
Buffer Overflow

What is buffer overflow?
A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

In July 2000, a vulnerability to buffer overflow attack was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the integrity of the target computer simply by sending it an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact, the user did not even have to open the message to enable the attack. The programs' message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data, which allowed them to execute whatever type of code they desired on the recipient's computers. Because the process was activated as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend against. Microsoft has since created a patch to eliminate the vulnerability.

Buffer overflows are a favorite exploit for hackers. The vast majority of Microsoft's available patches fix unchecked buffer problems, but what about applications developed in-house? They are just as susceptible as commercial applications to buffer overflow attack. It is therefore critical that you understand how these attacks work and perform vulnerability testing on your home-grown applications prior to deployment.

What is a buffer overflow attack?
A buffer overflow is an exploit that takes advantage of a program that is waiting on a user's input. There are two main types of buffer overflow attacks: stack based and heap based. Heap based attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. Stack-based buffer overflows are by far the most common and are the type I will focus on in this tip. In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user's input is placed on top of it. When the stack is processed, the user's input gets sent to the return address specified by the program.

However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user's input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn't a huge problem, but it becomes a huge security hole when combined with malicious input.

For example, suppose a program is waiting for a user to enter his or her name. Rather than enter the name, the hacker would enter an executable command that exceeds the stack size. The command is usually something short. In a Linux environment, for instance, the command is typically EXEC("sh"), which tells the system to open a command prompt window, known as a root shell in Linux circles.

Yet overflowing the buffer with an executable command doesn't mean that the command will be executed. The attacker must then specify a return address that points to the malicious command. The program partially crashes because the stack overflowed. It then tries to recover by going to the return address, but the return address has been changed to point to the command specified by the hacker. Of course this means that the hacker must know the address where the malicious command will reside. To get around needing the actual address, the malicious command is often padded on both sides by NOP instructions, a type of pointer. Padding on both sides is a technique used when the exact memory range is unknown. Therefore, if the address the hacker specifies falls anywhere within the padding, the malicious command will be executed.

The last part of the equation is the executable program's permissions. As you know, most modern operating systems have some sort of mechanism to control the access level of the user who's currently logged on. Executable programs typically require a higher level of permissions than the user who's currently logged on, and are therefore run either in kernel mode or with permissions inherited from a service account. When a stack overflow attack runs the command found at the new return address, the program thinks it is still running. This means that the command prompt window that has been opened is running with the same set of permissions as the application that was compromised. Generally speaking, this often means that the attacker will gain full control of the operating system.

Solution:

1. Avoid using library files included with the compiler
Library files are commonly included with a programming language. Libraries are also inherently insecure: for the longest time libraries offered a quick-and-easy way to accomplish a task with little regard for secure coding. This was especially true of the C++ programming language. Programs coded in C++ that rely on the standard libraries are very susceptible to run-time errors, a dream come true for hackers looking for a buffer exploit. If a hacker finds a weakness with a particular library file, any application that includes that particular library file also has the weakness. Although newer compilers are starting to include more securely written library files, if a hacker wants to exploit a home-grown application, he will often start by trying to exploit known weaknesses in commonly-used libraries.

2. Qualify all user input
To qualify all user input in home-grown applications, first make sure the input string is a valid length. For example, suppose your program is designed to accept 50 characters of text and add them to a database. If the user enters 75 characters, then they have entered more text than the database record can accommodate. User input should be designed so that when a user enters a text string, the length of the string is compared against the maximum allowed input and truncated if necessary.

3. Filter potentially malicious input
Filtering is another good defense technique. The idea is to filter out HTML code and characters that may cause problems with the database. For example, take a look at the ASP code below:

    'Filter out HTML code.
    strNewString = Request.Form("Review")
    'Replace the ampersand first, so the entities inserted below are not escaped a second time.
    strNewString = Replace(strNewString, "&", "&amp;")
    strNewString = Replace(strNewString, "<", "&lt;")
    strNewString = Replace(strNewString, ">", "&gt;")
    'Apostrophes and double quotes are swapped for backticks.
    strNewString = Replace(strNewString, "'", "`")
    strNewString = Replace(strNewString, chr(34), "``")

The code above is used for an e-commerce Web site that I am currently developing. I am filtering out the greater than and less than sign, apostrophes and quotation marks from the user's input. HTML code uses the < and > characters to designate an HTML tag, so filtering them prevents users from embedding HTML code in their input. In ASP code, the apostrophe, quotation mark and ampersand symbols are all reserved symbols. These reserved symbols cannot be included within a user's input or they will cause the application to crash. For example, if someone used an apostrophe within a line of text that was to be committed to a database, the command would fail because ASP requires apostrophes around the text being committed to the database. ASP wouldn't know what to do with the user's apostrophe. To prevent this from happening, my code is searching the input string for an apostrophe and replacing it with the ` symbol.

4. Test applications
Qualifying and filtering user input goes a long way toward protecting you against buffer overrun attacks. But you still need to thoroughly test any application prior to deployment. Have a group of people go through the program with a fine-toothed comb and try to crash the program. Have them try entering long strings or reserved characters. If you have done a good job coding the application, it should hold up to the abuse. If the program does break, it's better to find out now than after the program has gone live.

Example:
The C programming language does not perform automatic bounds checking on arrays or pointers as many other languages do. In addition, the standard C library is filled with a handful of very dangerous functions.

    gets(char *s)                                    May overflow the s buffer
    strcpy(char *dest, const char *src)              May overflow the dest buffer
    strcat(char *dest, const char *src)              May overflow the dest buffer
    getwd(char *buf)                                 May overflow the buf buffer
    [vf]scanf(const char *format, ...)               May overflow its arguments
    realpath(char *path, char resolved_path[])       May overflow the path buffer
    [v]sprintf(char *str, const char *format, ...)   May overflow the str buffer

The following example code contains a buffer overflow designed to overwrite the return address and skip the instruction immediately following the function call.

    #include <stdio.h>
    #include <string.h>   /* strcpy lives here */

    /* Copies the caller's input into an 80-byte stack buffer with no bounds
       check: input of 80 bytes or more runs past newbuffer and over the
       saved return address. */
    void manipulate(char *buffer) {
      char newbuffer[80];
      strcpy(newbuffer, buffer);
    }

    int main() {
      char ch, buffer[4096];
      int i = 0;
      /* Reads one line from stdin; the loop places no bound on i either. */
      while ((buffer[i++] = getchar()) != '\n') {}
      i = 1;
      manipulate(buffer);
      i = 2;   /* the instruction the overflow is designed to skip */
      printf("The value of i is : %d\n", i);
      return 0;
    }
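As an added example, not code from the original tip, here is the page's manipulate() beside a bounds-checked version that applies rule 2 (compare the input length against the reserved space and truncate); manipulate_checked and oversized_input are hypothetical names, and NEWBUF_SIZE is the page's 80-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define NEWBUF_SIZE 80   /* the space the page's example reserves */

/* Vulnerable form from the page: strcpy copies until it finds a NUL, so an
 * input of 80 bytes or more runs past newbuffer into the saved return address. */
void manipulate(char *buffer)
{
    char newbuffer[NEWBUF_SIZE];
    strcpy(newbuffer, buffer);
}

/* Hardened form (hypothetical name): the input length is compared against the
 * reserved space and truncated if necessary, as the tip's rule 2 says. Returns 1
 * if the input fit, 0 if it was truncated, so the caller can log or reject it. */
int manipulate_checked(const char *buffer, char *out, size_t out_size)
{
    size_t len = strlen(buffer);
    int fits = len < out_size;           /* room for the bytes plus the NUL */
    if (!fits)
        len = out_size - 1;              /* truncate to the reserved space */
    memcpy(out, buffer, len);
    out[len] = '\0';
    return fits;
}

/* Constructed oversized input (199 'A's): the "long string" the tip tells
 * testers to try. */
const char *oversized_input(void)
{
    static char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int main(void)
{
    char input[4096], newbuffer[NEWBUF_SIZE];
    /* fgets bounds the read up front, unlike the page's getchar() loop. */
    if (fgets(input, sizeof input, stdin) == NULL)
        return 1;
    input[strcspn(input, "\n")] = '\0';
    if (!manipulate_checked(input, newbuffer, sizeof newbuffer))
        fprintf(stderr, "input truncated to %d bytes\n", NEWBUF_SIZE - 1);
    printf("stored: %s\n", newbuffer);
    return 0;
}
```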
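As a second added example, not the tip's own ASP code, the same filtering as rule 3 written in C as a single pass into a bounded output buffer, which is where rules 2 and 3 meet: escaping makes the text longer, so the filter itself must respect the space reserved for its output. filter_input and escape_for are hypothetical names and the review string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same mapping as the page's ASP code: entities for the HTML and ampersand
 * characters, backticks for the quotes. NULL means "copy the byte unchanged". */
static const char *escape_for(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '\'': return "`";
    case '"':  return "``";
    default:   return NULL;
    }
}

/* Hypothetical filter_input(): one pass over the input, so the '&' written as
 * part of "&lt;" is never revisited and cannot become "&amp;lt;" (which a chain
 * of Replace() calls produces when the '&' rule runs after the '<' rule). Every
 * write is checked against out_size. Returns the escaped length, or -1 if out
 * is too small, refusing the input rather than overflowing the buffer. */
long filter_input(const char *in, char *out, size_t out_size)
{
    size_t used = 0;
    for (; *in != '\0'; in++) {
        const char *rep = escape_for(*in);
        size_t need = rep ? strlen(rep) : 1;
        if (used + need >= out_size)     /* keep one byte for the terminator */
            return -1;
        if (rep)
            memcpy(out + used, rep, need);
        else
            out[used] = *in;
        used += need;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void)
{
    /* Constructed review text containing every character the page filters. */
    const char *review = "<b>Great</b> & \"cheap\", isn't it?";
    char safe[256];
    if (filter_input(review, safe, sizeof safe) < 0)
        return 1;
    printf("%s\n", safe);
    return 0;
}
```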