
Contents

    Exploit
    Running the Exploit
    Questions to be Explored
    Can the exploit run under Systrace?
    What is “normal” user behaviour for gawk?
    Which of the “normal” behaviour options provide additional system calls/change in the policy file?
    What are the most frequently used system calls, based on normal user behaviour?
    Does the policy depend on the contents of the file? Does the policy depend on the name of the file?
    Does running the exploit violate “normal” user behaviour?

Testing the GNU Awk Exploit

Exploit

GNU Awk (gawk) is a pattern scanning and processing language and an implementation of the AWK language. An exploitable stack overflow has been found in the product that allows attackers to execute arbitrary code by overflowing its internal buffers. The vulnerable version is 3.1.0.

Running the Exploit

Running the exploit is fairly simple:

1. Run gcc -o gawk gawk_expl.

2. Execute ./gawk

Questions to be Explored

1. Can the exploit run under Systrace? 

2. What is “normal” user behaviour for gawk? 

3. Which of the “normal” behaviour options provide additional system calls/change in the policy file? 

4. What are the most frequently used system calls, based on normal user behaviour? 

5. Does the policy depend on the contents of the file? 

6. Does the policy depend on the name of the file? 

7. Does running the exploit violate “normal” user behaviour?

8. What is the mapping between this anomaly rate and that of Systrace’s binary output?

Can the exploit run under Systrace?

Running the Exploit Under Regular Policy

    Behaviour                 Policy file name generated
    systrace -A gawk          usr_local_bin_gawk
    systrace -A ./gawk        bin_gawk & home_nbodorik_gawk (deleted)
    systrace -A /bin/gawk     bin_gawk
    systrace -A ./gawk        bin_gawk, policy added to (deleted)
    systrace -A /bin/gawk     bin_gawk
    systrace -a ./gawk        exploit not run & seven violations logged

Conclusion: The exploit can be properly run and executed under the IDS.

What is “normal” user behaviour for gawk?

Regular Application Behaviour

    Option                       Parameter       Use
    -F                           FS              Use the parameter as the input field separator
    -f                           PROGRAM-FILE    Read the source code from the file specified in the parameter
    -v                           VAR=VAL         Assign the variable the specified value before program execution
    --traditional or --compat                    Use compatibility (traditional) mode
    --lint                                       Give warnings about dubious or non-portable constructs
    --                                           Use POSIX compatibility mode
    --re-interval                                Allow interval expressions in regular expressions
    --source                     PROGRAM-TEXT    Use the text specified in the parameter as the source
    --                                           Signal the end of options
    INPUT-FILE                                   If no input file is specified, then the program is applied to the standard input

Basic function: pattern {action}

The purpose of gawk is to search a file for specific patterns and, based on the pattern matched, perform some action.

Which of the “normal” behaviour options provide additional system calls/change in the policy file?

Options System Calls Testing

Original policy generation: systrace -A gawk -f Program3

    Behaviour                              Additional policy generation
    -F G                                   (none)
    -v x=2                                 (none)
    --compat                               (none)
    --copyleft                             (none)
    -W (--help)                            (none)
    --lint                                 linux-getuid: permit
                                           linux-geteuid: permit
    --source="{print $1}"                  (none)
    --version                              (none)
    Errors in the program used with -f     linux-fsread: filename eq "/usr/lib/gconv/gconv-modules.cache" then permit

Conclusions: The --lint option provides additional system calls, as does running gawk with a program file that contains errors.

What are the most frequently used system calls, based on normal user behaviour?

System Call Frequency

Tested on: strace -S calls -o frequency -c gawk -f Program -- Hours

Program contents:

    {print $1 $2}

    System call     Calls   % time
    fstat64         13      1.26
    old_mmap        10      1.96
    open            8       3.23
    read            7       2.53
    close           7       0.77
    brk             7       0.77
    write           6       85.82
    ioctl           4       0.56
    rt_sigaction    3       0.35

Conclusions: Of the nine system calls, the write system call accounts for the majority of the system call time. However, across the three system call frequency runs the times fluctuated, and the write system call did not consistently hold the majority of the time, although it was seen in each of the tests.

System Call Frequency

Tested on: strace -S calls -o frequency2 -c gawk -f Program2 -- Hours

Program contents:

    {print "Employee name: " $1 "\t\tPay: " $2}
    { if ( $1 == "Amber" ) {"Amber worked " $3 " hours"}
      if ( $1 == "Bob" ) {print "Bob worked " $3 " hours"}
      else {print "Employee named " $1 " worked " $3 " hours"} }

    System call     Calls   % time
    fstat64         13      0.64
    write           12      82.07
    old_mmap        10      0.61
    brk             9       1.58
    open            8       0.93
    read            7       2.03
    close           7       0.2
    ioctl           4       0.1
    rt_sigaction    3       0.11

Conclusions: In both runs, a total of 15 distinct system calls are executed. Of the 15 system calls, more than 85% had no change in the number of calls made (fstat64, old_mmap, open, read, close, ioctl, rt_sigaction, munmap, _llseek, mmap2, fcntl64, and set_thread_area). The two system calls whose call counts changed were write and brk. This was run more than 20 times, and although there were obvious and expected changes in the timing of the calls, the number of calls was consistent.

Does the policy depend on the contents of the file? Does the policy depend on the name of the file?

System Call Frequency

Tested on: strace -S calls -o frequency -c gawk -f Program -- Hours

Program contents: the following was added to the Program:

    BEGIN{x = 0}
    { if ($3 == 0) {x = x+1} }
    END{print x " people didn't work this week"}

    System call     Calls   % time
    write           13      95.34
    fstat64         13      1.13
    old_mmap        10      0.5
    brk             9       0.22
    open            8       0.95
    read            7       0.68
    close           7       0.21
    ioctl           4       0.13
    rt_sigaction    3       0.1

Conclusions: The system calls executed by gawk appear to be generally consistent and do not change with the contents of the program file. However, these were basic functions, so this might not hold for complex program files.

File Name and File Contents Testing

Restarting syslog: /etc/init.d/syslog restart

Run 1: trained on Program2, Hours; enforced on Program2, Hours
  Logged errors: 13 out of 100 (13%) produced the following error:
    Jun 8 12:24:03 NatashaBodorik kernel: application bug: systrace(4622) has SIGCHLD set to SIG_IGN but calls wait(). (see the NOTES section of 'man 2 wait'). Workaround activated.

Run 2: trained on Program2, Hours; enforced on Program3, Hours
  Logged errors:
    Jun 8 12:21:00 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 4579(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /home/nbodorik/Program3
    Jun 8 12:21:00 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 4579(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /usr/local/share/Program3
    Jun 8 12:21:00 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 4579(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /home/nbodorik/Program3

Run 3: trained on Program2, Hours; enforced on Program2, Hours (the program has the same name, but different contents)
  Logged errors: none

Run 4: trained on Program2, Hours; enforced on Program2, Hours2 (the text file has the same contents, but a different name)
  Logged errors:
    Program2:7: fatal: cannot open file 'Hours2' for reading (Operation not permitted)
    Jun 8 13:59:18 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 5194(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /home/nbodorik/Hours2

Conclusions: As seen in the System Call Frequency test, no additional system calls are made depending on the contents of the file. The purpose of this test, however, was to see whether those system calls carry parameter constraints that Systrace would pick up on. The results show that the policy depends on the name of the program file (a different program name is denied), while a program with the same name but different contents produces no logged errors. Likewise, the policy depends on the name of the text (input) file but not on its contents.

Does running the exploit violate “normal” user behaviour?

Exploit Testing

Policy used: systrace -A /bin/gawk --lint -f Program3 -- Hours

Logged errors:
    Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-newuname(122), args: 68
    Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-fsread(5), filename: /proc/sys/kernel/osrelease
    Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-writev(146), args: 68
    Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-exit_group(252), args: 68
    Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-ni_syscall-1exit(1), args: 68

Conclusions: The exploit violates normal user behaviour and produces five logged errors.
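The systrace deny lines quoted in the file-name test and in the exploit test above share one format, so they can be parsed and tallied rather than read by hand. The following Python is an added example, not part of the report: it groups denials per policy and keeps the filter count, since a line reporting filters: 0 (the exploit run's /home/nbodorik/gawk policy) means the enforced policy carried no trained rules at all. The sample syslog lines are constructed from the report's own excerpts.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the report; the
# kernel line is included to show that non-systrace noise is skipped.
SAMPLE_SYSLOG = """\
Jun 8 12:21:00 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 4579(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /home/nbodorik/Program3
Jun 8 12:21:00 NatashaBodorik systrace: deny user: nbodorik, prog: /usr/local/bin/gawk, pid: 4579(0)[0], policy: /usr/local/bin/gawk, filters: 23, syscall: linux-fsread(5), filename: /usr/local/share/Program3
Jun 8 12:24:03 NatashaBodorik kernel: application bug: systrace(4622) has SIGCHLD set to SIG_IGN but calls wait().
Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-newuname(122), args: 68
Jun 8 13:52:42 NatashaBodorik systrace: deny user: nbodorik, prog: /home/nbodorik/gawk, pid: 5150(0)[0], policy: /home/nbodorik/gawk, filters: 0, syscall: linux-fsread(5), filename: /proc/sys/kernel/osrelease
"""

DENY_RE = re.compile(r"systrace: deny (?P<fields>.+)$")
SYSCALL_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)\((?P<num>-?\d+)\)$")

def parse_deny(line):
    """Split one 'systrace: deny' line into its key/value fields, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = {}
    for field in m.group("fields").split(", "):
        key, _, value = field.partition(": ")
        rec[key] = value
    # filters: 0 means the policy being enforced carried no trained rules
    rec["filters"] = int(rec["filters"])
    sc = SYSCALL_RE.match(rec["syscall"])
    rec["syscall_name"], rec["syscall_num"] = sc.group("name"), int(sc.group("num"))
    return rec

def summarize_denials(log_text):
    """Per policy: its filter count, denied syscalls and the filenames involved."""
    per_policy = {}
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None:
            continue  # kernel messages and other daemons
        entry = per_policy.setdefault(
            rec["policy"], {"filters": rec["filters"], "denied": Counter(), "files": set()})
        entry["denied"][rec["syscall_name"]] += 1
        if "filename" in rec:
            entry["files"].add(rec["filename"])
    return per_policy
```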

Exploit System Call Frequency

Tested on: strace -S calls -o exploitfrequency -c ./gawk

    System call     Calls   % time
    open            25      30.12
    old_mmap        15      8.95
    brk             14      3.28
    fstat64         12      3.4
    write           8       7.47
    close           8       3.28
    read            6       7.59
    munmap          3       3.17

Foreign system calls: getgroups32, execve

Conclusions: Two of the exploit's system calls are foreign, that is, not seen in the “normal” behaviour described above. This means that, whatever the vulnerability analysis tool did, it could not produce a pattern of system calls that would allow the exploit to run under the trained policy, although it could still decrease the anomaly rate. Again, the system call tests were only done on simple instances, and additional functionality of the application might produce a policy addition (additional system calls) that permits these system calls.
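To make the foreign-syscall comparison above repeatable, the following Python is an added example (not from the report) that parses two strace -c summaries, lists the syscalls absent from the trained profile and the change in call counts for the shared ones, and computes an anomaly rate. The rate definition (fraction of the run's calls that hit foreign syscalls) is this example's own assumption, as are the time columns and the getgroups32/execve counts in the constructed samples.

```python
# Constructed strace -c summaries in strace's table layout; the call counts
# of named syscalls are the report's, times and getgroups32/execve are made up.
NORMAL_RUN = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 85.82    0.000250          41         6           write
  3.23    0.000009           1         8         2 open
  2.53    0.000007           1         7           read
  1.96    0.000006           1        10           old_mmap
  1.26    0.000004           0        13           fstat64
  0.77    0.000002           0         7           brk
------ ----------- ----------- --------- --------- ----------------
100.00    0.000278                    51         2 total
"""
EXPLOIT_RUN = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 30.12    0.000500          20        25         9 open
  8.95    0.000150          10        15           old_mmap
  7.47    0.000120          15         8           write
  3.40    0.000055           5        12           fstat64
  3.28    0.000055           4        14           brk
  1.00    0.000020          20         1           getgroups32
  0.90    0.000015          15         1           execve
------ ----------- ----------- --------- --------- ----------------
100.00    0.000915                    76         9 total
"""
def parse_strace_summary(text):
    """Map syscall name -> call count from an strace -c summary table."""
    calls = {}
    for line in text.splitlines():
        tok = line.split()
        # data rows have 5 tokens (no errors column) or 6; skip header/rules/total
        if len(tok) not in (5, 6) or not tok[0][0].isdigit() or tok[-1] == "total":
            continue
        calls[tok[-1]] = int(tok[3])
    return calls

def foreign_syscalls(baseline, run):
    """Syscalls the run made that never appeared in the trained profile."""
    return set(run) - set(baseline)

def count_deltas(baseline, run):
    """Change in call count for the syscalls present in both profiles."""
    return {n: run[n] - baseline[n] for n in run if n in baseline}

def anomaly_rate(baseline, run):
    """Assumed metric: fraction of the run's calls that hit foreign syscalls."""
    total = sum(run.values())
    return sum(run[n] for n in foreign_syscalls(baseline, run)) / total if total else 0.0
```

Feeding several normal runs through parse_strace_summary and merging the keys before the comparison gives the union profile the report's question 8 is asking about.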
