Buffer overflow introduction
"Buffer overflow" (sometimes called buffer overrun) attacks are designed to trigger arbitrary code execution by a program by sending it more data than it is supposed to receive.
Programs that accept parameterized input data temporarily store them in a region of memory called a buffer). But some read functions, such as strcpy() functions from the C language, cannot manage this type of overflow and cause the application to crash, which can lead to arbitrary code execution and open access to the system.
The implementation of this type of attack is extremely complicated as it requires in-depth knowledge of program and processor architecture. However, there are various expoits capable of automating this type of attack and making it accessible to quasi-novices.
The operating principle of a buffer overflow is closely related to the architecture of the processor on which the vulnerable application is executed.
Data entered in an application are stored in random access memory in a region called a buffer. A correctly designed program should stipulate a maximum size for input data and make sure the input data do not exceed this value.
The instructions and data of a running program are temporarily stored adjacently in memory in a region called a stack). The data located after the buffer contain a return address (called an instruction pointer) that lets the program continue its run-time. If the size of the data is greater than the size of the buffer, the return address is overwritten and the program will read an invalid memory address generating a segmentation fault in the application.
A hacker with strong technical knowledge can make sure the overwritten memory address corresponds to an actual address, for example located in the buffer itself. As such, by writing instructions in the buffer (arbitrary code), it is easy for him to execute it.
It is therefore possible to include instructions in the buffer that open a command interpreter (a shell) and make it possible for the hacker to take control of the system. This arbitrary code that makes it possible to execute the shell is called a shellcode.
Protecting yourself from a Buffer overflow
To protect yourself from this type of attack, it is important to develop applications using advanced programming languages, guaranteeing precise management of allocated memory, or using low level language with secure function libraries (for example, strncpy() functions).
Alert bulletins are published on a regular basis, announcing certain applications' vulnerability to buff overflow attacks. After the appearance of these alert bulletins, software publishers affected by the vulnerability generally publish patchs that can correct the flaw. All system and network adminstrators should keep informed of security alerts and apply patches as quickly as possible.
- Smashing The Stack For Fun And Profit, article written by Aleph One in the magazine Phrack