Embed Size (px)
DESCRIPTION
errata. EuSecWest website references IOActive No longer IOActive employee Independent contractor with IOActive Research is the work of myself and does not relate to IOActive No one at IOActive doing similar research. What?!. Interpreters serve as abstraction layer - PowerPoint PPT Presentation
Citation preview
errata
□ EuSecWest website references IOActive
□ No longer IOActive employee▫ Independent contractor with IOActive
□ Research is the work of myself and does not relate to IOActive▫ No one at IOActive doing similar research
What!?
□ Interpreters serve as abstraction layer□ Conceptually similar to VMs used in managed languages (i.e. Java
or .Net)□ Attacks against interpreted languages typically focus around
‘traditional web-app attacks’▫ Poison NULL byte complications▫ SQL Injection▫ Et cetera
□ Traditionally thought of as being immune to problems that plague other languages- i.e. buffer overflows
/* PSz 12 Nov 03 *
* Be proud that perl(1) may proclaim: * Setuid Perl scripts are safer than C programs … * Do not abandon (deprecate) suidperl. Do not advocate C
wrappers. *
Reason for Rhyme
□ Usage of web and managed applications only going to increase□ Gap between how these are attacked□ Protections against application based attack are C-centric
▫ Stack cookies ▫ Higher layers of abstraction may have their own call stacks
▫ Heap cookies protect against heap memory corruption▫ Many languages implement their own allocator that lack cookies
▫ The unlink() macro sanity checks the forward/backward pointers ▫ Many languages implement their own allocator that lack sanity checks▫ Linked lists often implemented on top of block of memory
▫ NX protects against execution▫ Byte code is read/interpreted, not executed
▫ ASLR protects against return-to-libc/et cetera▫ Still valid
But, the future of insecurity?
□ Hacking community is largely content with the world as it is
□ World is changing▫ Most OSs ship with some hardening anymore▫ GCC ships with SSP▫ Visual Studio 2005 is pretty effective▫ Interpreted & Managed language use on the rise▫ We don’t get to choose what the applications we break are
written in▫ Adapt or die
□ Maybe not the future▫ But, I’m at least thinking about it
Goals & Prior Art
□ Goals:▫ Memory Corruption bug in interpreter▫ Attack interpreted language metadata▫ Return into interpreted language bytecode
□ Stephan Esser▫ Hardened PHP, Month of PHP bugs, et cetera
□ Mark Dowd▫ Leveraging the ActionScript Virtual Machine
Damn the torpedoes
□ In Mid-April 2008 Google rolled out ‘AppEngine’□ AppEngine ‘enables you to build web applications on the
same scalable systems that power Google applications’□ AKA Here’s a python interpreter, you can’t break us.□ A flagship example is the shell application
▫ Literally a web-based interface to the interpreter
□ Interpreter runs in a restricted environment▫ All file-based I/O is (supposed to be) disabled and a Google
specific datastore API is provided▫ Subprocesses, threads, et cetera disabled▫ No sockets▫ Many modules disabled or modified
□ Perfect target.
Abba Zabba, you my only friend
□ Having direct access to the interpreter allows *a lot* of flexibility
□ Stopping address space leaks becomes incredibly problematic (sys._getframe() ?)
□ Attacker can manipulate interpreter state to match necessary conditions
□ Situation is the same that shared hosting providers have faced for years
□ Except now its Google, they’re pushing this for enterprise use, and the attack surface has been acknowledged
But interpreted languages don’t have buffer overflows…
□ More common than expected▫ CVE-2008-1679: Multiple integer overflows in imageop module▫ CVE-2008-1887: Signedness issues in
PyString_FromStringAndSize()▫ CVE-2008-1721: Signedness issues cause buffer overflow in zlib
module▫ CVE-2008-XXXX: Integer overflow leads to buffer overflow in
Unicode processing▫ CVE-2008-XXXX: Integer overflow leads to buffer overflow in
Buffer objects▫ Et cetera
□ Interpreter code still relatively ‘virgin’□ Many in Python due to extensive use of signed integers
On 0-day
□ Over next few slides several bugs are discussed▫ Some are reported and patched▫ Some are reported and unpatched▫ Some are undisclosed and unpatched
□ Not all bugs are equal▫ Most occur in unusual circumstances▫ Most require direct interpreter access▫ Others are typically unexploitable (i.e. memcpy() of
4G)
□ Most undisclosed were found in a very short period of time▫ Point is, they exist & they’re not hard to find
Ethics of 0-day
□ Arguments would be easier to take serious if contracts didn’t have clauses like this:
When good APIs go bad
□ Patched in CVS, broken in Python versions up to 2.5.2□ Also in PyBytes_FromStringAndSize() & PyUnicode_FromStringAndSize()
52 PyObject *53 PyString_FromStringAndSize(const char *str, Py_ssize_t size)54 {55 register PyStringObject *op;56 assert(size >= 0);57 if (size == 0 && (op = nullstring) != NULL) {
[…]63 }64 if (size == 1 && str != NULL &&65 (op = characters[*str & UCHAR_MAX]) != NULL)66 {
[…]72 }73 74 /* Inline PyObject_NewVar */75 op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
Where the wild things roam..
