CAPEC-100: Overflow Buffers (Version 2.11)

Attack Pattern ID: 100
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by adversary-supplied input. The adversary writes past the boundary of an allocated buffer in memory, corrupting whatever lies beyond it; the consequence ranges from a program crash to redirection of execution to a location of the adversary's choosing.

+ Attack Steps
  1. The adversary identifies a buffer to target. Buffers are allocated either on the stack or on the heap, and the details of the attack depend on where the buffer lives: a stack overflow typically aims at the saved return address, while a heap overflow corrupts adjacent heap data or allocator metadata.

  2. The adversary identifies an injection vector through which excessive content can be delivered to the targeted buffer.

  3. The adversary crafts the content to be injected. If the intent is simply to crash the software, the content need only be an excessive quantity of arbitrary data. If the intent is to execute arbitrary code, the content must overflow the buffer in a controlled way, so that the overwritten return address (or other control data) is replaced with a value of the adversary's choosing that points to code the adversary has injected.

  4. The adversary injects the content into the targeted software.

  5. Upon successful exploitation, the system either crashes or control of the program passes to a location of the adversary's choosing. This can result in execution of arbitrary code or escalation of privileges, depending on the exploited target.

+ Attack Prerequisites
  • Targeted software performs buffer operations.

  • Targeted software inadequately performs bounds-checking on buffer operations.

  • Adversary has the capability to influence the input to buffer operations.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • Analysis
+ Examples-Instances


The most straightforward example is an application that reads input from the user and stores it in an internal buffer without checking that the input (including any terminator the buffer needs) fits within the buffer's size. If the user supplies input longer than the buffer, the excess is written past its end, leading to the application crashing or, worse, allowing the user to cause execution of injected code.
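As an added example (not code from the CAPEC entry), the following C program builds a record with a 16-byte name field followed by an is_admin flag and shows the overflow the paragraph describes. vulnerable_set_name bounds the copy by the size of the whole record rather than the name field, so an overlong input lands on the flag; safe_set_name applies the boundary check that the Solutions and Mitigations section calls for. The struct layout, function names and the 20-byte input are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record for the example: a 16-byte name followed by a flag,
 * mimicking adjacent struct fields or stack locals in a real program. */
struct session {
    char     name[16];
    uint32_t is_admin;
};

/* Vulnerable: the copy is bounded by the size of the whole record, never by
 * the size of the name field, so any input longer than 15 bytes spills into
 * is_admin. Capping at sizeof *s keeps the demonstration inside one object so
 * the outcome is repeatable; a real target has no such backstop and the
 * overwrite continues into whatever follows. The name is also left without a
 * terminating NUL. */
void vulnerable_set_name(struct session *s, const char *input, size_t len)
{
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy(s, input, len);            /* name starts at offset 0 of the record */
}

/* Hardened: reject anything that does not fit together with its terminator,
 * copy only the checked length, and always NUL-terminate.
 * Returns 0 on success, -1 if the input was rejected; callers must not ignore -1. */
int safe_set_name(struct session *s, const char *input, size_t len)
{
    if (len >= sizeof s->name)        /* need room for the trailing NUL */
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Constructed 20-byte input: 16 filler bytes, then four 'A' bytes that land
 * on is_admin when the vulnerable copy is used. Returns the flag afterwards. */
uint32_t demo_vulnerable(void)
{
    struct session s = { "guest", 0 };
    char input[20];
    memset(input, 'x', 16);
    memset(input + 16, 'A', 4);
    vulnerable_set_name(&s, input, sizeof input);
    return s.is_admin;                /* 0x41414141: flag overwritten by input */
}

/* Same overlong input through the hardened copy: rejected, flag untouched. */
int demo_safe(void)
{
    struct session s = { "guest", 0 };
    char input[20];
    memset(input, 'x', sizeof input);
    int rc = safe_set_name(&s, input, sizeof input);
    return (rc == -1 && s.is_admin == 0) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable copy: is_admin = 0x%08x\n", demo_vulnerable());
    printf("hardened copy: overlong input rejected, flag intact = %d\n", demo_safe());
    return 0;
}
```

The check in safe_set_name is strict (`>=`) because a C string needs one byte beyond its content for the terminator; the `<=` comparison many programs use is off by one and still overflows by a single byte.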


Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and fill an input variable with overlong content.

Skill or Knowledge Level: High

In cases of directed overflows, where the motive is to divert the flow of the program or application as the adversary intends, high-level skills are required. This may involve detailed knowledge of the target system architecture and kernel, and of the mitigations deployed on the target.

+ Resources Required

None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.

+ Probing Techniques

The adversary sends an overly long input in variables under their control. If the target system or application handles it gracefully, the attack becomes difficult. An error condition or a system crash, however, points to a high likelihood of successful exploitation.

In cases where the attack is directed at a particular system or application, such as an operating system or a web server, the adversary can refer to system architecture and design documentation to figure out the exact point of injection and exploitation.
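The probe described above and the crafting step in Attack Steps both hinge on learning which bytes of an overlong input land on the saved return address. A standard way to find that, added here as an example rather than taken from the CAPEC entry, is to send a cyclic pattern in which every 4-byte window is unique and then map the value reported at the crash back to an offset in the input. The functions below (pattern_create, pattern_offset and offset_from_u32 are names chosen for this illustration) implement that; the 200-byte probe and the crash value 0x64413364 are constructed, and the decoder assumes a 32-bit little-endian target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a cyclic pattern ("Aa0Aa1Aa2...Aa9Ab0...") of len bytes into buf.
 * Every 4-byte window is unique for the first 20280 bytes, so a value pulled
 * from a crash (overwritten return address, saved frame pointer, register)
 * maps to exactly one offset in the input. Returns the number of bytes written;
 * the buffer is not NUL-terminated because the probe is sent as raw bytes. */
size_t pattern_create(char *buf, size_t len)
{
    static const char up[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static const char lo[] = "abcdefghijklmnopqrstuvwxyz";
    static const char dg[] = "0123456789";
    size_t n = 0;
    for (size_t u = 0; u < 26 && n < len; u++)
        for (size_t l = 0; l < 26 && n < len; l++)
            for (size_t d = 0; d < 10 && n < len; d++) {
                buf[n++] = up[u];
                if (n < len) buf[n++] = lo[l];
                if (n < len) buf[n++] = dg[d];
            }
    return n;
}

/* Offset of the first occurrence of needle within the pattern, or -1 if absent. */
long pattern_offset(const char *pattern, size_t plen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > plen)
        return -1;
    for (size_t i = 0; i + nlen <= plen; i++)
        if (memcmp(pattern + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* A crashed 32-bit process reports the overwritten return address as an
 * integer (e.g. EIP = 0x64413364). On a little-endian target the low byte was
 * the first byte written, so decode in that order before searching.
 * Assumption for this example: little-endian, 4-byte return address. */
long offset_from_u32(const char *pattern, size_t plen, uint32_t value)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(value >> (8 * i));
    return pattern_offset(pattern, plen, needle, sizeof needle);
}

int main(void)
{
    char probe[200];
    size_t n = pattern_create(probe, sizeof probe);
    /* Constructed crash value: what a debugger would show if bytes 100..103
     * of this probe had overwritten a 32-bit return address. */
    uint32_t eip = 0x64413364u;
    printf("probe of %zu bytes; crash value 0x%08x came from offset %ld\n",
           n, eip, offset_from_u32(probe, n, eip));
    return 0;
}
```

On a 64-bit target a return address built from ASCII is non-canonical and the fault is raised at the `ret` before the value reaches the instruction pointer, so the bytes to decode are taken from the stack pointer or a clobbered register instead; the search itself is the same.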

+ Indicators-Warnings of Attack

An attack that leverages a buffer overflow to redirect execution as the adversary intends is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long, meaningless inputs. In either case, the adversary has likely made a number of hit-or-miss attempts that will be recorded in the system event logs, if such logs exist.

+ Obfuscation Techniques

A buffer overflow attack itself is difficult to obfuscate. There exist, however, fairly advanced techniques for obfuscating the payload in order to bypass an intrusion detection system or filtering, whether performed in the application or by an application firewall of some sort.

+ Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use secure functions not vulnerable to buffer overflow.

If you have to use dangerous functions, make sure that you do boundary checking.

Use compiler-based stack canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. These detect corruption of the stack frame at function return rather than preventing the overflow, and they provide no bounds checking, so they are not a complete solution.

Use OS-level preventative functionality such as non-executable memory and address space layout randomization. This raises the cost of exploitation but is not a complete solution.

Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.

+ Attack Motivation-Consequences
Technical Impact:
  • DoS: crash / exit / restart
  • Execute unauthorized code or commands (run arbitrary code)
  • Gain privileges / assume identity
+ Injection Vector

A buffer overflow attack is an injection-driven attack with the payload delivered via user-controllable input. Any input that an adversary can control is a potential injection point if that input is not validated and is subsequently used in a vulnerable buffer-related operation.

+ Payload

The payload for a buffer overflow attack is an overly long input string, often carrying shellcode or system commands to be executed once control is redirected.

+ Activation Zone

Buffer allocated in memory for the input that carried the payload.

+ Payload Activation Impact

Denial of service, escalated privileges, execution of arbitrary code, including system commands and low-level assembly code.

+ Relevant Security Requirements

All user-controllable input must be strictly validated, with both length and semantic checks enforced.

All exception conditions (such as ArrayIndexOutOfBounds) in applications must be gracefully handled through use of available exception handling mechanisms.

All applications and processes must be run with minimum privileges necessary so as to avoid an escalation of privilege in case of a successful exploit.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms
Visual Basic
+ Content History
2014-06-23: CAPEC Content Team, The MITRE Corporation (Internal_CAPEC_Team)
2017-01-09: CAPEC Content Team, The MITRE Corporation: Updated Related_Attack_Patterns (Internal)
2017-08-04: CAPEC Content Team, The MITRE Corporation: Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Indicators-Warnings_of_Attack, Probing_Techniques, Related_Vulnerabilities, Resources_Required (Internal)

Page Last Updated or Reviewed: August 04, 2017