Buffer Overflow attacks target improper or missing bounds checking on
buffer operations, typically triggered by input injected by an attacker. As
a consequence, an attacker is able to write past the boundaries of allocated
buffer regions in memory, causing a program crash or potentially redirection
of execution as per the attacker's choice.
Attack Execution Flow
The attacker identifies a buffer to target. Buffer
regions are allocated either on the stack or on the
heap, and the exact nature of the attack varies with
the location: a stack overflow typically overwrites
the saved return address or frame pointer of the
current function, while a heap overflow corrupts
neighbouring objects or allocator metadata (function
pointers, length fields, free-list links).
Next, the attacker identifies an injection vector
to deliver the excessive content to the targeted
buffer.
The attacker crafts the content to be injected. If
the intent is simply to cause the software to crash,
the content need only consist of an excessive
quantity of random data. If the intent is to
leverage the overflow for execution of arbitrary
code, the attacker crafts content that not only
overflows the targeted buffer but does so in such a
way that the overwritten return address (or other
control data) is replaced with an address of the
attacker's choosing, pointing either to code injected
by the attacker or, where memory is non-executable,
to existing code already present in the process.
The attacker injects the content into the targeted
software.
Upon successful exploitation, the system either
crashes or control of the program is transferred to
a location of the attacker's choice. This can result
in execution of arbitrary code with the privileges
of the vulnerable process, which amounts to an
escalation of privilege whenever that process runs
with more rights than the attacker already holds.
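The flow above, as an added example in C that is not part of CAPEC: a function that copies user input into a fixed stack buffer without a bound (the target of steps 1 to 4) beside a hardened version that measures, rejects and copies with an explicit count. The function names, the 64-byte buffer and the 200-byte probe string are assumptions chosen for illustration; the vulnerable function is defined for contrast and never called.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CAPEC's own code. The function names and the
 * 64-byte buffer size are assumptions chosen for illustration. */

#define NAME_LEN 64

/* VULNERABLE: the length of `input` is never compared with NAME_LEN.
 * strcpy() copies until it finds a NUL, so 64 or more bytes of input
 * run past name[] into whatever the compiler placed above it in the
 * stack frame (other locals, the saved frame pointer, the return
 * address). Not called below; shown for contrast only. */
void greet_vulnerable(const char *input)
{
    char name[NAME_LEN];

    strcpy(name, input);               /* unbounded copy */
    printf("Hello, %s\n", name);
}

/* HARDENED: measure without reading past dst_size bytes, reject input
 * that does not fit together with its terminating NUL, then copy an
 * explicit byte count. Returns 0 on success, -1 if rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)                 /* too long: no room for '\0' */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int greet_safe(const char *input)
{
    char name[NAME_LEN];

    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

/* The classic probe from the flow above: a constructed 200-byte run of
 * 'A'. Against greet_vulnerable() this would smash the frame; against
 * greet_safe() it is refused. Returns greet_safe()'s result. */
int probe_with_long_input(void)
{
    char probe[200];

    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';
    return greet_safe(probe);          /* -1: refused, nothing overwritten */
}

/* Self-check: copies src into a dst_size-byte slice of a scratch buffer
 * and returns 1 if it was accepted and round-trips unchanged. */
int fits_exactly(size_t dst_size, const char *src)
{
    char scratch[NAME_LEN];

    if (dst_size > sizeof scratch)
        return 0;
    if (copy_bounded(scratch, dst_size, src) != 0)
        return 0;
    return strcmp(scratch, src) == 0;
}

int main(void)
{
    greet_safe("alice");               /* fits: printed */
    return probe_with_long_input() == -1 ? 0 : 1;
}
```

The hardened version rejects over-long input instead of silently truncating it; truncation is often the safer default for display strings, but for anything later interpreted (paths, identifiers) a rejected input is easier to reason about than a shortened one.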
Attack Prerequisites
Targeted software performs buffer operations.
Targeted software inadequately performs bounds-checking on buffer
operations.
Attacker has the capability to influence the input to buffer
operations.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Analysis
Examples-Instances
Description
The most straightforward example is an application that reads in input
from the user and stores it in an internal buffer but does not check
that the input fits in the buffer (for a C string, that its length plus
the terminating NUL does not exceed the buffer size). If the user enters
data of excessive length, the buffer may overflow, leading to the
application crashing or, worse, enabling the user to cause execution of
injected code.
Description
Many web servers enforce security in web applications through the use
of filter plugins. An example is the SiteMinder plugin used for
authentication. An overflow in such a plugin, possibly through a long
URL or redirect parameter, can allow an attacker not only to bypass the
security checks but also execute arbitrary code on the target web server
in the context of the user that runs the web server process.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
In most cases, overflowing a buffer does not require advanced skills
beyond the ability to notice an overflow and stuff an input variable
with content.
Skill or Knowledge Level: High
In cases of directed overflows, where the motive is to divert the flow
of the program or application as per the attacker's bidding, high-level
skills are required. This may involve detailed knowledge of the target
system architecture, memory layout and kernel, and of the mitigations in
place (stack canaries, non-executable memory, address space layout
randomization).
Resources Required
None: Detecting and exploiting a buffer overflow does not require any
resources beyond knowledge of and access to the target system.
Probing Techniques
The attacker sends overtly long input in variables under their control.
If the target system or application handles it gracefully, the attack
becomes difficult. An error condition or a system crash, however, points
to a high likelihood that the overflow is reachable; whether it can be
turned into code execution depends on what was overwritten and on which
mitigations are in place.
In cases where the attack is directed at a particular system or
application, such as an operating system or a web server, the attacker can
refer to system architecture and design documentation to figure out the
exact point of injection and exploitation.
Indicators-Warnings of Attack
An attack designed to leverage a buffer overflow and redirect execution as
per the attacker's bidding is fairly difficult to detect. An attack aimed
solely at bringing the system down is usually preceded by a barrage of long
inputs that make no sense. In either case, it is likely that the attacker
would have resorted to a few hit-or-miss attempts that will be recorded in
the system event logs, if they exist.
Obfuscation Techniques
A buffer overflow attack itself is fairly difficult to obfuscate. There
exist, however, fairly advanced techniques to obfuscate the payload (for
example, encoding the shellcode and prefixing it with a small decoder
stub) in order to bypass an intrusion detection system or filtering,
either in the application or by means of an application firewall of some
sort.
Solutions and Mitigations
Use a language or compiler that performs automatic bounds checking.
Use secure functions not vulnerable to buffer overflow (for example,
fgets instead of gets, and length-bounded copying and formatting such as
snprintf), and check their return values for truncation.
If you have to use dangerous functions, make sure that you do boundary
checking.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag detect an overwritten return address
when the function returns; they do not stop overwrites of other local
variables, function pointers or heap data. Unless a mechanism provides
automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality such as non-executable stack and
heap and address space layout randomization. Not a complete solution.
Utilize static source code analysis tools to identify potential buffer
overflow weaknesses in the software.
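The "secure functions" mitigation, as an added C example that is not part of CAPEC: a bounded line read with fgets in place of gets, and an snprintf-based appender that checks the return value for truncation. It also shows, without actually overflowing anything, the well-known misuse of snprintf's return value (`off += snprintf(...)`) that turns a safe function back into an overflow: the return value is the length the full output would have had, so after one truncated field `size - off` wraps. The field layout, MAX_LINE and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CAPEC's own code. The field layout, MAX_LINE and
 * the function names are assumptions chosen for illustration. */

#define MAX_LINE 64

/* BUGGY use of a "safe" function. snprintf() returns the length the
 * full output WOULD have had, not the bytes it wrote, so after one
 * truncated field `off` exceeds `size`; `size - off` then wraps to a
 * huge size_t and the next snprintf() is effectively unbounded. This
 * helper only computes that second bound (dry-run snprintf with a NULL
 * buffer) so the wrap can be observed without overflowing anything. */
size_t buggy_second_bound(size_t size, const char *user)
{
    size_t off = 0;

    off += (size_t)snprintf(NULL, 0, "user=%s ", user);
    return size - off;                   /* wraps when off > size */
}

/* HARDENED appender: writes key+value at *off, treats any return value
 * that does not fit as an error, and never advances *off past size.
 * Returns 0 on success, -1 on truncation; out[] stays NUL-terminated. */
int append_field(char *out, size_t size, size_t *off,
                 const char *key, const char *value)
{
    int n;

    if (*off >= size)
        return -1;
    n = snprintf(out + *off, size - *off, "%s%s", key, value);
    if (n < 0 || (size_t)n >= size - *off)
        return -1;                       /* would have been truncated */
    *off += (size_t)n;
    return 0;
}

int format_line(char *out, size_t size, const char *user, const char *path)
{
    size_t off = 0;

    if (size == 0)
        return -1;
    out[0] = '\0';
    if (append_field(out, size, &off, "user=", user) != 0)
        return -1;
    if (append_field(out, size, &off, " path=", path) != 0)
        return -1;
    return 0;
}

/* Self-check: returns 1 if user/path format into a `size`-byte line. */
int line_fits(size_t size, const char *user, const char *path)
{
    char out[MAX_LINE];

    if (size > sizeof out)
        return 0;
    return format_line(out, size, user, path) == 0;
}

/* fgets() in place of gets(): a bounded read, plus detection of a line
 * longer than the buffer (no newline arrived before it filled), which
 * is drained and rejected rather than silently split across two reads.
 * Returns 0 on success, -1 on EOF/error or an over-long line. */
int read_line(char *buf, size_t size, FILE *fp)
{
    size_t len;
    int c;

    if (fgets(buf, (int)size, fp) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    c = getc(fp);                        /* last line without newline? */
    if (c == EOF)
        return 0;
    while (c != EOF && c != '\n')        /* over-long: drain and reject */
        c = getc(fp);
    return -1;
}

int main(void)
{
    char user[MAX_LINE], line[MAX_LINE];

    if (read_line(user, sizeof user, stdin) != 0) {
        fputs("rejected: over-long or missing input\n", stderr);
        return 1;
    }
    if (format_line(line, sizeof line, user, "/var/log/app.log") != 0) {
        fputs("rejected: line does not fit\n", stderr);
        return 1;
    }
    puts(line);
    return 0;
}
```

Run it as `echo alice | ./a.out` and then with a 100-character name to see the second input refused. The point of `buggy_second_bound` is that the same snprintf call appears in both the buggy and the hardened code; only the handling of its return value differs.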
Attack Motivation-Consequences
Denial of Service
Run Arbitrary Code
Privilege Escalation
Injection Vector
User-controllable input. Any input that a user can control and that is
copied into a fixed-size buffer is prone to exploitation by overflow.
Payload
Malicious content, such as an overtly long input string, system shellcode or
commands, intended to cause a system crash and denial of service, or to escalate
privilege or execute code that results in information disclosure or system
compromise.
Activation Zone
Buffer allocated in memory for the input that carried the payload.
Payload Activation Impact
Denial of service, escalated privileges, execution of arbitrary code,
including system commands and low-level assembly code.
Multiple stack-based buffer overflows in the SUN RPC service in CA
(formerly Computer Associates) BrightStor ARCserve Media Server, as used
in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor
Enterprise Backup 10.5, Server Protection Suite 2, and Business
Protection Suite 2, allow remote attackers to execute arbitrary code via
malformed RPC strings.
CVE-2007-1910
Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote
attackers to cause a denial of service (application crash) and possibly
execute arbitrary code via a crafted document
All user-controllable input must be strictly validated for enforcement of
length and semantic checks
All exception conditions (such as ArrayIndexOutOfBounds) in applications
must be gracefully handled through use of available exception handling
mechanisms.
All applications and processes must be run with minimum privileges
necessary so as to avoid an escalation of privilege in case of a successful
exploit.
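The length and semantic validation required above, applied to the kind of input named in the ARCserve entry (a string whose length is declared by the message itself), as an added C example that is not part of CAPEC. The wire format is a deliberate simplification (4-byte big-endian length, then that many bytes of string data) and is not the encoding of any real RPC service; MAX_FIELD, the function names and the sample messages are constructed assumptions. The decoder checks the declared length against both the bytes actually received and the destination size, and a second function shows why the received-bytes check must be written as a subtraction rather than `declared + 4 <= msg_len`, which wraps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CAPEC's own code. The wire format is a deliberate
 * simplification (4-byte big-endian length, then that many bytes of
 * string data) and is not the encoding used by any real RPC service;
 * MAX_FIELD and the function names are likewise assumptions. */

#define MAX_FIELD 32

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The check a careless parser makes: "declared + 4 <= msg_len". With a
 * 32-bit `declared` the addition wraps for values near UINT32_MAX, the
 * check passes, and a later copy of `declared` bytes runs far past the
 * message. Returns 1 when the (wrong) check would accept the message. */
int naive_length_check_passes(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4)
        return 0;
    return (read_be32(msg) + 4) <= msg_len;   /* 0xFFFFFFFE + 4 wraps to 2 */
}

/* HARDENED decoder: copies one length-prefixed string from
 * msg[0..msg_len) into out[MAX_FIELD] and NUL-terminates it. Returns the
 * number of message bytes consumed, or 0 if the record is malformed.
 * Each check blocks a distinct way a crafted length can cause an overflow. */
size_t parse_string_field(const uint8_t *msg, size_t msg_len, char *out)
{
    uint32_t declared;

    if (msg == NULL || out == NULL || msg_len < 4)
        return 0;                             /* header itself truncated */
    declared = read_be32(msg);

    /* Declared length vs. bytes actually received. Written as a
     * subtraction on the known-good side so nothing can wrap. */
    if (declared > msg_len - 4)
        return 0;
    /* Declared length vs. destination, leaving room for the NUL. */
    if (declared >= MAX_FIELD)
        return 0;

    memcpy(out, msg + 4, declared);
    out[declared] = '\0';
    return 4 + (size_t)declared;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[]  = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t short_msg[] = { 0, 0, 0, 9, 'h', 'e', 'l', 'l', 'o' }; /* claims 9, carries 5 */
static const uint8_t huge_msg[]  = { 0xFF, 0xFF, 0xFF, 0xFE, 'x' };         /* length chosen to wrap */

static char last_field[MAX_FIELD];

/* Runs the hardened decoder into a scratch buffer; returns bytes consumed. */
size_t parse_into_scratch(const uint8_t *msg, size_t msg_len)
{
    return parse_string_field(msg, msg_len, last_field);
}

const char *last_parsed(void)
{
    return last_field;
}

/* Well-formed on the wire (40 bytes declared and present) but too big
 * for out[]: must be rejected by the destination check. */
size_t parse_oversized_sample(void)
{
    uint8_t msg[4 + 40];

    memset(msg, 'B', sizeof msg);
    msg[0] = 0; msg[1] = 0; msg[2] = 0; msg[3] = 40;
    return parse_into_scratch(msg, sizeof msg);
}

int main(void)
{
    printf("good:      consumed %zu, text \"%s\"\n",
           parse_into_scratch(good_msg, sizeof good_msg), last_parsed());
    printf("short:     consumed %zu\n", parse_into_scratch(short_msg, sizeof short_msg));
    printf("huge:      consumed %zu (naive check would pass: %d)\n",
           parse_into_scratch(huge_msg, sizeof huge_msg),
           naive_length_check_passes(huge_msg, sizeof huge_msg));
    printf("oversized: consumed %zu\n", parse_oversized_sample());
    return 0;
}
```

The order of the two checks matters less than their form: compare the untrusted length against a quantity computed from trusted values (`msg_len - 4`, `MAX_FIELD`), never add to the untrusted length before comparing it.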
Related Security Principles
Reluctance To Trust
Defense in Depth
Failing Securely
Related Guidelines
Ensure that the Bounds of No Memory Region Are Violated
Never Use Unvalidated Input as Part of a Directive to any Internal
Component
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.