Buffer Overflow

What is Buffer Overflow

Pushing data more than the capacity of a buffer

buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.

For example: - strcpy(target_buffer, large_string) - printf(str_ptr)

Buffer overflow types

Stack overflow Heap overflow Of By One overflow Function pointers Integer overflow Format string overflow Unicode overflow

Important note

WebApplications written in PHP, C#, VB, VB.NET, ASP.NET, Ruby-on-rails, server-side javascript and JSP are managed applications, and are not succeptable to memory corruption vulnerabilities such as stack buffer overflows or heap buffer overflows caused by bad web-application code

Buffer overflows tend to be the preserve of C/C++ applications, although other less common native languages such as Dephi and Fortran are also susceptible(unmanaged code)

Stack Buffer Overflow Example(first generetion)

For example, the following program declares a buffer that is 256 bytes long. However, the program attempts to fill it with 512 bytes of the letter “A” (0x41).

int i;void function(void){

char buffer[256]; // create a bufferfor(i=0;i<512;i++) // iterate 512 timesbuffer[i]=‘A’; // copy the letter A

}

Heap Buffer Overflow(Second Generation Exploits)

Here is a sample program with a heap overflow. The program dynamically allocates memory for two buffers. One buffer is filled with “A”s. The other one is taken in from the command line. If one types too many characters on the command line, an overflow will occur.

#include <stdio.h>#include <stdio.h>#include <stdlib.h>#include <string.h>void main(int argc, char **argv){

char *buffer = (char *) malloc(16);char *input = (char *) malloc(16);strcpy(buffer,"AAAAAAAAAAAAAAA");// Use a non-bounds checked functionstrcpy(input,argv[1]);printf(“%s”,buffer);

}

Off by One Attack(Second Generation Exploits)

The C language starts array indices at zero, which is not always intuitive for beginning programmers

This often leads to off-by-one errors in code that fills a buffer#include <stdio.h>int i;void vuln(char *foobar){

char buffer [512];for (i=0;i<=512;i++)buffer[i]=foobar[i];

}void main(int argc, char *argv[]){

if (argc==2)vuln(argv[1]);

}

How much damage could a one-byte exploit cause?

Function Pointers(second generation exploits)

Another second generation overflow involves function pointers. A function pointer occurs mainly when callbacks occur. If, in memory, a function pointer follows a buffer, there is the possibility to overwrite the function pointer if the buffer is unchecked. Here is a simple example of such code:#include <stdio.h>#include <stdlib.h>#include <string.h>int CallBack(const char *szTemp){

printf(“CallBack(%s)\n”, szTemp);Return 0;

}void main(int argc, char **argv){

static char buffer[16];static int (*funcptr)(const char *szTemp);funcptr = (int (*)(const char *szTemp))CallBack;strcpy(buffer, argv[1]); // unchecked buffer(int)(*funcptr)(argv[2]);

}

Format StringAttacks(Third Generation Exploits)

Format string vulnerabilities occur due to sloppy coding by software engineers. A variety of C language functions allow printing the characters to files, buffers, and the screen. These functions not only place values on the screen, but can format them as well.

Many C library functions produce formatted output using format strings (e.g. printf, fprintf, wprintf, sprintf, etc.)

These functions permit strings that have no format control to be printed (unfortunately):

char buffer[13] = “Hello, world!”;printf(buffer); /* Bad programmer! */printf(“%s”, buffer); /* Correct coding style */

The non-standard approach creates the possibility that an attacker will pass a format string rather than a string to print, which can be used to write to memory

Format String Attacks: Example

void vuln(char buffer[256]) {printf(buffer); /* Bad; good:printf(“%s”,buffer) */}int main(int argc, char *argv[]) {

char buffer[256] = “”; /* allocate buffer */if (2 == argc)strncpy(buffer, argv[1], 255);/* copy command line */vuln(buffer);return 0;

} If the user passes %X on the command line, then printf() will

receive a pointer to a string with “%X” in it on the stack Printf() will see the %X and assume there is another parameter

above it on the stack Whatever is above it on the stack will be printed in hexadecimal

Buffer overflow protection(Good coding style)

Use only the good form of printf(); never use printf(buffer) for any function in the printf family

