Pure Binary

How Buffer-overflow attacks work?

Posted on January 19th, 2010 by Deepak

Just now I listened to a brdocast by MIT guy on Malware threats and I encountered an attack technique known as Buffer Overflow Attack. I had heard about this attack before but to know how it works I did some research. I am posting what I understood and perhaps you will like it.

Buffer overflow is one of the most common attack techniques used by hackers. Most importantly it is often undetectable, and above that, most of the home build programs or code are vulnerable to such threats. I can gaurantee that all the codes that you wrote since your school and all the applications you build till date is vulnearable to buffer overflow attack. Code wriiten in unsafe languages such as C++ are more prone to such threats. Infact these days buffer overflows are a favorite exploit for hackers. You will be surprised to know that the vast majority of patches that Microsoft releases oftten in its updates actually fix unchecked buffer problems. However the applications developed in our house just as susceptible as commercial applications to buffer-overflow attack. And this is the only reason why freewares are not accepted as standard software in IT firms.

A buffer overflow takes advantage of a program that is waiting on a user’s input. Buffer overflow attacks can of two types – first is stack based and the other is heap based. Heap is nothing but a free pool of memory used by compilers to dynamically allocate the memory to running program. Heap-based attack basically flood the memory space reserved for a program, however this attack is rare due to the complexity involved. On the other hand stack-based buffer overflow is much easier and often used.

I could explain you this in my own words but it would be better if I quote from a technical article published at SearchWindowsSecurity.com as it would an unaltered version for you. Article goes like this:

“In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user’s input is placed on top of it. When the stack is processed, the user’s input gets sent to the return address specified by the program.

However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user’s input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn’t a huge problem, but it becomes a huge security hole when combined with malicious input.

Yet overflowing the buffer with an executable command doesn’t mean that the command will be executed. The attacker must then specify a return address that points to the malicious command. The program partially crashes because the stack overflowed. It then tries to recover by going to the return address, but the return address has been changed to point to the command specified by the hacker. Of course this means that the hacker must know the address where the malicious command will reside. To get around needing the actual address, the malicious command is often padded on both sides by NOP instructions, a type of pointer. Padding on both sides is a technique used when the exact memory range is unknown. Therefore, if the address the hacker specifies falls anywhere within the padding, the malicious command will be executed.

The last part of the equation is the executable program’s permissions. As you know, most modern operating systems have some sort of mechanism to control the access level of the user who’s currently logged on and executable programs typically require a higher level of permissions. These programs therefore run either in kernel mode or with permissions inherited from a service account. When a stack-overflow attack runs the command found at the new return address, the program thinks it is still running. This means that the command prompt window that has been opened is running with the same set of permissions as the application that was compromised. Generally speaking, this often means that the attacker will gain full control of the operating system. “

I hope you liked this article from SearchWindowsSecurity.com. Please post your comment and some other security issues if you have encountered or solutions which think is applicable. If you want to know about how You can prevent buffer-overflow attacks then follow the link associated.

Bookmark and Share: