Buffer overflow Vulnerability

AbdElsamie Bousba M02 RSI

Introduction:

Since the 80s, buffer overflow has been responsible for many severe attacks, yet we
are today unable to solve it once and for all, we will get to know this vulnerability and
its impacts and the prevention and mitigation of it.

Before buffer overflow:

These are must-knows concepts before diving into the world of buffer overflows

● Terms

Vulnerability Exploit Attack Payload

Definition A weakness in a A tool or A sequence of The malicious

system or network technique used events that component or code
that can be exploited to take uses an exploit delivered by an exploit
to gain unauthorized advantage of a to gain during a successful
access or cause vulnerability. unauthorized attack, achieving the
harm. access or cause goal.
harm.

Example A weak password, a A buffer A hacker using Malware installation,

software bug, a overflow attack, a buffer unauthorized access,
configuration error a SQL injection overflow exploit data theft
attack, a to gain access
cross-site to a system
scripting attack

Impact Can be exploited to Can be used to Can cause Varies based on the
gain unauthorized gain significant attacker's goals and the
access, cause data unauthorized damage to a nature of the payload
loss, or disrupt access, install system or
operations malware, or network
steal data

● Knows malware that uses buffer overflow Vulnerability

● Morris Worm (1988)

● WannaCry (2017)
 ● SQL Slammer ( 2003 )
● Heartbleed ( 2014 )
● WhatsApp VoIP ( 2019 )
● SigRed ( 2020 )
● Fortinet ( 2023 )

● How the CPU works and executes instructions

Figure1: the Fetch-Decode-Execute cycle

The Fetch-Decode-Execute cycle, a fundamental concept in computer architecture. Here's a

brief overview:

● Fetch:

- The CPU fetches the next instruction from the computer's memory. The instruction is
typically located at the address pointed to by the program counter (PC).
- The program counter is a register that keeps track of the memory address of the next
instruction to be executed.

● Decode:

- The fetched instruction is decoded to understand what operation needs to be

performed.
- The instruction is broken down into its opcode (operation code) and operands,
determining the nature of the operation to be executed.

● Execute:
 - The CPU carries out the decoded instruction by performing the specified operation.
This could involve arithmetic and logic operations, data transfers between registers
and memory, or control flow instructions.
- The result of the execution may be stored in registers, memory, or other designated
locations.

● What is the Stack and the Heap sections in RAM

Figure2: The stack Frame

● Stack section

The stack is a region of a computer's memory allocated for function calls and local
variables. It operates in a Last-In-First-Out (LIFO) manner, The stack manage function calls
and maintaining local variables during program execution, Each function call creates a new
stack frame, which includes information such as the function's parameters, local variables,
return address, and the state of certain registers.
In figure 2 we can take a look at the stack frame content. One of the most important pieces
of information in the stack frame is the return address ( EIP register ) which holds the
address of the next instruction to be executed. In the context of a stack frame, it is crucial
for managing the flow of program execution.

● Heap Section

The heap is another area of memory used for dynamic memory allocation during a program's
runtime. It is a region where the program can request and manage memory space
dynamically, unlike the stack, which operates in a more structured, last-in, first-out manner.

Buffer overflow Vulnerability

First, a “buffer” is anything that prevents two things from colliding, in the programming
context it is an intermediate, temporary storage area.
Buffer overflow: This vulnerability occurs when a program writes more data to a buffer than
it has been allocated.
Figure 3: Buffer overflow example
Buffer overflow types
Stack-Based Buffer Overflow
Location In a stack-based buffer overflow, the buffer
that is overflowed is located on the program's
call stack.
Cause Typically caused by improper input validation
and unchecked buffer lengths within
functions that handle user input.
Exploitation Attackers often overwrite the return address
or function pointers on the stack to redirect
the program's execution to a malicious
payload injected by the attacker.
Heap-Based Buffer Overflow
In a heap-based buffer overflow, the
buffer that is overflowed is located
in the heap, which is a region of
memory used for dynamic memory
allocation during a program's
runtime.
Typically occurs when dynamic
memory allocation functions (e.g.,
malloc) are not properly validated,
allowing an attacker to write more
data to a dynamically allocated
buffer than it can hold.
Attackers can manipulate the
memory allocation data structures
or overwrite function pointers
stored in the heap to execute
malicious code.
How to exploit Buffer overflow vulnerability

There is a methodology to exploit the buffer overflow vulnerability:

● Spiking:

Objective: To determine if a target application is vulnerable to buffer overflows.