□ Currently reported but unpatched□ Like previous example causes faults in numerous places– including core
data types
85 #define PyMem_New(type, n) \86 (assert((n) <= PY_SIZE_MAX / sizeof(type)) , \87 ((type *) PyMem_Malloc((n) * sizeof(type))))88 #define PyMem_NEW(type, n) \89 (assert((n) <= PY_SIZE_MAX / sizeof(type) ) , \90 ((type *) PyMem_MALLOC((n) * sizeof(type))))91 92 #define PyMem_Resize(p, type, n) \93 (assert((n) <= PY_SIZE_MAX / sizeof(type)) , \94 ((p) = (type *) PyMem_Realloc((p), (n) * sizeof(type))))95 #define PyMem_RESIZE(p, type, n) \96 (assert((n) <= PY_SIZE_MAX / sizeof(type)) , \97 ((p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type))))
0xbadc0ded
□ Reported, but currently unpatched
static intunicode_resize(register PyUnicodeObject *unicode, Py_ssize_t length){
[...]oldstr = unicode->str;PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);[...]unicode->str[length] = 0;
staticPyUnicodeObject *_PyUnicode_New(Py_ssize_t length){
[...] /* Unicode freelist & memory allocation */ if (unicode_freelist) { […]
if ((unicode->length < length) && unicode_resize(unicode, length) < 0) { […]
else { unicode->str = PyMem_NEW(Py_UNICODE, length + 1);
0xbadc0ded
□ Reported and patched in CVS, versions up to 2.5.2 are vulnerable
768 static PyObject *769 PyZlib_unflush(compobject *self, PyObject *args)770 {771 int err, length = DEFAULTALLOC;772 PyObject * retval = NULL;773 unsigned long start_total_out;774775776 if (!PyArg_ParseTuple(args, "|i:flush", &length))777 return NULL;778 if (!(retval = PyString_FromStringAndSize(NULL, length)))779 return NULL; […]783 start_total_out = self->zst.total_out;784 self->zst.avail_out = length;785 self->zst.next_out = (Byte *)PyString_AS_STRING(retval);786 787 Py_BEGIN_ALLOW_THREADS788 err = inflate(&(self->zst), Z_FINISH);
0xbadc0ded
□ Currently undisclosed & unpatched
static PyObject *array_fromunicode(arrayobject *self, PyObject *args){
Py_UNICODE *ustr; Py_ssize_t n;
if (!PyArg_ParseTuple(args, “u#:fromunicode", &ustr, &n)) return NULL;
[...] if (n > 0) { Py_UNICODE *item = (Py_UNICODE *) self->ob_item; if (self->ob_size > PY_SSIZE_T_MAX - n) { return PyErr_NoMemory(); } PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n); if (item == NULL) { PyErr_NoMemory(); return NULL; } self->ob_item = (char *) item; self->ob_size += n; self->allocated = self->ob_size; memcpy(item + self->ob_size - n, ustr, n * sizeof(Py_UNICODE));
0xbadc0ded
□ Currently undisclosed & unpatched
static PyObject *encoder_encode_stateful(MultibyteStatefulEncoderContext *ctx, PyObject *unistr, int final){
PyObject *ucvt, *r = NULL; Py_UNICODE *inbuf, *inbuf_end, *inbuf_tmp = NULL; Py_ssize_t datalen, origpending;
[...]
datalen = PyUnicode_GET_SIZE(unistr); origpending = ctx->pendingsize;
if (origpending > 0) { if (datalen > PY_SSIZE_T_MAX - ctx->pendingsize) { […]
} inbuf_tmp = PyMem_New(Py_UNICODE, datalen + ctx->pendingsize); […] memcpy(inbuf_tmp, ctx->pending, Py_UNICODE_SIZE *ctx->pendingsize);
ya dig?
