Reverse engineering

Reversing Binary: Spotting Bug without Source Code

AJ Kumar
September 27, 2016 by
AJ Kumar

Abstract

The proficiency to unravel the complexities of a target software is called reverse engineering or just reversing. Software attackers manipulate or break the target program functionality in an unusual way resorting to some special tools often users. This article is discussing how a security bug for instance, 'Format String' can be spotted without source and furthermore, exploited by hackers by understanding or auditing disassembled code of the binary. However, the binary using in this article would be bug-free altogether.

Essentials

To uncover format string or any other bugs without source code access, is typically consider to be decompilation process of a software which enables to evaluate the flow of a program written in Assembly languages, as well as manipulating the default program behavior (PE files) resorting to couple of advanced tools like as IDA Pro, Immunity Debugger, Hex coder etc. Finally, the FileOpen.exe utility on the ground that articles drafted is entitled to perform the lab exercise.

Binary Analysis

Reversing is the process of creating a blueprint of software to understand its behavior which involves technical knowledge such as its routine, internals architecture, and its construction. White box testing, the part of Reversing, used to search throughout the software code seeing for certain insecure coding practice, and the code can be traced backward to spot how a hacker could call into that code. As an exercise, we explore FileOpen.exe utility for Format String Vulnerability which typically opens up the contents of a text file at the command prompt. If we have the source code, a common way to find security vulnerability is to search for misused methods. As an analogy, let's consider that we are apparently unknown which programming language that utility is written and compiled to. Instead, we just have the executable and suspect it to be inbuilt format string bug. The following screenshot simply displaying the contents of a .txt file as following:

Figure 1: Demo.txt file output

Identifying Flaws

To ensure the security of software, source code often keeps private. But if you don't have access to source code of software on the other hand, how do figure out which function creating problem indeed. Even without source, we could still perform code analysis by identifying essentials function using advance decompilation tools. Because disassemblers recognize the assembly instructions that make up these functions. Thus, we can disassemble the binary to apprehend better whether or how such function is being employed. The following section shows how to spot Format String bug without access to source code.

First load or disassemble the binary FileOpen.exe using IDA Pro tool to identifying the commonly responsible functions printf and strcpy for Format String Bug. Once the IDA code auto-analysis is finished, you can distinguish such dangerous function using Function Windows.

Figure 2: IDA Name view

Identifying Unsafe Methods

Since format string attack usually executed by manipulating parameters of printf method. For a detailed analysis of this bug, refer to this article https://resources.infosecinstitute.com/format-string-bug-exploration. Thus, it is required to investigate any unsafe calling in any manner of this method. Hence, double click on the line 0x00401149 in figure 3 as following:

Figure 3: IDA Function view

This act moves on to disassembly window on the line 00401149 where we shall be confronted with lots of assembly code as following:

Figure 4: IDA Function view

If a reverse engineer could anyhow control the szVariable of printf method, then he could successfully fulfill his intention as the second variable is usually vulnerable to this bug. Later on, press CTRL + X on the line where the cursor is repeatedly blinking in figure 4. Then, the cross reference (XREFS) windows would appear along with the list of numerous calls to the printf method as following:

Figure 5: Calls to printf method

Now, double click on the selected row in figure 5 (However, that procedure shall be repeated in the forthcoming section), the IDA Pro yields the first place printf is called with only one parameter because only one PUSH operation comes before making this call, consider the following output as:

Figure 6: printf calling place

Hackers can't control or manipulate constant string used in the program. In figure 6, the constant string "Could not…" is being pushed onto stack as you can ensure that it is from a read-only segment by pressing SHIFT + F7 as following:

Figure 7: Segment table for Read-only checking

Further, repeat the same earlier process to view the second call of printf method. It is similar to the first step yet again where constant string is being used as following

Figure 8: second calling of printf method

The third call is a little bit different, as there are two PUSH before the call to printf method. Here, the second PUSH is indicating the first parameter of printf method, as the parameter is formatted with %s in the first parameter as following:

Figure 9: third calling of printf method

The fourth and fifth call to printf method don't show anything special, finally in the sixth call too:it doesn't appear to be a constant string. So, it is literally proved that this code is not vulnerable to Format String Bug:

Figure 10: sixth calling of printf method

Furthermore, you could check it by yourself by supplying some irrelevant or rouge argument during input to exploit format string bug as hackers typically perform, but we haven't observed any bizarre output as following:

Conclusion

Reversing performs to obtain all the code details of a binary for both offensive and defensive intention. It is a good idea to perform black hat reversing operation by your own, to ensure the security of your product before launching it. As through this paper, it is not necessary to have the entire source code or symbol to perform an analysis of suspicious method, regarding detecting vulnerability of a binary. In this article, we have duly confirmed about the freeness of this executable bygone through all the printf methods to spot format string bug owing to IDA Pro disassembled the code.

References

[1] http://www.openrce.org

[2] http://www.pravaraengg.org.in/Download/MA/assembly_tutorial.pdf

[3] http://reversingproject.info/?page_id=108

[4] http://securityaffairs.co/wordpress/46606/hacking/software-reverse-engineering-process-basics.html

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

[5] https://resources.infosecinstitute.com/format-string-bug-exploration/

AJ Kumar
AJ Kumar

AJ Kumar is a Cyber security evangelist, has a great passion for open source programming, IT security, bug detection, penetration testing, and assembly language on diverse platforms including Windows and Linux. He can be reached via ajkumarhv[at]gmail[dot]com;