Process: Send a series of specially crafted payloads (spikes) to the application, observing its
response for signs of vulnerability, such as crashes or unexpected behavior.
Outcome: Identifies potential areas of weakness in the application where further analysis is
warranted.

● Fuzzing:

Objective: To systematically test the application by inputting a large volume of random or

specially crafted data.
Process: Automate the process of input generation and monitor the application for
unexpected responses, crashes, or anomalies.
Outcome: Helps uncover vulnerabilities by putting the application under stress with a variety
of input scenarios.

● Finding Offset (Crash Replication & Controlling EIP):

Objective: Identify the exact point in the input where the application crashes and understand
the relationship between the input and the program's execution.
Process: Modify the input payload systematically and observe how the application responds
until a crash is replicated.
Outcome: Determines the offset, or the distance from the start of the input to the point of the
crash. Controlling the EIP (Extended Instruction Pointer) becomes crucial for crafting a
successful exploit.

● Finding Bad Characters:

Objective: Identify characters that may interfere with the payload or cause unintended
behavior.
Process: Send a series of payloads with different characters and observe which ones are
incorrectly processed or sanitized by the application.
Outcome: Establish a set of "bad characters" that should be avoided in the final payload.
Finding a Jump Point:
Objective: Identify a memory address (jump point) to redirect the program's execution to the
attacker's controlled payload.
Process: Analyze the application's code and libraries to find suitable memory addresses or
gadgets that can be used for redirection.
Outcome: Determines a point in the program's memory that can be leveraged to execute the
attacker's code.

● Generate Payload:

Objective: Create a payload that takes advantage of the identified vulnerability to execute
arbitrary code.
Process: Craft a payload that considers the identified offset, avoids bad characters, and
directs the program's execution to the chosen jump point.
Outcome: The payload is a piece of code designed to be injected into the vulnerable
application to exploit the buffer overflow.

● Exploit:

Objective: Execute the crafted payload to take control of the application or system.
Process: Inject the payload into the vulnerable application using the identified buffer
overflow, triggering the desired behavior.
Outcome: The attacker gains control over the application's execution, allowing for
unauthorized actions, data theft, or further compromise.

Prevention and mitigation of Buffer Overflows

Preventing and mitigating buffer overflows is crucial for maintaining the security of software
systems. Here are several strategies and best practices:

● What developer should do to prevent Buffer Overflows:

Input Validation and Bounds Checking:

Validate and sanitize all user input to ensure it adheres to expected data formats and
lengths.
Implement bounds checking to ensure that data written to buffers does not exceed the
allocated space.

Use Safe Programming Languages:

Choose programming languages that include built-in safety mechanisms, such as array
bounds checking. Languages like Rust and Java provide memory safety features that can
help prevent buffer overflows.
Secure Coding Practices:

Adhere to secure coding practices, including proper use of functions like strcpy_s, strncpy, or
snprintf instead of potentially unsafe counterparts like strcpy.
Avoid using unsafe functions and prefer safer alternatives that automatically handle buffer
sizes.

Compiler Security Flags:

Compile code with security flags provided by the compiler, such as those available in GCC
(-fstack-protector, -D_FORTIFY_SOURCE), to enhance protection against buffer overflows.

Use Memory-safe Libraries:

Utilize memory-safe libraries and functions that have built-in protections against buffer
overflows. For example, use the strncpy_s function instead of strcpy.

● What operation systems are doing to prevent and mitigate buffer overflows:

Address Space Layout Randomization (ASLR):

Utilize ASLR to randomize the memory addresses used by system and application
components, making it more challenging for attackers to predict the location of critical
structures.

Data Execution Prevention (DEP):

Enable DEP to prevent the execution of code in specific regions of memory, making it harder
for attackers to execute injected malicious code.

● What Intel is doing to prevent buffer overflows:

Intel Shadow Stack technology is a hardware-based security feature introduced in the

Sapphire Rapids generation of Xeon processors (launched in January 2023) that aims to
prevent certain types of cyberattacks, particularly those exploiting buffer overflows and
return-to-libc vulnerabilities.
References

https://www.fortinet.com/resources/cyberglossary/buffer-overflow

https://web.archive.org/web/20230303045438/https://manybutfinite.com/post/anatomy-of-
a-program-in-memory/

https://www.tenouk.com/ModuleW.html

https://www.spiceworks.com/it-security/application-security/articles/what-is-buffer-overflo
w-attack/

https://www.cobalt.io/blog/pentester-guide-to-exploiting-buffer-overflow-vulnerabilities