Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is a buffer overflow and how do I cause one?

I have heard about a buffer overflow and I would like to know how to cause one.

Can someone show me a small buffer overflow example? New(And what they are used for?)

like image 344
H4cKL0rD Avatar asked Feb 22 '09 02:02

H4cKL0rD


People also ask

What causes a buffer overflow it?

A buffer overflow occurs when data written to a buffer also corrupts data values in memory addresses adjacent to the destination buffer due to insufficient bounds checking. This can occur when copying data from one buffer to another without first checking that the data fits within the destination buffer.

What causes buffer overflow and how can we prevent it?

When the amount of allocated data exceeds the capacity of the buffer, the extra data will overflow -- hence the name buffer overflow. This may cause data to leak out into other buffers, which can then corrupt or overwrite their contents. In a buffer overflow attack, a malicious actor exploits vulnerable software.

What is buffer overflow meaning?

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Buffers contain a defined amount of data; any extra data will overwrite data values in memory addresses adjacent to the destination buffer.

What is the most common buffer overflow attack?

Stack overflow attack - This is the most common type of buffer overflow attack and involves overflowing a buffer on the call stack*. Heap overflow attack - This type of attack targets data in the open memory pool known as the heap*.


2 Answers

Classical example of a buffer-overflow:

// noone will ever have the time to type more than 64 characters... char buf[64]; gets(buf); // let user put his name 

The buffer overflow alone does most often not happen purposely. It happens most often because of a so-called "off-by-one" error. Meaning you have mis-calculated the array-size by one - maybe because you forgot to account for a terminating null character, or because some other stuff.

But it can also be used for some evil stuff. Indeed, the user long knew this hole, and then inserts say 70 characters, with the last ones containing some special bytes which overwrite some stack-slot - if the user is really tricky he/she will hit the return-address slot in the stack, and overwrites it so it jumps forward into that just inserted buffer: Because what the user entered was not his name, but his shell-code that he previously compiled and dumped out. That one will then just executed. There are some problems. For example, you have to arrange not to have a "\n" in that binary code (because gets would stop reading there). For other ways that mess with dangerous string functions, the binary zero is problematic because string functions stop copying there to the buffer. People have used xor with two times the same value to produce a zero too, without writing a zero byte explicitly.

That's the classic way of doing it. But there are some security blocks that can tell that such things happened and other stuff that make the stack non-executable. But i guess there are way better tricks than i just explained. Some assembler guy could probably now tell you long stories about that :)

How to avoid it

Always use functions that take a maximal-length argument too, if you are not 100% sure that a buffer is really large enough. Don't play such games as "oh, the number will not exceed 5 characters" - it will fail some day. Remember that one rocket where scientists said that the number will not exceed some magnitude, because the rocket would never be that fast. But some day, it was actually faster, and what resulted was an integer overflow and the rocket crashed (it's about a bug in Ariane 5, one of the most expensive Computer bugs in history).

For example, instead of gets use fgets. And instead of sprintf use snprintf where suitable and available (or just the C++ style things like istream and stuff)

like image 86
Johannes Schaub - litb Avatar answered Nov 08 '22 03:11

Johannes Schaub - litb


A buffer overflow is basically when a crafted section (or buffer) of memory is written outside of its intended bounds. If an attacker can manage to make this happen from outside of a program it can cause security problems as it could potentially allow them to manipulate arbitrary memory locations, although many modern operating systems protect against the worst cases of this.

While both reading and writing outside of the intended bounds are generally considered a bad idea, the term "buffer overflow" is generally reserved for writing outside the bounds, as this can cause an attacker to easily modify the way your code runs. There is a good article on Wikipedia about buffer overflows and the various ways they can be used for exploits.

In terms of how you could program one yourself, it would be a simple matter of:

char a[4]; strcpy(a,"a string longer than 4 characters"); // write past end of buffer (buffer overflow) printf("%s\n",a[6]); // read past end of buffer (also not a good idea) 

Whether that compiles and what happens when it runs would probably depend on your operating system and compiler.

like image 29
David Dean Avatar answered Nov 08 '22 02:11

David Dean