Buffer overflow attack
- 1. Buffer Overflow Attack (Software security) Krishantha Dinesh
- 2. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ What is it • Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs. • if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, if an anomalous transaction produces more data it could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
- 3. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ Buffer overflow types • Stack overflow • Heap overflow • Off By One overflow • Function pointers • Integer overflow • Format string overflow • Unicode overflow
- 4. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ Example (Format String attack) If the user passes %X as value, then printf() will receive a pointer to a string with “%X” in it on the stack Printf() will see the %X and assume there is another parameter above it on the stack Whatever is above it on the stack will be printed in hexadecimal
- 5. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ Who are vulnerable • Applications written in Java, PHP, C#, ASP.NET, Ruby-on-rails, server-side javascript and JSP are managed applications, and are not lead to memory corruption vulnerabilities such as stack buffer overflows or heap buffer overflows caused by bad web-application code • Buffer overflows tend to be the preserve of C/C++ applications.
- 6. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ How it comes • Pushing data more than the capacity of a buffer • buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. • For example: • - strcpy(target_buffer, large_string) • - printf(str_ptr)
- 7. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ example
- 8. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ ./sample.out hello
- 9. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ ./sample.out AAAAAAAAAAAAAAAAA
- 10. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ Unsafe C functions • strcpy (char *dest, const char *src) • strcat (char *dest, const char *src) • gets (char *s) • scanf ( const char *format, … ) • printf (conts char *format, … )
- 11. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ How to prevent • never use printf(buffer) for any function in the printf family • Review loop bounds for off-by-one errors • Avoid unsafe C functions (e.g. strcpy(), strcat(), sprintf(), gets(), scanf()) and learn how to use alternatives (e.g. strncpy(), strncat(), snprintf()) • Insert bounds checking code • Avoid unsafe programming languages (C, C++) and use type safe languages like java
- 12. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ records • The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a service on Unix called finger.The Ping of death • The Morris (Internet worm of November 2, 1988) worm spread in part by exploiting a stack buffer overflow in the Unix finger server. • The Witty worm (2004) spread by exploiting a stack buffer overflow in the Internet Security Systems BlackICE Desktop Agent. The Witty worm is a computer worm that attacks the firewall and other computer security products written by a particular company, Internet Security Systems (ISS) now IBM Internet Security Systems.
- 13. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ • The Slammer worm (January 25, 2003) spread by exploiting a stack buffer overflow in Microsoft's SQL server. • The Blaster worm spread by exploiting a stack buffer overflow in Microsoft DCOM service. The Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread on computers running the Microsoft operating systems Windows XP and Windows 2000, during August 2003.The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a service on Unix called finger. •
- 14. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ • 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list. A year later, in 1996, Elias Levy (also known as Aleph One) published in Phrack magazine the paper "Smashing the Stack for Fun and Profit”, a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities. Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the Code Red worm exploited a buffer overflow in Microsoft's Internet Information Services (IIS) 5.0 and in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000.
- 15. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-/ • In 2003, buffer overflows present in licensed Xbox games have been exploited to allow unlicensed software, including homebrew games, to run on the console without the need for hardware modifications, known as modchips. The PS2 Independence Exploit also used a buffer overflow to achieve the same for the PlayStation 2. The Twilight hack accomplished the same with the Wii, using a buffer overflow in The Legend of Zelda: Twilight Princess.