□ Currently undisclosed & unpatchedstatic PyObject *posix_execv(PyObject *self, PyObject *args){
[…]
if (!PyArg_ParseTuple(args, "etO:execv", Py_FileSystemDefaultEncoding, &path, &argv)) return NULL; if (PyList_Check(argv)) { argc = PyList_Size(argv); […] else if (PyTuple_Check(argv)) { argc = PyTuple_Size(argv); […] argvlist = PyMem_NEW(char *, argc+1);
[...]
for (i = 0; i < argc; i++) { if (!PyArg_Parse((*getitem)(argv, i), "et", Py_FileSystemDefaultEncoding, &argvlist[i])) {
[...]
Goals review
□ Goal 0: memory corruption bugs▫ Bugs are just as prevalent as other traditional
applications▫ Some of them are pretty silly▫ Lots are still easy to spot and require very
little in the way of deep thinking▫ Some are exploitable, some require specific
circumstances, others are just bugs
□ Goal 1: attack interpreter level metadata..
Python Call stack
□ Simple test program:#!/usr/bin/pythonimport time
while 1:time.sleep(500)
gdb> r[…]Program received signal SIGINT, Interrupt.[Switching to Thread 0x2b9d5bdd4d00 (LWP 28588)]0x00002b9d5bb4f043 in select () from /lib/libc.so.6gdb> bt#0 0x00002b9d5bb4f043 in select () from /lib/libc.so.6#1 0x00002b9d5bdd869f in time_sleep […]#2 0x0000000000486097 in PyEval_EvalFrameEx […]#3 0x0000000000488002 in PyEval_EvalCodeEx […]#4 0x00000000004882a2 in PyEval_EvalCode […]#5 0x00000000004a969e in PyRun_FileExFlags […]#6 0x00000000004a9930 in PyRun_SimpleFileExFlags […]#7 0x0000000000414630 in Py_Main […]#8 0x00002b9d5bab2b74 in __libc_start_main […]#9 0x0000000000413b89 in _start ()
Bytecode flow overview
Python Objects
□ Most (interesting) object types start with a reference to PyObject_VAR_HEAD
□ i.e.:typedef struct _xyz {
PyObject_VAR_HEAD[…]
□ PyObject_VAR_HEAD macro expands to:▫ Contain the objects reference count▫ Contain pointers to next/previous in-use object
(doubly linked list)▫ Contains a pointer to the objects type
▫ This point is way more important at first may seem
PyCodeObject
/* Bytecode object */
typedef struct {PyObject_HEADint co_argcount; /* #arguments, except *args */int co_nlocals; /* #local variables */int co_stacksize; /* #entries needed for evaluation stack */int co_flags; /* CO_..., see below */PyObject *co_code; /* instruction opcodes */PyObject *co_consts; /* list (constants used) */PyObject *co_names; /* list of strings (names used) */PyObject *co_varnames; /* tuple of strings (local variable names) */PyObject *co_freevars; /* tuple of strings (free variable names) */PyObject *co_cellvars; /* tuple of strings (cell variable names) */ PyObject *co_filename; /* string (where it was loaded from) */PyObject *co_name; /* string (name, for reference) */int co_firstlineno; /* first source line number */PyObject *co_lnotab; /* string (encoding addr<->lineno mapping) */void *co_zombieframe; /* for optimization only (see frameobject.c) */
} PyCodeObject;
PyEval_EvalCodeEx()
□ PyEval_EvalCode() is a simple wrapper to PyEval_EvalCodeEx()▫ Uses default arguments for last seven
parameters – passes NULL or 0
□ Takes a PyCodeObject as a parameter
□ Creates a PyFrameObject
□ Sets up local/global/et cetera variables
□ Serves essentially to setup environment
PyFrameObject
typedef struct _frame {PyObject_VAR_HEADstruct _frame *f_back; /* previous frame, or NULL */PyCodeObject *f_code; /* code segment */PyObject *f_builtins; /* builtin symbol table (PyDictObject) */PyObject *f_globals; /* global symbol table (PyDictObject) */PyObject *f_locals; /* local symbol table (any mapping) */PyObject **f_valuestack; /* points after the last local *//* Next free slot in f_valuestack. Frame creation sets to f_valuestack. Frame evaluation usually NULLs it, but a frame that yields sets I to the current stack top. */PyObject **f_stacktopPyObject *f_trace; /* Trace function */[…]PyThreadState *f_tstate;int f_lasti; /* Last instruction if called */[…]int f_iblock; /* index in f_blockstack */PyTryBlock f_blockstack[CO_MAXBLOCKS]; /* for try and loop blocks */PyObject *f_localsplus[1]; /* locals+stack, dynamically sized */
} PyFrameObject;
PyFrameObject destruction
□ As frames go out of scope, frame_dealloc() is called to destroy them□ During destruction, only locals, exception and debugging information is cleared□ Frame can end up in the PyCodeObject’s zombie frame, the free list, or just destroyed
voidframe_dealloc(PyFrameObject *f) {
[...]for (p = f->f_localsplus; p < valuestack; p++)
Py_CLEAR(*p);
[...]Py_CLEAR(f->f_locals);Py_CLEAR(f->f_trace);Py_CLEAR(f->f_exc_type);Py_CLEAR(f->f_exc_value);Py_CLEAR(f->f_exc_traceback);
co = f->f_code;if (co->co_zombieframe == NULL)
co->co_zombieframe = f;else if (numfree < MAXFREELIST) {
++numfree;f->f_back = free_list;free_list = f;
}
Zombies attack!!1
PyFrameObject *PyFrame_New(PyThreadState *tstate, PyCodeObject *code, PyObject *globals, PyObject *locals)
{[...] if (code->co_zombieframe != NULL) {
f = code->co_zombieframe; code->co_zombieframe = NULL; assert(f->code == code);
} else {[...]
