of tools for sniffing
– E.g., Wireshark, tcpdump, Windows Message Analyzer etc.
• Chrome will notify users that ‘http’ is no longer secure*
8
Sniffing
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
Spoofing is a form of “lying”, to claim that you are
someone (or something) else
– i.e., masquerading
• By spoofing, you can progress into hijacking
9
1.2. Spoofing
I am Bob
• Many types of spoofing attacks
– IP spoofing
– MAC spoofing
– DNS spoofing
– ARP spoofing
– Website spoofing
– Email address spoofing etc…
10
Spoofing
Let us have a look at this one
11
TCP Spoofing
Client Server
SYN, ACK
Attacker
SYN
ACK
Data
SYN, ACK The attacker acting as
the client
12
TCP Spoofing
Client Server
SYN
SYN, ACK
ACK
Data
Attacker
SYN
ACK
Data
Normal Reset
SYN, ACK
The attacker guesses
the sequence number
– TCP Spoofing
First, we need to reset
the existing
connection
• Once TCP session has been reset, we can easily spoof
the IP address by modifying the IP packet header
– IPv4 is vulnerable as it does not check for integrity
– IPv6 can also be spoofed*
• This is especially easy for inside attackers, as you
don’t have to bypass firewall filtering
13
IP Spoofing
14
IP Spoofing
What can we do now?
We can launch other attacks
– Hijacking (next)
– SYN flood attack (later)
– ICMP redirects
– Ping-O-Death
– Etc.
15
IP Spoofing
• TCP session hijacking is used in conjunction with TCP and
IP spoofing attacks
• Can be used to take over TCP applications
– E.g., Telnet, FTP, rlogin
• Once attacker has TCP segment sequence, they can hijack
the connection
• The legitimate user can no longer communicate with the
server, as the sequence number is no longer valid
16
TCP Session Hijack
• Hijacking can bypass some authentication
– E.g., one-time passwords
– Hijack already authenticated communication (what else do you need?)
• ISP has some packet filtering based on IP address range
– i.e., “this IP address cannot come from the source subnet!”
• Trusted hosts should only be used with authentication and
encryption
– E.g., remote hosts
• Update and maintain the firewall regularly
17
Prevention Methods
What shell we do?
– Allows execution of commands on the system
• E.g., create/modify/remove files and folders, fetch data, launch
applications etc.
– Remote shell is doing the shell commands remotely from the
network
– Malicious users who gain access to the remote shell can conduct
activities to damage the system
• E.g., delete all files on the system
18
1.3. Remote Access
• Normal communication between the user and the server
requires establishing a connection
– Typically using a TCP connection
• To establish a connection, you also need to mutually agree on
the socket
• Socket defines which port to communicate through
– If TCP/IP is identifying the road to travel, socket is choosing the right
garage
19
Remote Access
20
Remote Access
Port 80
HTTP Only Port 23
Telnet Only
Port 443
HTTPS Only
Port 25
SMTP Only
• Two different directions to gain the access through
the remote shell
– Forward shell
• Client hacking Server
– Reverse shell
• Server hacking Client
21
Remote Access
• Hackers (disguised as clients) can exploit the remote
connection vulnerability
• Requires vulnerable server setup with access to both
input and output of the server
– Either by discovery, or
– To plant the vulnerability
• E.g., Duplicate Open File Descriptor Dup2()
• Dup2 function allows clients to access duplicated files
– But if input and output descriptors are duplicated, clients
(hackers) can access shell!
22
Forward Shell
• The system assigns file descriptions sequentially
– Duplicate an existing file descriptor immediately after our
connection to get the same file descriptor of the socket
associated with the connection
– Execute shell on the server, then
– All the input and output will be redirected to the socket,
which is to the shell!
