CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Individual CAPEC Dictionary Definition (Release 1.1)

Overflow Buffers

Attack Pattern ID

100

Pattern Abstraction

Standard

Typical Severity

Very High

Description

Summary

Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.

Attack Execution Flow

  1. The attacker identifies a buffer to target. Buffer regions are allocated either on the stack or on the heap, and the exact nature of the attack varies depending on the location of the buffer.

  2. Next, the attacker identifies an injection vector to deliver the excessive content to the targeted buffer.

  3. The attacker crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the attacker will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the attacker's choosing which points to code injected by the attacker.

  4. The attacker injects the content into the targeted software.

  5. Upon successful exploitation, the system either crashes or control of the program is returned to a location of the attacker's choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target.

Attack Prerequisites

Targeted software performs buffer operations.

Targeted software inadequately performs bounds-checking on buffer operations.

Attacker has the capability to influence the input to buffer operations.

Typical Likelihood of Exploit

High

Methods of Attack
  • Injection
  • Analysis

Examples-Instances

Description

The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.

Description

Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an attacker not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process.

Attacker Skill or Knowledge Required

Low: In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.

High: In cases of directed overflows, where the motive is to divert the flow of the program or application as per the attacker's bidding, high-level skills are required. This may involve detailed knowledge of the target system architecture and kernel.

Resources Required

None: Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.

Probing Techniques

The attacker sends in overly long input in variables under their control. If the target system or application handles it gracefully, the attack becomes difficult. However, an error condition or a system crash points to a high likelihood of successful exploitation.

In cases where the attack is directed at a particular system or application, such as an operating system or a web server, the attacker can refer to system architecture and design documentation to figure out the exact point of injection and exploitation.

Indicators-Warnings of Attack

An attack designed to leverage a buffer overflow and redirect execution as per the attacker's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the attacker would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.
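The indicator described above (a barrage of overly long inputs from one source, followed by a crash record) can be checked for mechanically. The following C program is an added example, not part of the CAPEC entry or of any product: it scans a small set of constructed log records (web access lines plus one kernel crash line), counts per-source requests whose quoted request line exceeds an assumed length threshold, and flags a source as a barrage once it reaches an assumed minimum count. The log format, the thresholds MAX_REQ_LEN and BARRAGE_MIN, and every record in SAMPLE_LOG are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Thresholds are assumptions for this example, not values from CAPEC. */
#define MAX_REQ_LEN 120   /* request lines longer than this are "overly long" */
#define BARRAGE_MIN 3     /* long inputs from one source that make a barrage   */
#define MAX_SOURCES 16
#define IP_LEN 40

struct source_stat {
    char ip[IP_LEN];
    int long_inputs;     /* requests over MAX_REQ_LEN seen from this source */
};

struct scan_result {
    struct source_stat src[MAX_SOURCES];
    size_t nsources;
    int crash_lines;     /* records carrying a process crash marker */
    int barrages;        /* sources whose long_inputs reached BARRAGE_MIN */
};

/* Constructed sample records. FILL is 128 bytes of filler standing in for
 * an overly long parameter value; the crash line is a constructed kernel
 * message in the usual Linux "segfault" format. */
#define A16 "AAAAAAAAAAAAAAAA"
#define FILL A16 A16 A16 A16 A16 A16 A16 A16
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [18/Apr/2008:10:01:02] \"GET /index.html HTTP/1.1\" 200",
    "10.0.0.9 - - [18/Apr/2008:10:01:05] \"GET /login?user=" FILL " HTTP/1.1\" 500",
    "10.0.0.5 - - [18/Apr/2008:10:01:07] \"GET /about.html HTTP/1.1\" 200",
    "10.0.0.9 - - [18/Apr/2008:10:01:08] \"GET /search?q=" FILL " HTTP/1.1\" 500",
    "10.0.0.9 - - [18/Apr/2008:10:01:10] \"POST /cgi-bin/redir?to=" FILL " HTTP/1.1\" 500",
    "Apr 18 10:01:12 www1 kernel: httpd[4123]: segfault at 41414141 ip 41414141 sp bffff5a0 error 4",
    "10.0.0.5 - - [18/Apr/2008:10:01:15] \"GET /index.html HTTP/1.1\" 200",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Length of the quoted request ("GET /... HTTP/1.1"); 0 if the record has none. */
static size_t request_len(const char *line) {
    const char *open = strchr(line, '"');
    if (open == NULL) return 0;
    const char *close = strchr(open + 1, '"');
    if (close == NULL) return strlen(open + 1);   /* unterminated: count the rest */
    return (size_t)(close - open) - 1;
}

/* Find or create the per-source counter for the leading token of the record.
 * The token is copied with an explicit bound, never with strcpy(). */
static struct source_stat *source_for(struct scan_result *r, const char *line) {
    const char *sp = strchr(line, ' ');
    size_t len = sp ? (size_t)(sp - line) : strlen(line);
    if (len >= IP_LEN) len = IP_LEN - 1;
    for (size_t i = 0; i < r->nsources; i++)
        if (strncmp(r->src[i].ip, line, len) == 0 && r->src[i].ip[len] == '\0')
            return &r->src[i];
    if (r->nsources == MAX_SOURCES) return NULL;   /* table full: drop, don't overflow */
    struct source_stat *s = &r->src[r->nsources++];
    memcpy(s->ip, line, len);
    s->ip[len] = '\0';
    s->long_inputs = 0;
    return s;
}

/* Scan n records; fill *r and return the number of sources flagged as a barrage. */
int scan_logs(const char *const *lines, size_t n, struct scan_result *r) {
    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], "segfault") != NULL) {   /* crash marker */
            r->crash_lines++;
            continue;
        }
        size_t len = request_len(lines[i]);
        if (len == 0) continue;                        /* not a request record */
        struct source_stat *s = source_for(r, lines[i]);
        if (s == NULL) continue;
        if (len > MAX_REQ_LEN && ++s->long_inputs == BARRAGE_MIN)
            r->barrages++;
    }
    return r->barrages;
}

int main(void) {
    struct scan_result r;
    int flagged = scan_logs(SAMPLE_LOG, SAMPLE_LOG_COUNT, &r);
    for (size_t i = 0; i < r.nsources; i++)
        printf("%-15s long inputs: %d%s\n", r.src[i].ip, r.src[i].long_inputs,
               r.src[i].long_inputs >= BARRAGE_MIN ? "  <-- barrage" : "");
    printf("crash records: %d, sources flagged: %d\n", r.crash_lines, flagged);
    return 0;
}
```

Correlating the flagged source with the crash record that follows it is what turns a pile of odd-looking requests into the "hit-or-miss attempts" the text describes; a real deployment would read the records from the event log rather than an embedded array and tune the two thresholds to the application's normal request sizes.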

Obfuscation Techniques

A buffer overflow attack itself is pretty difficult to obfuscate. There do, however, exist fairly advanced techniques to obfuscate the payload in order to bypass an intrusion detection system or filtering, either in the application or by means of an application firewall of some sort.

Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use secure functions not vulnerable to buffer overflow.

If you have to use dangerous functions, make sure that you do boundary checking.

Use compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless such a mechanism also provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. This is not a complete solution on its own.

Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.
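The Examples-Instances description above (an application that reads user input into an internal buffer without checking its size) and the mitigations just listed (bounded reads, secure functions, boundary checks, failing securely) fit in one short C program. It is an added example, not code from the CAPEC entry: the unchecked store is the defective pattern, shown for contrast and never called with oversized input here; the checked store enforces the length against the destination capacity before writing and rejects, rather than truncates, input that does not fit; and the line reader uses fgets with the buffer size instead of an unbounded read. NAME_LEN, the function names and the status codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* capacity of the internal buffer, including the NUL */

enum store_status { STORE_OK = 0, STORE_TOO_LONG = 1 };

/* The defective pattern: input is copied into a fixed buffer with no check
 * against its size. strcpy() stops at the end of the source, not of the
 * destination, so any input of NAME_LEN bytes or more writes past the
 * buffer (CWE-120). Kept only for contrast; never called with long input. */
void store_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Length of s reading at most max bytes, so a missing terminator in the
 * source cannot itself cause an over-read (same contract as strnlen(),
 * written out so the example needs only ISO C). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* The hardened form: enforce the limit before any byte is written, and
 * reject oversized input outright instead of truncating it, so the caller
 * fails securely rather than silently accepting mangled data. */
enum store_status store_name_checked(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return STORE_TOO_LONG;
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size) return STORE_TOO_LONG;   /* no room for the NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return STORE_OK;
}

/* Bounded line read (fgets with the buffer size, never gets). Returns 1 if a
 * complete line fitted, 0 on EOF/error or if the line was too long; an
 * over-long line is discarded up to its newline so it is not re-read as
 * the next input. */
int read_line_bounded(char *buf, size_t buf_size, FILE *in) {
    if (buf_size < 2 || fgets(buf, (int)buf_size, in) == NULL) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    if (len < buf_size - 1) return 1;          /* last line at EOF, no newline */
    int c;                                      /* buffer filled: line cut short */
    while ((c = getc(in)) != EOF && c != '\n') { }
    return 0;
}

int main(void) {
    char name[NAME_LEN], copy[NAME_LEN];
    printf("name (at most %d characters): ", NAME_LEN - 1);
    if (!read_line_bounded(name, sizeof name, stdin)) {
        fputs("input rejected: too long or unreadable\n", stderr);
        return 1;
    }
    if (store_name_checked(copy, sizeof copy, name) != STORE_OK) {
        fputs("input rejected: does not fit the buffer\n", stderr);
        return 1;
    }
    printf("stored: %s\n", copy);
    return 0;
}
```

The choice to reject rather than truncate matches the "Failing Securely" principle listed later on this page: a truncated value may still be accepted downstream as valid data, whereas a rejection is visible to the caller and to the logs.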

Attack Motivation-Consequences
  • Denial of Service
  • Run Arbitrary Code
  • Privilege Escalation

Context Description

Every program or application is designed to process some inputs received from the user or another system. Buffer overflows abound because programs trust user-controlled input.

A buffer is a region of memory allocated for the purpose of storing certain data values. These can be environment variables, user-supplied input or temporary scratch space. These regions are allocated on a stack (static allocation) or a heap (dynamic allocation). Although the exact payload used to exploit an overflow in buffers allocated on the stack or heap differs, the general technique is to stuff an input variable with more data than expected.

Managed environments, such as the Java language or the .NET platform, enforce strict type and bounds checking. This means that an attempt at a buffer overflow results in a system error. Note that this protection does not make an application secure; it makes exploitation of overflow conditions more difficult than in applications written in unmanaged languages, such as C and C++. For example, the Structured Exception Handling mechanism technically allows an application to perform certain actions before the process is shut down. In case of a buffer overflow, this can be used to close sensitive files or disable certain functionality. However, it is possible to abuse the SEH mechanism as well and execute a successful buffer overflow exploit; only the effort and technical knowledge required are far greater than average. Therefore, it remains the developer's and designer's prerogative to design a system in such a way that no overflow conditions exist.

Injection Vector

User-controllable input. Usually, any input that a user can control is prone to exploitation by overflow.

Payload

Malicious content, such as an overly long input string, system shellcode or commands, intended to cause a system crash and denial of service, or to escalate privilege or execute code that results in information disclosure or system compromise.

Activation Zone

Buffer allocated in memory for the input that carried the payload.

Payload Activation Impact

Denial of service, escalated privileges, execution of arbitrary code, including system commands and low-level assembly code.

Related Weaknesses

CWE-ID | Weakness Name | Weakness Relationship Type
120 | Unbounded Transfer ('Classic Buffer Overflow') | Targeted
119 | Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer | Secondary
19 | Data Handling | Secondary
Related Vulnerabilities

Vulnerability-ID | Vulnerability Description
CVE-2007-2139 | Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings.
CVE-2007-1910 | Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document.
Related Attack Patterns

ID | Name | Relationship Type | Relationship Description
8 | Buffer Overflow in an API Call | More Abstract |
9 | Buffer Overflow in Local Command-Line Utilities | More Abstract |
10 | Buffer Overflow via Environment Variables | More Abstract |
24 | Filter Failure through Buffer Overflow | Occasionally Precedes |
46 | Overflow Variables and Tags | More Abstract |
47 | Buffer Overflow via Parameter Expansion | More Abstract |
Relevant Security Requirements

All user-controllable input must be strictly validated for enforcement of length and semantic checks.

All exception conditions (such as ArrayIndexOutOfBounds) in applications must be gracefully handled through use of available exception handling mechanisms.

All applications and processes must be run with minimum privileges necessary so as to avoid an escalation of privilege in case of a successful exploit.

Related Security Principles
  • Reluctance To Trust
  • Defense in Depth
  • Failing Securely

Related Guidelines
  • Ensure that the Bounds of No Memory Region Are Violated
  • Never Use Unvalidated Input as Part of a Directive to any Internal Component

Purpose

Penetration

Exploitation

CIA Impact

Confidentiality Impact | Integrity Impact | Availability Impact
High | High | High

Technical Context

Architectural Paradigm | Framework | Platform | Language
All | All | AJAX
Source

Submission(s)

Submitter | Organization | Date | Comment
Chiradeep B. Chhaya | | 2007-04-30 | First Draft

Modification(s)

Modifier | Organization | Date | Comment
Sean Barnum | Cigital, Inc | 2007-05-02 | Review and revise

Page Last Updated: April 18, 2008