This type of attack exploits a buffer overflow vulnerability in targeted
client software through injection of malicious content from a custom-built
hostile service.
Attack Execution Flow
The attacker creates a custom hostile service.
The attacker acquires information about the kind of client attaching to her hostile service to determine if it contains an exploitable buffer overflow vulnerability.
The attacker intentionally feeds malicious data to the client to exploit the buffer overflow vulnerability that she has uncovered.
The attacker leverages the exploit to execute arbitrary code or to cause a denial of service.
Attack Prerequisites
The targeted client software communicates with an external server.
The targeted client software has a buffer overflow vulnerability.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Injection
Examples-Instances
Description
Authors often use <EMBED> tags in HTML documents. For
example
If an attacker supplies an overly long path in the SRC= directive, the
mshtml.dll component will suffer a buffer overflow. This is a standard
example of content in a Web page being directed to exploit a faulty
module in the system. There are potentially thousands of different ways
data can propagate into a given system, thus these kinds of attacks will
continue to be found in the wild.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To achieve a denial of service, an attacker can simply overflow a
buffer by inserting a long string into an attacker-modifiable injection
vector.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack of a
software system or even the heap requires more in-depth knowledge and a
higher skill level.
Probing Techniques
Description
The server may look like a valid server, but in reality it may be a
hostile server aimed at fooling the client software. For instance, the
server can use honey pots and get the client to download malicious
code.
Description
Once engaged with the client, the hostile server may attempt to scan
the client's host for open ports and potential vulnerabilities in the
client software.
Description
The hostile server may also attempt to install and run malicious code
on the client software. That malicious code can be used to scan the
client software for buffer overflow.
Indicators-Warnings of Attack
Description
An example of an indicator is the client software crashing after
executing code downloaded from a hostile server.
Solutions and Mitigations
The client software should not install untrusted code from an
unauthenticated server.
The client software should have the latest patches and should be audited
for vulnerabilities before being used to communicate with potentially
hostile servers.
Perform input validation for length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.
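As an added illustration of the length-validation and bounds-checking items above (example code written for this page, not part of the CAPEC entry): a client copies a server-supplied SRC= value into a fixed-size buffer, checking the length before the copy and refusing overlong values. The tag format, the 64-byte buffer and the sample inputs are constructed assumptions.

```c
#include <string.h>

#define PATH_MAX_LEN 64   /* fixed-size buffer the client keeps for a SRC= value */

/* Locate the value after "SRC=" in a server-supplied tag; NULL if absent.
   The value runs to whitespace or '>' and is not NUL-terminated. */
static const char *find_src_value(const char *tag, size_t *len)
{
    const char *p = strstr(tag, "SRC=");
    if (p == NULL) return NULL;
    p += 4;
    const char *end = p;
    while (*end != '\0' && *end != ' ' && *end != '>') end++;
    *len = (size_t)(end - p);
    return p;
}

/* Hardened copy. The vulnerable pattern this replaces is memcpy(path, v, len)
   with len taken straight from the server, which overruns 'path' once the value
   reaches PATH_MAX_LEN bytes. Check first and refuse overlong input rather than
   truncate, so the caller can treat the server as hostile. 0 / -1 (no SRC=) / -2. */
int copy_src_checked(const char *tag, char path[PATH_MAX_LEN])
{
    size_t len;
    const char *v = find_src_value(tag, &len);
    if (v == NULL) return -1;
    if (len >= PATH_MAX_LEN) return -2;   /* no room for value plus NUL */
    memcpy(path, v, len);
    path[len] = '\0';
    return 0;
}

/* Constructed benign input: returns the parsed path, or NULL on rejection. */
const char *parse_benign_tag(void)
{
    static char path[PATH_MAX_LEN];
    return copy_src_checked("<EMBED SRC=intro.swf WIDTH=320>", path) == 0 ? path : NULL;
}

/* Constructed hostile input: a tag whose SRC= value is n bytes of 'A', as an
   overlong path from a hostile server. Returns copy_src_checked's verdict. */
int verdict_for_src_len(size_t n)
{
    char tag[256], path[PATH_MAX_LEN];
    size_t i = 11;
    memcpy(tag, "<EMBED SRC=", 11);
    while (i < 11 + n && i < sizeof tag - 2) tag[i++] = 'A';
    tag[i++] = '>'; tag[i] = '\0';
    return copy_src_checked(tag, path);
}
```

A value of 63 bytes still fits (63 characters plus the terminator); anything from 64 bytes up is rejected before a single byte is copied.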
Attack Motivation-Consequences
Scope                                       Technical Impact                         Note
Confidentiality                             Read memory
Integrity                                   Modify memory
Availability                                DoS: resource consumption (memory)
Confidentiality, Integrity, Availability    Execute unauthorized code or commands
Payload
Attacker-supplied data potentially containing malicious code.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately, that return address may have
been overwritten by the overflowed buffer, and the address may now point to a
privileged command or to malicious code.
Payload Activation Impact
Description
The most common impacts are remote code execution and denial of service.