23
Forward Shell
Mitigation the Problem:
• Blocking forward shell is straight-forward
– Use Firewall
– Authenticate connections
– Drop unknown connections
– Block incoming TCP SYN packets from external network
– Allow outgoing TCP packets from internal network
24
Forward Shell
This brings us to the next problem (or solution)
• Reverse shell allow server to act as a malicious user
• Server will lure clients (victims) to connect
• To lure victims, the malicious server may distribute
malicious code (e.g., using phishing)
– Waiting for the victim to start the TCP handshake
• Once the connection is established, the malicious
server can send commands
25
Reverse Shell
• Little more tricky than forward shell
– Easier to craft the client’s code
– Client initiates the connection, so difficult to filter bad
connections
– Authentication may provide certain degree of prevention
– Use malware detection to minimise the exposure to such
vulnerabilities
26
Reverse Shell
• “an action that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources
such as central processing units (CPU), memory, bandwidth,
and disk space.” – NIST
• Spoofing is often used to make tracing difficult
– But we have packet tracing using stamps for traceability
• Distributed DoS (DDoS) makes it even harder to pin-point the
original source of an attack
27
1.4. Denial of Service
• There are many types of denial of service attack
– Volume based, protocol, and application layer
28
Denial of Service
Volume (bandwidth)
• Exhaust the bandwidth
of the target
• Flooding (UDP, ICMP
and other packet-based
etc)
Protocol
• Exploits protocol
vulnerabilities and
misuse
• SYN floods, packet
fragmentation, Ping-O-
Death, Smurf DDoS etc
Application
• Exploits application
layer communication
vulnerabilities
• HTTP POST, server
exploitations (e.g.,
Apache, Windows etc)
• E.g., Ping-O-Death
– A classic DoS attack
– Floods the ping command to the target
– Once the capacity of the bandwidth exceeds, the
(legitimate) packets are discarded
– Avoid location identification using spoofing
29
Volume-based
ping
ping ping
ping
ping
ping
ping
ping
ping
ping
ping
ping
ping
• E.g., SYN flooding
– Volume attack exploiting the protocol design flaw
– Commonly used DoS
– Continuously sending crafted SYN packets to the target
– The server will send back the ACK, but the attacker never
replies
– Legitimate SYN packets have to wait while other malicious
SYN packets are processed
30
Protocol Exploit
31
Protocol Exploit
The ACK is sent back, but is directed
to non-existant client, or the client
discard the ACK packets as it did not
instantiate the connection
32
DDoS
DoS DDoS
• Use of multiple systems to carry out DoS attack
• Exploit system vulnerabilities to gain access to zombie
computers
– E.g., See last week’s lectures
• One attacker controls all the zombie computers
– Named botnet
• There may be more hierarchies in controlling zombies
33
DDoS
• We can also use legitimate servers as
an intermediate step to carry out
DDoS attack
• Spoof the packets with the target
address, and send it to intermediate
servers
• Intermediate servers will “reply” back
to the target
• If enough packets are generated, the
target will be denied of service to
legitimate requests
34
Reflection attack
35
Reflection attack
Hacker
controlled
zombies
Legitimate
servers
Victim’s spoofed IP Flooding
SYN/ACK
packets
• Core idea is to use the broadcast function of the
network
• The zombies send spoofed messages with the target
IP address to the broadcast IP address
• All systems in that subnet will reply to the victim
– Flooding response messages!
36
Amplification attack
• Example: Smurf Amplification DoS attack
37
Amplification attack
• Difficult due to identification of legitimate to false traffic data
– Is this high volume real or DoS?
38
DoS Prevention
Prevention and
preemption
Detection and
filtering
Trace-back and
identification Reaction
Patch known
vulnerabilities
and flaws
Update
Firewall rules
and IDS
Conduct
forensics and
analysis
Review security
controls and
update
• Software programs are not monolithic*
• One module calls another module, which may call other
modules, etc.
• Control is transferred from one module to another
• E.g., From main module to getInput module, to processInput module, to
displayOutput module)
• Issue: how to maintain state of temporarily-suspended
modules?
• Solution: the system (or program) stack
39
2. Buffer Overflow
*formed of a single large block of stone.
40
Memory Layout of Stack
0x00400000
0x10000000
0x7FFFFFFF
Reserved
Text
segment
Data
segment
Stack
segment
The Stack refers to
the memory space
available to the
program to store
information
during execution
(such as variables,
return addresses
etc).
• Main program calls other routines
– User-defined routines
– System library routines (e.g. math, input/output)
• The main program has a block of information on the stack
• When a call is made to another module, a block of
information for that module goes on the stack
– Module arguments (information used for that module)
– Space for local variables for module (or in registers…)
– Return value (if module calculates one)
– Return address (where to go in previous module)
41
Buffer Overflow
• This process may be continued for many modules
– Module A calls Module B, which calls Module C, which calls
Module D, etc.
– Module A can re-call itself with different module
arguments (recursion)
• Note: a stack contains a finite amount of space
42
Buffer Overflow
Buffer – general category of a storage structure that holds
some data
Array – a homogeneous structure, holding multiple instances
of one data type
– E.g. Array of integers could hold test scores for class
– E.g. Array of characters is a string
• Usually terminated with a special ‘0’ (null) character in C / C++
• Strings are used often in applications – e.g. Usernames, passwords,
filenames, …
43
Arrays and Buffers
• We have a series of characters c of size 4 (i.e.,
holds 4 characters).
• c copies another string s (assuming it is declared),
using a strcpy function (string copy function).
44
Simplified Example
short i;
char c[4];
strcpy (c, s);
printf (“%d\n”, i);
• C and C++ languages do not check array
boundaries
– E.g. If array has 10 elements, can write 11 values into array
– What happens?
• Value is written into adjoining memory location
• If you own that memory location, you write over whatever was
there before
• Usually not good!
• If you don’t own that memory location, system will flag error
(i.e., segment fault)
45
BOF Details
• Now, what happens if s had a value
“ABCDEF”?
46
Back to Example
short i;
char c[4];
strcpy (c, s);
printf (“%d\n”, i);
The value of i will be overwritten with
0x4546 (“EF”).
To understand this further, we will
draw the stack diagram (soon).