}
f->f_stacktop = f->f_valuestack; f->f_builtins = builtins;
Py_XINCREF(back);f->f_back = back;Py_INCREF(code);Py_INCREF(globals);f->f_globals = globals;[...]return f;
}
Unleashing your zombie army..
□ Attacking zombie frame not always necessary, or doing so may not make sense▫ Many heap overflows occur in direct control of byte
stream▫ Many others either also allow direct control of the
argument stack or both▫ Plenty of instances where you don’t hit either
□ Zombie frame is useful for pointer sized writes anywhere in memory▫ On smaller overflows, fairly typical to corrupt
members of object▫ Many objects destructors use linked lists with
unprotected unlinking functionality
PyEval_EvalFrameEx()
□ Implements state-machine for processing bytecode
#define INSTR_OFFSET() ((int))(next_instr – first_instr))#define NEXTOP() (*next_instr++)#define NEXTARG() (next_instr += 2, (next_instr[-1]<<8) + next_instr[-2])
PyObject *PyEval_EvalFrameEx(PyFrameObject *f, int throwflag){
[...]first_instr = (unsigned char*) PyString_AS_STRING(co->co_code);[...]next_instr = first_instr + f->f_lasti + 1;stack_pointer = f->f_stacktop;[...]for (;;) {
[...] f->f_lasti = INSTR_OFFSET();
[...]opcode = NEXTOP();
oparg = 0; /* allows oparg to be stored in a register because it doesn't have to be remembered across a full loop */ if (HAS_ARG(opcode)) oparg = NEXTARG();
[…]switch (opcode) {
Important variables
□ first_instr:▫ Taken directly from f->f_code->co_code▫ Determines first instruction in PyCodeObject/bytecode to be executed▫ Local (stack based) variable in PyEval_EvalFrameEx()▫ Points to heap data
□ next_instr:▫ Derived from first_instr– starts out pointing to same location▫ Incremented by one to three bytes per opcode▫ Dictates next instruction in bytecode to be interpreted▫ Local (stack based) variable in PyEval_EvalFrameEx()▫ Points to heap data
□ stack_pointer:▫ Derived from f->f_stacktop▫ Determines next argument to given opcode▫ Makes up data stack▫ Local (stack based) variable in PyEval_EvalFrameEx()▫ Points to heap data
Only handguns and tequila allow bigger mistakes faster
#define JUMPTO(x) (next_instr = first_instr + (x))
while (why != WHY_NOT && f->f_iblock > 0) {PyTryBlock *b = PyFrame_BlockPop(f);
assert(why != WHY_YIELD);if (b->b_type == SETUP_LOOP && why == WHY_CONTINUE) {
PyFrame_BlockSetup(f, b->b_type, b->b_handler,b->b_level);why = WHY_NOT;JUMPTO(PyInt_AS_LONG(retval));Py_DECREF(retval);break;
}[...]if (b->b_type == SETUP_LOOP && why == WHY_BREAK) {
why = WHY_NOT;JUMPTO(b->b_handler);break;
}if (b->b_type == SETUP_FINALLY || (b->b_type == SETUP_EXCEPT && why ==
WHY_EXCEPTION)) {[...]why = WHY_NOT;JUMPTO(b->b_handler);break;
}} /* unwind stack */
Other interpreter targets..
