How to find vulnerabilities in stripped binaries?
Do you just use tools like strace and a debugger to disassemble and find syscalls and then read the disassembly to find say for example a buffer overflow? Is that all you can do? I mean after all you don't have the source code.
If someone could shed some light on this particular topic I would be very grateful. Thank you. |
I'm curious what do you do if you find syscalls? Do you just not use those binaries, or contact the provider if you can?
|
I meant for example, finding a buffer overflow via memcpy.or someting similar.
|
Quote:
Not sure that finding memcpy or memmove commands or similar will give you enough insight. That's also not necessarily a security vulnerability, just code with a bug in it. Correct? |
Well, if you can tell by inserting strings of different lengths, you could find these calls in memcpy first, and verify.
|
Quote:
You have a binary executable, it does what it does and you have no idea what code is intended to perform. Once again you could be looking at uninitialized data and technically find all or part of a valid command. You have no idea if a particular code path will absolutely be executed. In fact, some code may never be used, or rarely be used. Either case, the limits for the addresses, contents, and length of the copy are entirely unknown to you. For instance when copying a new update out from a file system, like updating firmware, let's say the firmware is 512K long. How would you know? How would you know the address it goes too? How would you know the address it comes from, especially since it's probably a pointer to a temporarily mounted file system? Further, in doing something like an upgrade, I might copy it to a scratch location to perform an MD5 or other checksum on it, or I might be receiving it from a network location, thus same thing I'd be storing it maybe to a RAM table or other location prior to storing it into a NV location. Either case, you have no idea what the addresses are, they are references, not hard coded addresses usually. |
|
Quote:
|
So, Im wrong then in thinking you can load a program in the debugger, and trigger memcpy calls, to see if they overflow?
|
Fuzzing is basically what I'm talking about. Am I on the right track with that or no?
I was under the mpression I could spot a stack buffer overflow in disassembly in a debugger. At least I thought so anyway. |
Quote:
Quote:
Quote:
|
I looked at american fuzz lop, many of these programs seem like they have a steep learning curve. Any advice?
But can someone confirm for me whether you can spot a buffer overflow in a debugger in disassembly? |
Quote:
Quote:
|
@ntubski Good points.
@rtmistler Could describe what you mean by uninitialized memory? To elaborate further, I've read about virtual address space, and kernel address space. I've also read about Position-independent code. My other question is, What is the difference between the memory referenced in objdump and the memory referenced in a debugger or even just at run-time? |
Uninitialized memory is memory which doesn't have any particular data in it, was not specifically cleared, or set to a particular pattern. Thus the contents are usually random, or also remnants from other prior use.
|
All times are GMT -5. The time now is 10:52 AM. |