Buffer Overflow Explained

Upload: teja-babu

Post on 21-Dec-2014



TRANSCRIPT

Page 1: Buffer overflow explained

Buffer Overflow Explained

Page 2: Buffer overflow explained

What is buffer overflow?
How a buffer overflow happens
How to avoid overrun?

Page 3: Buffer overflow explained

What is buffer overflow?

• Buffer overflows are responsible for many vulnerabilities in operating systems as well as application programs.

• It’s quite technical and freaky: it involves program source code, assembler listings, and debugger usage, which scares away a lot of people without solid programming knowledge.

Page 4: Buffer overflow explained

Cause: Buffer overflow attacks have been around for a long time. They still exist partly because of carelessness on the part of the developers writing the code.

Prevention: Avoid writing bad code.

Page 5: Buffer overflow explained

How a buffer overflow happens?

• The ultimate purpose of any program that runs on a computer is to process data of some kind.

• Most don’t operate on fixed data, but on data that is ultimately provided by the user, possibly pre-processed in some fashion.

• The program needs to store that data somewhere in the computer’s memory, and this is the point where the problem starts.

• Buffer overflows are a common vulnerability on all platforms, but are by far the most commonly exploited bug on Linux/Unix operating systems.

• Commonly, buffer overflows are exploited to change the flow of a program’s execution, so that it continues at a different memory address, or to overwrite crucial memory segments.

Page 6: Buffer overflow explained

EX:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char buff[512];
        if (argc < 2) {
            printf("Usage: %s \n", argv[0]);
            exit(0);
        }
        /* no bounds check: argv[1] longer than 511 chars overruns buff */
        strcpy(buff, argv[1]);
        printf("Your name: %s\n", buff);
        return 0;
    }

Page 7: Buffer overflow explained

Let’s try by giving this program a test.

Normal execution:

    Demo@root:~/tut > gcc vuln1.c -o vuln1
    Demo@root:~/tut > ./vuln1
    Usage: ./vuln1
    Demo@root:~/tut > ./vuln1 mercy
    Your name: Fr3@k
    Demo@root:~/tut >

As we can see, this program is fully functional and does what it is required to do. But let’s see what happens when we fill buff (argv[1]) with more than 512 chars:

    Demo@root:~/tut > ./vuln1 `perl -e 'print "A" x 516'`
    Your name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault (core dumped)

Page 8: Buffer overflow explained

What happened there?

Page 9: Buffer overflow explained

• The program crashed due to a segmentation fault: we filled the buffer with more data than it was defined to hold, ending in an illegal address violation.

• (Note: if you did not get a core dump, it is most likely because you have not set a limit; at the command prompt type: ulimit -c unlimited. If this still fails, make sure you have write access in the executing directory, and make sure that the file is not suid: you will not get core dumps on suid files.)

Page 10: Buffer overflow explained

How to avoid overrun?

Page 11: Buffer overflow explained

Use of safe libraries

• The problem of buffer overflows is common in the C and C++ languages because they expose low-level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. It has also long been recommended to avoid standard library functions which are not bounds checked, such as gets, scanf and strcpy.

• Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows.
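As an added example that is not part of the slides, here is the slide's strcpy(buff, argv[1]) step rewritten with the explicit bounds check that the "safe libraries" advice amounts to in practice; the function names copy_name_checked, greet and demo_overlong_input are my own, and the 516-byte input is constructed to match the demo above.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 512

/* Bounds-checked replacement for strcpy(buff, argv[1]): refuses input that
 * does not fit (including its terminating NUL) instead of overrunning dst.
 * Returns 0 on success, -1 if src is too long (dst is left as an empty string). */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {      /* len == dst_size - 1 is the longest that fits */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* copy the NUL as well */
    return 0;
}

/* Same fixed 512-byte stack buffer as vuln1.c, but over-long names are rejected.
 * Returns 0 when the name was printed, 1 when it was refused. */
int greet(const char *name)
{
    char buff[BUFF_SIZE];
    if (copy_name_checked(buff, sizeof buff, name) != 0) {
        fprintf(stderr, "name too long (max %d chars)\n", BUFF_SIZE - 1);
        return 1;
    }
    printf("Your name: %s\n", buff);
    return 0;
}

/* Constructed input reproducing the slide's test: 516 'A's, more than buff holds. */
int demo_overlong_input(void)
{
    char input[517];
    memset(input, 'A', 516);
    input[516] = '\0';
    return greet(input);        /* 1: rejected, no overflow, no segfault */
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <name>\n", argv[0]);
        return 1;
    }
    return greet(argv[1]);
}
```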

Page 12: Buffer overflow explained

Some Unix operating systems (e.g. OpenBSD, Mac OS X) ship with executable space protection (e.g. W^X). Some optional packages include:

– PaX
– Exec Shield
– Openwall

Newer variants of Microsoft Windows also support executable space protection, called Data Execution Prevention. Proprietary add-ons include:

– BufferShield
– StackDefender