Review loop bounds for off-by-one errors Avoid unsafe C functions (e.g. strcpy(), strcat(),

sprintf(), gets(), scanf()) and learn how to use alternatives (e.g. strncpy(), strncat(), snprintf())

Insert bounds checking code Avoid unsafe programming languages (C, C++)

and use more modern, safe languages wherever possible (Java, Ada, C# in managed mode)

Buffer overflow protection(Canaries in coal mines)

Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, the first data to be corrupted will be the canary, and a failed verification of the canary data is therefore an alert of an overflow, which can then be handled, for example, by invalidating the corrupted data Terminator canaries-Terminator Canaries use the observation that

most buffer overflow attacks are based on certain string operations which end at terminators. The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known. Even with the protection, an attacker could potentially overwrite the canary with its known value, and control information with mismatched values, thus passing the canary check code, this latter being executed soon before the specific processor return-from-call instruction.

Buffer overflow protection(Canaries in coal mines [4] )

Random canaries are randomly generated, usually from an entropy-gathering daemon, in order to prevent an attacker from knowing their value. Usually, it is not logically possible or plausible to read the canary for exploiting; the canary is a secure value known only by those who need to know it—the buffer overflow protection code in this case. Normally, a random canary is generated at program initialization, and stored in a global variable. This variable is usually padded by unmapped pages, so that attempting to read it using any kinds of tricks that exploit bugs to read off RAM cause a segmentation fault, terminating the program. It may still be possible to read the canary, if the attacker knows where it is, or can get the program to read from the stack.

Random XOR canaries-Random XOR Canaries are Random Canaries that are XOR scrambled using all or part of the control data. In this way, once the canary or the control data is clobbered, the canary value is wrong. Random XOR Canaries have the same vulnerabilities as Random Canaries, except that the 'read from stack' method of getting the canary is a bit more complicated. The attacker must get the canary, the algorithm, and the control data to generate the original canary for re-encoding into the canary he needs to use to spoof the protection. In addition, Random XOR Canaries can protect against a certain type of attack involving overflowing a buffer in a structure into a pointer to change the pointer to point at a piece of control data. Because of the XOR encoding, the canary will be wrong if the control data or return value is changed. Because of the pointer, the control data or return value can be changed without overflowing over the canary.

Notable examples

1. The Ping of death(изпращане на прекалено голям ping пакет, който довеждаше до buffer overflow). Позволява да се сринат различни операционни системи, чрез изпращане на деформиран „пинг“ пакет от всяко място в интернет.

2. The Morris (Internet worm of November 2, 1988) worm spread in part by exploiting a stack buffer overflow in the Unix finger server. [6]

3. The Witty worm (2004) spread by exploiting a stack buffer overflow in the Internet Security Systems BlackICE Desktop Agent. The Witty worm is a computer worm that attacks the firewall and other computer security products written by a particular company, Internet Security Systems (ISS) now IBM Internet Security Systems.[7]

4. The Slammer worm (January 25, 2003) spread by exploiting a stack buffer overflow in Microsoft's SQL server. [8]

5. The Blaster worm spread by exploiting a stack buffer overflow in Microsoft DCOM service. The Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread on computers running the Microsoft operating systems Windows XP and Windows 2000, during August 2003. [9]

6. The Twilight hack was made for the Wii by giving a lengthy character name for the horse ('Epona') in The Legend of Zelda: Twilight Princess. This caused a stack buffer overflow, allowing arbitrary code to be run on an unmodified system.[10]

Referals

1. http://en.wikipedia.org/wiki/Buffer_overflow2. http://en.wikipedia.org/wiki/Stack_buffer_overflow3. http://en.wikipedia.org/wiki/Heap_overflow4. http://

en.wikipedia.org/wiki/Buffer_overflow_protection5. Blended Attacks Exploits, Vulnerabilities and

Buffer-Overflow Techniques in Computer Viruses-By Eric Chien and Péter Ször

6. http://en.wikipedia.org/wiki/Morris_worm7. http://en.wikipedia.org/wiki/Witty_worm8. http://en.wikipedia.org/wiki/SQL_Slammer9. http://en.wikipedia.org/wiki/Blaster_worm10. http://en.wikipedia.org/wiki/Twilight_hack