□ Python’s debugging functionality allows for tracing of the application▫ Whether the currently executing byte-code is being
traced is determined by a member in the stack frame▫ Tracing allows for calls before opcode execution,
function entry, exception handling, et cetera
□ Many Objects have functionality that can be abused with small amounts of memory corruption
□ Be creative, they haven’t been beat on like the various libc’s, so they haven’t hardened their implementations
Goal Review
□ Goal 1: Attack interpreter level metadata▫ In most cases overwriting a PyCodeObject or the
stack_pointer is trivial▫ In others attacking the zombie frame allows for an
interesting and humorous exercise▫ Python’s exception handling can also be abused▫ Objects are unhardened
□ This allows us to bypass many of the hardening functionality in existence, i.e. stack/heap cookies, unlink() hardening, et cetera
□ Goal 2: Return into byte-code…
opcodes
□ Python opcodes are a single char▫ As of 2.5.2 there are 103 opcodes
□ Opcodes take optional 16-bit modifier▫ Can be thought of as like a sub-opcode
□ Arguments/parameters are pointed to by stack_pointer□ Thus, parameters need to be placed on the stack first, then the
opcode in question called□ i.e.:
>>> def test():… print “PsychoAlphaDiscoBetaBioAquaDoLoop”…>>> __import__(‘dis’).dis(test) 2 0 LOAD_CONST 1 ('PsychoAlphaDiscoBetaBioAquaDoLoop')
3 PRINT_ITEM 4 PRINT_NEWLINE 5 LOAD_CONST 0 (None)
8 RETURN_VALUE
Our House..
□ Easiest method is to abuse the support for run-time functions (lambda’s)□ Opcode is MAKE_FUNCTION
case MAKE_FUNCTION:v = POP(); /* code object */
x = PyFunction_New(v, f->f_globals); Py_DECREF(v); /* XXX Maybe this should be a separate opcode? */ if (x != NULL && oparg > 0) { v = PyTuple_New(oparg); if (v == NULL) { Py_DECREF(x); x = NULL; break; } while (--oparg >= 0) { w = POP(); PyTuple_SET_ITEM(v, oparg, w); } err = PyFunction_SetDefaults(x, v); Py_DECREF(v);
} PUSH(x); break;
In the middle of our street..
□ Python natively generates code that has a STORE_FAST/LOAD_FAST▫ Don’t think they’re necessary▫ Pressed for time, so didn’t investigate whether they were necessary or not
#define GETLOCAL(i) (fastlocals[i])#define SETLOCAL(i, value) do { PyObject *tmp = GETLOCAL(i); \
GETLOCAL(i) = value; \ Py_XDECREF(tmp); } while (0)
case LOAD_FAST:x = GETLOCAL(oparg);
if (x != NULL) { Py_INCREF(x); PUSH(x); goto fast_next_opcode; } […] break;
case STORE_FAST: v = POP(); SETLOCAL(oparg, v); goto fast_next_opcode;
Let there be light.
□ Now that we’ve built the function and setup the argument stack, its just time to call it
□ Accomplished via CALL_FUNCTION opcode
case CALL_FUNCTION: { PyObject **sp; PCALL(PCALL_ALL); sp = stack_pointer;#ifdef WITH_TSC x = call_function(&sp, oparg, &intr0, &intr1);#else x = call_function(&sp, oparg);#endif stack_pointer = sp; PUSH(x); if (x != NULL) continue; break; }
Calling the call_function() function
static PyObject *call_function(PyObject ***pp_stack, int oparg
#ifdef WITH_TSC , uint64* pintr0, uint64* pintr1#endif )
{int na = oparg & 0xff;int nk = (oparg>>8) & 0xff;int n = na + 2 * nk;PyObject **pfunc = (*pp_stack) - n - 1;PyObject *func = *pfunc;PyObject *x, *w;
if (PyCFunction_Check(func) && nk == 0) {[...]
if (flags & METH_NOARGS && na == 0) { C_TRACE(x, (*meth)(self,NULL)); } else if (flags & METH_O && na == 1) { PyObject *arg = EXT_POP(*pp_stack); C_TRACE(x, (*meth)(self,arg)); Py_DECREF(arg); } [...]
calling the call_function() functionstatic PyObject *call_function(PyObject ***pp_stack, int oparg#ifdef WITH_TSC
, uint64* pintr0, uint64* pintr1#endif
){
[…]
if (PyCFunction_Check(func) && nk == 0) {[...]
} else { if (PyMethod_Check(func) && PyMethod_GET_SELF(func) != NULL) { PyObject *self = PyMethod_GET_SELF(func);
[...]
} else [...]
if (PyFunction_Check(func)) x = fast_function(func, pp_stack, n, na, nk);
[…]
A final note about call_function()
□ Often after overflow the code returned into is call_function()□ call_function() cleans up the argument stack after calling the
function:
while ((*pp_stack) > pfunc) {w = EXT_POP(*pp_stack);Py_DECREF(w);PCALL(PCALL_POP);
}
□ Py_DECREF() will almost certainly cause a destructor to get called□ If data stack_pointer pointed to was corrupted, this will be the first
place its felt□ Unless you’re ready for a ret-into-libc type attack, make sure that w
points to valid memory that has a value greater than 1
PyCodeObject’s don’t grow on trees you know!
□ Where to get a PyCodeObject?□ Two options, dependant on context:
▫ AppEngine, et al:
x = unicode(compile(‘print “zdravstvoyte mir!”, ‘<string>’, ‘exec’))
▫ x will contain string along the lines of: <code object <module> at 0x4e058f1c37daf18, file “<string>”, line 1>
▫ Now stack_pointer just needs to point at 0x4e058f1c37daf18
▫ Less controlled environments:▫ Use compile() to obtain code object▫ References in header need to be updated-- PyCodeObject->co_code▫ Requires address space leak
But..
□ Returning into bytecode in AppEngine doesn’t make much sense?▫ Already have control of the interpreter▫ Return into same restricted environment▫ Not exactly true-- but ret-into-libc or similar
eventually becomes necessary
□ Ret-into-libc requires address space info
□ Non-AppEngine attacks require address space info
Tell me about your mother..
□ One reason for return into byte-code on AppEngine: PRINT_EXPR opcode
case PRINT_EXPR:v = POP();w = PySys_GetObject("displayhook");
if (w == NULL) {PyErr_SetString(PyExc_RuntimeError, "lost sys.displayhook");
err = -1; x = NULL;}if (err == 0) {
x = PyTuple_Pack(1, v); if (x == NULL) err = -1;}if (err == 0) {
w = PyEval_CallObject(w, x);Py_XDECREF(w);if (w == NULL)
err = -1;}Py_DECREF(v);Py_XDECREF(x);break;
All we had to do was ask..
□ Typical results of memory leak:
‘\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x80\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\xa0\x91\x81\x00\x00\x00\x00\x00\x00\x90\x91\x81\x00\x00\x00\xb0\x91\x81\x12\x1e\x01\x00\x00\x02\[…]’
□ Leaking heap addresses in this example: 0x8191XXXX□ If stack_pointer is controlled, can point anywhere in the address space□ Leak is really only bounded by how much byte-code you can get into
the stream□ Objects used to verify typing information are statically allocated and use
fixed offsets– thus once you know the low-order bytes, you can spot them easily
□ Problematic because it prints to standard out, which can be redirected but post-overflow is a lot of trouble
□ Good strategy is to take advantage of fact that we’re dealing with a web-app that can crash an infinite number of times
Loose APIs sink ships.
□ Python is one of those overly helpful languages□ Pretty much all objects can be printed out
▫ When you print an object, the address of the object is leak▫ Object can also be converted to a string where the same string that gets printed
ends up in string, i.e. unicode(compile(…)) gives you the address of a PyCodeObject
□ Leak PyFrameObject addresses:▫ sys._getframe() – returns frame object▫ sys._currentframes() – returns a dictionary with each threads current frame
□ builtin function id()▫ Each object has a unique id▫ This is accomplished by using the address of the object for the id▫ i.e. id(None) yields address of None object (think about that in context of
obtaining type object addresses)□ Builtin functions dir() and getattr()
▫ dir() allows you to enumerate attributes of an object▫ getattr() allows you to obtain its value▫ Useful when function pointers cannot be avoided
Goals in review
□ Goal 2: return into interpreter byte-code▫ Easier to accomplish than initially thought▫ Process of executing byte-code is more problematic due to type-
checks▫ Successful exploitation absolutely requires address space leaks▫ Python provides us with nice opcodes to allow leaking▫ Easiest method is to use MAKE_FUNCTION/CALL_FUNCTION
combination as bootstrap mechanism▫ Restricted interpreters require return-into-C code to break out of