• Compiler does not check whether programmer
is writing within specified array
• C language provides many routines that do not
check array limits
• Examples:
– strcpy (destination, source) – copy src to dst
– strcat (destination, source) – concatenate src onto dst
– sprintf – formatted printing into string
– Many others…
47
C/C++ Vulnerability
48
List of Dangerous C
Routines
• strcpy()
• strcat()
• sprintf()
• scanf()
• sscanf()
• fscanf()
• vfscanf()
• vsprintf()
• vscanf()
• vsscanf()
• streadd()
• strecpy()
• strtrns()
• Etc…
• If the buffer overflows occur accidentally (i.e., bad
memory management), then the program will throw
a segmentation fault.
• If the program was given an input carefully directed
to overrun the return address by manipulating the
stack, arbitrary code may be injected.
49
The Exploit Steps
• Write a small program that starts a shell window: use
something like system(“/bin/sh”)
– Just like the remote shell attacks
• Translate the program into machine code, modifying
individual bytes as needed
• Write the machine code into a buffer, followed by the
address of the start of that buffer, repeated many times
• Will overwrite the return address (on the stack) of the
server’s buffer handler routine
50
The Exploit Steps
• Get a copy of the operating system to be attacked
• Analyse the system stack layout for that operating
system and hardware platform
• Put the “shell window” machine code into a buffer
• Send your buffer to a program on the target
operating system (maybe one that runs as “root”)
that takes a buffer as input, makes a copy of that
buffer, and don’t check its bounds
51
The Exploit Steps
52
BOF Example
Lets take a look at an example.
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
This is stack
Stack grows up
Text segment for program
1
53
BOF Example
The program begins from the main function.
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
sp
bp
Note: bp – Base pointer sp – Stack pointer
Text segment for program
1
Memory for b
Memory for a
We need to
allocate memory
for the variable
junks in the
function foo.
54
BOF Example
Now we call function foo.
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp
When foo is
finished, we need to
go back to the main
function, which we
need to return to the
correct place where
we executed foo.
55
BOF Example
We allocate memory space for foo components.
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for junks
Prior value of bp
Correct return address
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp
In the foo
function, assume
it takes input
from the user to
assign junks
variable.
• If the input is within 7 bytes, the program will run
as normal
• But the user can also allocate more than 7 bytes for
the variable junks, because there is no boundary
checks
– E.g., input provided is 54354325432523
• What happens now?
56
BOF Example
57
BOF Example
It is possible that junks may overwrite the return address as
well.
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for junks
Prior value of bp
Correct return address
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp Memory for
junks
overflows in the
stack
What happens
when foo function
finishes?
• If the return address is overwritten, then the
instruction pointer will jump to some random
address
– This will likely cause a segmentation fault
• If these series of events are caused on purpose,
it is called a buffer overflow attack
– It is also known as stack smashing
58
BOF Example
59
BOF Example
This will likely give a segmentation fault error, but…
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for junks
Prior value of bp
Correct return address
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp Memory for
junks
overflows in the
stack
60
BOF Example
Imagine junks contain some executable code!
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for junks
Prior value of bp
Correct return address
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp Executable code!
New return address
…
If you know exactly
where the return
address is suppose
to be, then you can
craft your buffer
overflow attack.
61
BOF Example
Imagine junks contain some executable code!
void foo(int x, float y)
{
char junks[7];
(more code)
}
int main()
{
int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)
}
Text segment for program
1
Memory for junks
Prior value of bp
Correct return address
Memory for 1st argument
Memory for 2nd argument
Memory for b
Memory for a
sp
bp Executable code!
New return address
…
New return address
New return address
Maybe
it was
here
Sometimes, the
return address
can be guessed.
• Do not use suspect C/C++ routines
• Instead, use newer routines that check boundaries
– E.g. strncpy(dest, source, limit) – will write no more than
limit characters from source to destination
– Still problems with such routines
• E.g. Can end up with non-terminated strings
– One suggestion: manually set 0/null byte into each
destination string
• Use safer programming languages
– Java, Python etc boundary checks are done by the language
62
BOF Prevention
• Still, some applications are better written in C/C++
• Need to check all legacy code for buffer overflow
vulnerabilities
• Problems still being found in Oracle, other large software
systems
• Check for:
• Programmer use of suspect routines
• Use of code libraries where suspect routines were used
• Use of code libraries that use code libraries …
63
BOF Prevention
• Security controls
– Use latest security controls
– E.g., non-executable stacks (Data Execution
Prevention (DEP))
– E.g., Address Space Layout Randomisation (ASLR)
64
BOF Prevention
• Policies
– Important part of software security
• Avoid problems in advance
– Development teams and organisations need to
develop appropriate policies for code
development
• Safer language usage
• Safer library routine usage
• Library usage and positioning in application
65
BOF Prevention
• Sniffing tools
– http://sectools.org/tag/sniffers/
• Forward Shell
– https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440
• Websocket Hijacking
– https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
– Tutorial:
https://medium.com/@sharan.panegav/account-takeover-using-cross-site-
websocket-hijacking-cswh-99cf9cea6c50
• Buffer Overflow
– http://insecure.org/stf/smashstack.html
66
Additional Items
http://sectools.org/tag/sniffers/
https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
https://medium.com/@sharan.panegav/account-takeover-using-cross-site-websocket-hijacking-cswh-99cf9cea6c50
http://insecure.org/stf/smashstack.html