The proficiency to unravel the complexities of a target software is called reverse engineering or just reversing. Software attackers manipulate or break the target program functionality in an unusual way resorting to some special tools often users. This article is discussing how a security bug for instance, ‘Format String’ can be spotted without source and furthermore, exploited by hackers by understanding or auditing disassembled code of the binary. However, the binary using in this article would be bug-free altogether.
To uncover format string or any other bugs without source code access, is typically consider to be decompilation process of a software which enables to evaluate the flow of a program written in Assembly languages, as well as manipulating the default program behavior (PE files) resorting to couple of advanced tools like as IDA Pro, Immunity Debugger, Hex coder etc. Finally, the FileOpen.exe utility on the ground that articles drafted is entitled to perform the lab exercise.
Reversing is the process of creating a blueprint of software to understand its behavior which involves technical knowledge such as its routine, internals architecture, and its construction. White box testing, the part of Reversing, used to search throughout the software code seeing for certain insecure coding practice, and the code can be traced backward to spot how a hacker could call into that code. As an exercise, we explore FileOpen.exe utility for Format String Vulnerability which typically opens up the contents of a text file at the command prompt. If we have the source code, a common way to find security vulnerability is to search for misused methods. As an analogy, let’s consider that we are apparently unknown which programming language that utility is written and compiled to. Instead, we just have the executable and suspect it to be inbuilt format string bug. The following screenshot simply displaying the contents of a .txt file as following:
Figure 1: Demo.txt file output
To ensure the security of software, source code often keeps private. But if you don’t have access to source code of software on the other hand, how do figure out which function creating problem indeed. Even without source, we could still perform code analysis by identifying essentials function using advance decompilation tools. Because disassemblers recognize the assembly instructions that make up these functions. Thus, we can disassemble the binary to apprehend better whether or how such function is being employed. The following section shows how to spot Format String bug without access to source code.
First load or disassemble the binary FileOpen.exe using IDA Pro tool to identifying the commonly responsible functions printf and strcpy for Format String Bug. Once the IDA code auto-analysis is finished, you can distinguish such dangerous function using Function Windows.
Figure 2: IDA Name view
Identifying Unsafe Methods
Since format string attack usually executed by manipulating parameters of printf method. For a detailed analysis of this bug, refer to this article http://resources.infosecinstitute.com/format-string-bug-exploration. Thus, it is required to investigate any unsafe calling in any manner of this method. Hence, double click on the line 0x00401149 in figure 3 as following:
Figure 3: IDA Function view
This act moves on to disassembly window on the line 00401149 where we shall be confronted with lots of assembly code as following:
Figure 4: IDA Function view
If a reverse engineer could anyhow control the szVariable of printf method, then he could successfully fulfill his intention as the second variable is usually vulnerable to this bug. Later on, press CTRL + X on the line where the cursor is repeatedly blinking in figure 4. Then, the cross reference (XREFS) windows would appear along with the list of numerous calls to the printf method as following:
Figure 5: Calls to printf method
Now, double click on the selected row in figure 5 (However, that procedure shall be repeated in the forthcoming section), the IDA Pro yields the first place printf is called with only one parameter because only one PUSH operation comes before making this call, consider the following output as:
Figure 6: printf calling place
Hackers can’t control or manipulate constant string used in the program. In figure 6, the constant string “Could not…” is being pushed onto stack as you can ensure that it is from a read-only segment by pressing SHIFT + F7 as following:
Figure 7: Segment table for Read-only checking
Further, repeat the same earlier process to view the second call of printf method. It is similar to the first step yet again where constant string is being used as following
Figure 8: second calling of printf method
Ethical Hacking Training – Resources (InfoSec)
The third call is a little bit different, as there are two PUSH before the call to printf method. Here, the second PUSH is indicating the first parameter of printf method, as the parameter is formatted with %s in the first parameter as following:
Figure 9: third calling of printf method
The fourth and fifth call to printf method don’t show anything special, finally in the sixth call too:it doesn’t appear to be a constant string. So, it is literally proved that this code is not vulnerable to Format String Bug:
Figure 10: sixth calling of printf method
Furthermore, you could check it by yourself by supplying some irrelevant or rouge argument during input to exploit format string bug as hackers typically perform, but we haven’t observed any bizarre output as following:
Reversing performs to obtain all the code details of a binary for both offensive and defensive intention. It is a good idea to perform black hat reversing operation by your own, to ensure the security of your product before launching it. As through this paper, it is not necessary to have the entire source code or symbol to perform an analysis of suspicious method, regarding detecting vulnerability of a binary. In this article, we have duly confirmed about the freeness of this executable bygone through all the printf methods to spot format string bug owing to IDA Pro disassembled the code.