□ Returning into byte-code provides these advantages:▫ Non-executable memory is not necessary- byte-code is
interpreted not executed▫ Because its not executed we can use it to dump address space
info
2+2
□ Overall process:▫ Obtain address space information via memory
corruption and executing PRINT_EXPR opcode▫ Obtain addresses that were valid at one time and fix
up data with addresses▫ Craft a PyCodeObject either in the address space or
in the shellcode, update PyCodeObject header information if injecting into address space
▫ Execute following opcodes: MAKE_FUNCTION/STORE_FAST/LOAD_FAST/CALL_FUNCTION
▫ Return into PyCodeObject▫ From PyCodeObject return into executable memory
Other available opcodes
□ LOAD_CONST – loads constant onto argument stack using oparg index into consts member of PyCodeObject
□ POP_TOP – removes member from top of argument stack, decreases reference
□ ROT_TWO/ROT_THREE/ROT_FOUR – rotates position of argument stack, moving 2, 3 or 4 arguments around
□ DUP_TOPX – duplicates either 2 or 3 pointers on argument stack□ STORE_SLICE+X – some code paths do not have type checks and instead
create a new object, allows object creation□ PRINT_ITEM_TO – allows redirection of output, pops output data from
variable stack, falls through to PRINT_ITEM which may redirect to stdout□ LOAD_LOCALS – places f->f_locals onto argument stack, great opcode to
prefix PRINT_X opcodes□ YIELD_VALUE – takes return value from argument stack, sets f-
>f_stacktop to point to stack_ponter□ POP_BLOCK – Obtains PyTryBlock from argument stack, decrements
references for each record□ STORE_GLOBAL / LOAD_GLOBAL – same as with other
STORE_X/LOAD_X opcodes, except operates on globals
More opcodes
□ JUMP_ABSOLUTE – like JUMP_FORWARD except is not relative to first_instr
□ FOR_ITER – makes function pointer call from pointer retrieved from argument stack, good once address space layout is known
□ EXTENDED_ARGS – advances to next opcode, obtains another 16-bit oparg and combines it with existing 16-bit oparg, combined with JUMP_ABSOLUTE allows byte-code to exist anywhere (on 32-bit machines)
□ LOAD_CLOSURE – places pointer on argument stack from different section of heap memory
□ BUILD_X – several opcodes, allows for creation of Tuples, Lists, Maps and Slices
□ JUMP_FORWARD – advances position in bytecode by oparg bytes
□ Other opcodes perform type checks or have callbacks□ Many of the ones with type checks can be coaxed into usage by first
building an object via one of the BUILD_X opcodes□ Once address space is know, opcodes with callbacks are not dangerous
python.fin()
□ Bugs in Python exist and are easy to find□ Data structures and general metadata is easy to
abuse□ Byte-code is position independent and thus easy
to make▫ Because of its PIC nature– argument stack exists
elsewhere▫ Ownership can be transferred with one or the other,
but made more difficult
□ Hardest part of returning into byte-code is ASLR□ Python is really helpful there.
What about PERL?
□ PERL has bugs too
□ Reading PERL is an exercise in patience▫ Friend: ‘I still maintain that PERL was not
written.. It was found.. On a crashed UFO’
□ Yeah, it is that bad
□ Be careful when looking into the abyss..
Ugh, wtf?
□ Just an example (from 5.8.8):
int
perl_parse(PTHXx_, XSINIT_t xsinit, int argc, char **argv, char **env)
{
[…]
#ifdef PERL_FLEXIBLE_EXCEPTIONS
CALLPROTECT(aTHX_ pcur_env, &ret,
MEMBER_TO_FPTR(S_vparse_body),
env, xsinit);
#else
JMPENV_PUSH(ret)
#endif
Are you kidding me?
□ If PERL_FLEXIBLE_EXCEPTIONS is defined…
#define CALLPROTECT CALL_FPTR(PL_protect)#define CALL_FPTR(fptr) (*fptr)#define PL_protect (aTHX->Tprotect)#define aTHX PERL_GET_THX#define aTHX_ aTHX,
#ifdef USE_5005THREADS#define PERL_GET_THX ((struct perl_thread *)PERL_GET_CONTEXT)
#else#ifdef MULTIPLICITY
#define PERL_GET_THX ((PerlInterpreter *)PERL_GET_CONTEXT)#endif
#endif
Larry Wall is trying to kill me
□ And some more…
#ifndef PERL_GET_CONTEXT #define PERL_GET_CONTEXT ((void *)NULL)
#define PERL_GET_CONTEXT Perl_get_context()#define MEMBER_TO_FPTR(name) name
□ So, on conditional compilation expands to:
perl_get_context()->Tprotect((struct perl_thread *)Perl_get_context(), pcur_env, &ret, S_Vparse_body, env, xsinit);
You outsourced to the guy who wrote procmail didn’t you?!
