
Buffer Overflow – Offensive Point of View

Toe Khaing Oo

Myanmar Security Forum

About Me

- Final year student at UCSY.

- Moderator at Myanmar Security Forum.

- Core member at Fedora Project Myanmar Community.

Buffer Overflow Basics

What is buffer?

- Any area of memory where more than one piece of data is stored.

- A place where the CPU can store data temporarily.

- The data may come from input.

Buffer Overflow

- A well-known form of software security vulnerability.

- Errors occur when operating on buffers of char type.

- Difficult to discover, difficult to exploit.

- Exploited for fun and profit.

How Overflow Works

An overflow occurs when a program receives more data than it expects.

When that data is written, it can overwrite other data in memory. An attacker can inject malicious code in place of the overwritten data.

The attacker can then take control of the target computer.

Buffer Overflow Types

Mostly two types:

- Stack-based overflow.

- Heap-based overflow.

Other types:

- Integer overflows

- Format string attack

Stack Based Overflow

Occurs when variable-size data is copied into fixed-length buffers located on the stack without any bounds checking.

Data is written past the end of buffers allocated on the stack.

Example Program

Sample C program, saved as sto.c:

#include <stdio.h>   /* printf, gets and puts are declared here, not in <unistd.h> */

void sto()
{
    char buff[5];              /* fixed 5-byte buffer on the stack */
    printf("Some input : ");
    gets(buff);                /* no bounds check: more than 4 characters overflow buff
                                  (gets() is deprecated and removed in C11) */
    puts(buff);
}

int main(int argc, char *argv[])
{
    sto();
    return 0;
}

Entering four "A" characters returns the data correctly.

Entering a larger input such as "A" * 20 produces a "Segmentation Fault" error.
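The safe counterpart of sto() above, as an added example that is not part of the original slides: read_bounded() and classify_input() are assumed names, and the 20-byte tail-drain behaviour is a design choice for this example. It reads into the same 5-byte buffer with fgets() instead of gets(), accepts exactly the inputs that fit (such as the four "A" characters) and rejects the "A" * 20 input without ever writing past the buffer.

```c
#include <stdio.h>
#include <string.h>
/* Assumed replacement for the gets() call in sto(): reads into the same
 * fixed buffer with fgets() and refuses any line that does not fit. */
enum { READ_OK = 0, READ_TOO_LONG = 1, READ_EOF = 2 };
/* Returns READ_OK if a whole line fit in buf (newline stripped, as gets() did),
 * READ_TOO_LONG if not (buf emptied, rest of the line discarded), READ_EOF
 * if there was no input. Never writes past bufsz bytes. */
int read_bounded(char *buf, size_t bufsz, FILE *in)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL) {
        if (bufsz) buf[0] = '\0';
        return READ_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return READ_OK;
    }
    /* No newline: the line either fit exactly (next byte is '\n' or EOF)
     * or is longer than bufsz-1 bytes, which gets() would have overflowed. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return READ_OK;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                           /* discard the overflowing tail */
    buf[0] = '\0';
    return READ_TOO_LONG;
}

/* Feed a constructed input line through read_bounded() via a temp file,
 * so the example runs without interactive input. */
int classify_input(const char *line, char *buf, size_t bufsz)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(line, f);
    rewind(f);
    int rc = read_bounded(buf, bufsz, f);
    fclose(f);
    return rc;
}

int main(void)
{
    char buff[5];               /* same 5-byte buffer as sto() in the slides */
    printf("AAAA -> rc=%d\n", classify_input("AAAA\n", buff, sizeof buff));
    printf("A*20 -> rc=%d\n", classify_input("AAAAAAAAAAAAAAAAAAAA\n", buff, sizeof buff));
    return 0;
}
```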

Heap Overflow

● The heap is a memory segment used for storing dynamically allocated data and global variables.

● It consists of:

– Boundary tags

– Memory management information

How Heap Overflow Occurs

● Overwriting a function pointer that happens to be allocated on the heap.

● As with stack-based overflow, the input strings are larger than expected.

● Unlike stack-based overflow, the results are different.

Example

#include <windows.h>   /* HANDLE, HLOCAL, HeapCreate, HeapAlloc (Win32 API) */
#include <string.h>

int vulnerable(char *buf);

int main(int argc, char *argv[])
{
    ...
    vulnerable(argv[1]);
    return 0;
}

int vulnerable(char *buf)
{
    HANDLE hp = HeapCreate(0, 0, 0);          /* private heap */
    HLOCAL chunk = HeapAlloc(hp, 0, 260);     /* 260-byte block on that heap */
    strcpy(chunk, buf);   /* Vulnerability: no length check, input longer than 260 bytes overflows the block */
    ……..
    return 0;
}

When a heap-based buffer is overflowed, the control information next to it is overwritten, so when the buffer (the allocated block) is freed and the heap manager comes to update the pointers in its array, there is going to be an access violation.

Format Strings Attack

● Occurs when input string data is evaluated as a command (a format string) by the application.

● An attacker can execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviours that could compromise the security or the stability of the system.

● Functions like printf and fprintf convert variables into string output according to a format.

● Format string parameters such as %x and %s define the conversion.

● An attacker inserts a sequence of format specifiers, making the program read from illegal addresses.

Discovering Buffer Overflow

● Blackbox testing

● Graybox testing

● Whitebox testing

Blackbox testing

● Input bad characters into the input box and check the memory registers with a debugger.

● Check whether the register can be overwritten.

Graybox Testing

● Reviewing code.

● Checking binary files.

Whitebox Testing

● Reading source code.

● Static analyzer tools.

● Fuzzing (e.g. Spike fuzzer).

Exploitation

● Check the pattern.

● Check the offset number.

● Check whether it is necessary to inject junk code.

● Generate shellcode and inject it.

Avoiding Buffer Overflow

● Check the program with a static code analyzer.

● Check that bounds checking is performed.

● Check buffers of char type.

● Use a high-level language like Java or C#.

● Some IDEs have bounds checking by default.

Thanks ;)