Buffer Overflow


In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or, if the user is malicious, a possible breach of system security.

A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may cause a process to crash or produce incorrect results. Overflows can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by the programmer, the compiler or the runtime can prevent buffer overflows.


TECHNICAL DESCRIPTION


A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.


Basic example


In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.

Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. Because it does not check the length of the string, it overwrites the value of B.

Although the programmer did not intend to change B at all, B's value has now been replaced by a number formed from part of the character string. In this example, on a big-endian system that uses ASCII, "e" followed by a zero byte would become the number 25856. If B were the only other variable data item defined by the program, writing an even longer string that went past the end of B could cause an error such as a segmentation fault, terminating the process.
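The layout described above, written out as an added C example that is not part of the original article. It assumes a struct with an 8-byte array A immediately followed by a 16-bit integer B (offset 8, total size 10), models the unchecked copy with memcpy through a byte pointer to the whole object (clamped to the object so the demonstration stays well-defined C, which a real strcpy is not), and places a bounds-checked copy beside it so the two outcomes can be compared. The function and variable names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout mirroring the article: 8-byte string buffer A, then
 * a two-byte integer B. B sits at offset 8, so byte 9 of a 10-byte write
 * ("excessive" plus its terminating zero) lands in B. */
struct layout {
    char A[8];
    uint16_t B;
};

/* 1 on little-endian hosts, 0 on big-endian ones; decides which number
 * the bytes 'e', '\0' form when read back as B. */
int is_little_endian(void) {
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Unchecked copy, modelling strcpy(A, src): writes strlen(src)+1 bytes
 * starting at A regardless of A's size, so anything past 8 bytes spills
 * into B. The clamp to sizeof mem exists only to keep this demo inside
 * the object; real strcpy keeps writing past B. Returns the value of B
 * after the copy. */
uint16_t unchecked_copy(const char *src) {
    struct layout mem;
    size_t n = strlen(src) + 1;
    memset(&mem, 0, sizeof mem);
    mem.B = 3;
    if (n > sizeof mem)
        n = sizeof mem;
    memcpy(&mem, src, n);
    return mem.B;
}

/* Bounds-checked copy: stores at most sizeof A - 1 characters and always
 * writes the terminating zero inside A, so B is never touched. The number
 * of characters actually stored is reported through stored_len (may be
 * NULL). Returns the value of B after the copy. */
uint16_t checked_copy(const char *src, size_t *stored_len) {
    struct layout mem;
    size_t n = strlen(src);
    memset(&mem, 0, sizeof mem);
    mem.B = 3;
    if (n > sizeof mem.A - 1)
        n = sizeof mem.A - 1;      /* truncate instead of overflowing */
    memcpy(mem.A, src, n);
    mem.A[n] = '\0';
    if (stored_len)
        *stored_len = n;
    return mem.B;
}

/* Convenience wrapper: how many characters the checked copy keeps. */
size_t checked_len(const char *src) {
    size_t n = 0;
    checked_copy(src, &n);
    return n;
}

int main(void) {
    printf("B after unchecked copy of \"short\":     %u\n", unchecked_copy("short"));
    printf("B after unchecked copy of \"excessive\": %u (%s-endian)\n",
           unchecked_copy("excessive"), is_little_endian() ? "little" : "big");
    printf("B after checked copy of \"excessive\":   %u, %zu chars kept\n",
           checked_copy("excessive", NULL), checked_len("excessive"));
    return 0;
}
```

On a big-endian host the unchecked copy yields the article's 25856 (0x6500); on a little-endian host the same two bytes read as 101 (0x0065). The checked copy leaves B at 3 and keeps only "excessiv".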


EXPLOITATION


The techniques used to exploit a buffer overflow vulnerability vary by architecture, operating system and memory region. For example, exploitation on the heap (used for dynamically allocated memory) is very different from exploitation on the call stack.


Stack-based exploitation

See Also: Stack buffer overflow



A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways:

  • By overwriting a local variable that is near the buffer in memory on the stack, changing the behaviour of the program in a way that may benefit the attacker.

  • By overwriting the return address in a stack frame. Once the function returns, execution resumes at the return address specified by the attacker, usually a buffer filled with user input.

  • By overwriting a function pointer or exception handler, which is subsequently executed.


With a method called "trampolining", if the address of the user-supplied data is unknown but its location is stored in a register, the return address can be overwritten with the address of an opcode which will cause execution to jump to the user-supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction will cause execution of the user-supplied data. The locations of suitable opcodes, or bytes in memory, can be found in DLLs or the executable itself. However, the address of the opcode typically cannot contain any null characters, and the locations of these opcodes vary between applications and versions of the operating system. The Metasploit Project maintains one such database of suitable opcodes, though only those found in the Windows operating system are listed.

Stack-based buffer overflows are not to be confused with stack overflows.


Heap-based exploitation

See Also: Heap overflow



A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner from stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked-list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

The Microsoft JPEG GDI+ vulnerability is a recent example of the danger a heap overflow can represent to a computer user.


Barriers to exploitation


Manipulation of the buffer before it is read or executed may cause an exploitation attempt to fail. Such manipulations can mitigate the threat of exploitation, but may not make it impossible. They include conversion to upper or lower case, removal of metacharacters and filtering out of non-alphanumeric strings. However, techniques exist to bypass these filters and manipulations: alphanumeric code, polymorphic code, self-modifying code and return-to-libc attacks. The same methods can be used to avoid detection by intrusion detection systems. In some cases, including where code is converted into Unicode, the threat of the vulnerability has been misrepresented by the disclosers as only denial of service when in fact remote execution of arbitrary code is possible.


Practicalities of exploitation


In real-world exploits there are a variety of issues which need to be overcome for exploits to operate reliably: null bytes in addresses, variability in the location of shellcode, differences between environments, and various countermeasures in operation.


Nop sled technique


See Also: NOP slide