□ If PERL_FLEXIBLE_EXCEPTIONS is not defined…
#define JMPENV_PUSH(v) JMPENV_PUSH_ENV(*(JMPENV*)pcur_env, v)
#define JMPENV_PUSH_ENV(ce, v) \STMT_START { \
if (!(ce).je_noset) { \DEBUG_1(Perl_deb(aTHX_ “Setting up jumplevel %p, was %p\
n”, \cl, PL_top_env)); \JMPENV_PUSH_INIT_ENV(ce, NULL) \EXCEPT_SET_ENV(ce, PerlProc_setjmp((ce).je_buf,
SCOPE_SAVES_SIGNAL_MASK)); \(ce).je_noset = 1; \
} \else \
EXCEPT_SET_ENV(ce, 0); \JMPENV_POST_CATCH_ENV(ce); \(v) = EXCEPT_GET_ENV(ce); \
} STMT_END
sigh
□ Does do { […] } while(0) not work somewhere??
#if defined(__GNUC__) && !defined(PERL_GCC_BRACE_GROUPS_FORBIDDEN) && !defined (__cplusplus)#define STMT_START (void) {#define STMT_END }
#else#if (VOIDFLAGS) && (defined(sun) || defined(__sun__)) && !defined(__GNUC__)
#define STMT_START if (1)#define STMT_END else (void)0
#else #define STMT_START do#define STMT_END while (0)
#endif#endif
…
□ We’re just gonna skip expanding Debug_1() and guess that it probably deals with debugging output…
#define JMPENV_PUSH_INIT_ENV(ce, THROWFUNC) \STMT_START { \
(ce).je_throw = (THROWFUNC); \(ce).je_ret = -1; \(ce).je_mustcatch = FALSE; \(ce).je_prev = PL_top_env; \PL_TOP_env = &(ce); \OP_REG_TO_MEM; \
} STMT_END
#define PL_top_env (aTHX->Ttop_env)
#ifdef OP_IN_REGISTER#define OP_REG_TO_MEM PL_opsave = op[…]#else#define OP_REG_TO_MEM NOOP#define PL_opsave (aTHX->Top_save)
Anyone wanna bet how many slides it takes to explain one line of PERL?
□ Almost there …
#define EXCEPT_SET_ENV(ce, v) ((ce).je_ret = (v))
#define JMPENV_POST_CATCH_ENV(ce) \STMT_START { \
OP_MEM_TO_REG; \PL_top_env = &(ce); \
} STMT_END
#define EXCEPT_GET_ENV(ce) ((ce).je_ret)
Huzzah! One line expanded!
□ seven slides later..□ Two of over a dozen possible conditional
compilations were explored□ We’ve successfully decoded *one line* of perl□ Except we haven’t, now we have to find out
where the function pointers get initialized…□ And of course, discover where the heck op came
from□ I don’t think an hour is long enough to cover just
PERL, much less PERL and Python
0xbadc0ded□ Undisclosed & unpatched
do { i_img *im = read_one_tiff(tif, 0); if (!im) break; if (++*count > result_alloc) { if (result_alloc == 0) { result_alloc = 5; results = mymalloc(result_alloc * sizeof(i_img *)); } else { i_img **newresults; result_alloc *= 2; newresults = myrealloc(results, result_alloc * sizeof(i_img *)); if (!newresults) { i_img_destroy(im); /* don't leak it */ break; } results = newresults; } } results[*count-1] = im; } while (TIFFSetDirectory(tif, ++dirnum));
0xbadc0ded
□ Undisclosed & unpatched
static i_img *read_one_rgb_tiled(TIFF *tif, int width, int height, int allow_incomplete) {
[...] uint32* raster = NULL;
[...] uint32 tile_width, tile_height;
i_color *line;
[...] TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tile_width); TIFFGetField(tif, TIFFTAG_TILELENGTH, &tile_height);
[...]
raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));[...]
line = mymalloc(tile_width * sizeof(i_color));
for( row = 0; row < height; row += tile_height ) { for( col = 0; col < width; col += tile_width ) {
/* Read the tile into an RGBA array */ if (myTIFFReadRGBATile(&img, col, row, raster)) {
[...]
0xbadc0ded
□ Undisclosed & unpatched
i_img *read_one_rgb_lines(TIFF *tif, int width, int height, int allow_incomplete) {
i_img *im; uint32* raster = NULL; uint32 rowsperstrip, row; i_color *line_buf; int alpha_chan; int rc;
im = make_rgb(tif, width, height, &alpha_chan);[...]
rc = TIFFGetField(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);[...]
raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));[...]
line_buf = mymalloc(sizeof(i_color) * width);
for( row = 0; row < height; row += rowsperstrip ) { uint32 newrows, i_row;
if (!TIFFReadRGBAStrip(tif, row, raster)) {
