0
Buffer Overflow Attacks



                          1
What are buffer overflows?
•   Suppose a web server contains a function:
        void func(char *str) {
        char buf[1...
Basic stack exploit

o Main problem: no range checking in strcpy().
o Suppose *str is such that after strcpy stack looks l...
Some unsafe C lib functions

o strcpy (char *dest, const char *src)

o strcat (char *dest, const char *src)

o gets (char ...
Exploiting buffer overflows

Suppose web server calls func() with given URL.
 Attacker can create a 200 byte URL to obtain...
Causing program to exec attack
               code
o Stack smashing attack:
o   Override return address in stack activatio...
Finding buffer overflows

Hackers find buffer overflows as follows:
o Run web server on local machine.
o Issue requests wi...
Preventing buf overflow attacks

o Main problem:
o strcpy(), strcat(), sprintf() have no range checking.
o “Safe” versions...
Marking stack as non-execute

o Basic stack exploit can be prevented by marking
o     stack segment as non-executable or
o...
Static source code analysis

Statically check source to detect buffer overflows.
Several consulting companies.

 Several t...
Recent Attacks


o RealPlayer, Helix Player, KM Player vulnerable to
  attack.

o Exploit code released for Adobe Photosho...
Upcoming SlideShare
Loading in...5
×

Buffer Overflow Attacks

3,959

Published on

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,959
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
144
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Buffer Overflow Attacks"

  1. 1. Buffer Overflow Attacks 1
  2. 2. What are buffer overflows? • Suppose a web server contains a function: void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); } • } When the function is invoked the stack looks like: • What if *str is 136 bytes long? After strcpy 2
  3. 3. Basic stack exploit o Main problem: no range checking in strcpy(). o Suppose *str is such that after strcpy stack looks like: o When func() exits, the user will be given a shell !! o Note: attack code runs in stack. o To determine ret guess position of stack when func() is called. 3
  4. 4. Some unsafe C lib functions o strcpy (char *dest, const char *src) o strcat (char *dest, const char *src) o gets (char *s) o scanf ( const char *format, … ) o printf (conts char *format, … ) 4
  5. 5. Exploiting buffer overflows Suppose web server calls func() with given URL. Attacker can create a 200 byte URL to obtain shell on web server. Some complications: o Program P should not contain the ‘0’ character. o Overflow should not crash program before func() exits. Sample buffer overflow of this type: o Overflow in MIME type field in MS Outlook. 5
  6. 6. Causing program to exec attack code o Stack smashing attack: o Override return address in stack activation record by overflowing a local buffer variable. o Function pointers: (used in attack on Linux) o Overflowing buf will override function pointer. o Longjmp buffers: longjmp(pos) (used in attack on Perl 5.003) 6
  7. 7. Finding buffer overflows Hackers find buffer overflows as follows: o Run web server on local machine. o Issue requests with long tags. o All long tags end with “$$$$$”. o If web server crashes, o search core dump for “$$$$$” to find o overflow location. o Some automated tools exist. (eEye Retina, ISIC). 7
  8. 8. Preventing buf overflow attacks o Main problem: o strcpy(), strcat(), sprintf() have no range checking. o “Safe” versions strncpy(), strncat() are misleading o – strncpy() may leave buffer unterminated. o – strncpy(), strncat() encourage off by 1 bugs. o Defenses: o Type safe languages (Java, ML). Legacy code? o Mark stack as non-execute. Random stack location. o Static source code analysis. o Run time checking: StackGuard, Libsafe, SafeC, (Purify). o Black box testing (e.g. eEye Retina, ISIC ). 8
  9. 9. Marking stack as non-execute o Basic stack exploit can be prevented by marking o stack segment as non-executable or o randomizing stack location. o Code patches exist for Linux and Solaris. o Problems: o Does not block more general overflow exploits: o – Overflow on heap: overflow buffer next to func pointer. o Some apps need executable stack (e.g. LISP interpreters). 9
  10. 10. Static source code analysis Statically check source to detect buffer overflows. Several consulting companies. Several tools exist: o @stake (l0pht.com): SLINT (designed for UNIX) o its4. Scans function calls. o Wagner. Test constraint violations. o Engler. Test trust inconsistency. Find lots of bugs. 10
  11. 11. Recent Attacks o RealPlayer, Helix Player, KM Player vulnerable to attack. o Exploit code released for Adobe Photoshop flaw. News - Security - ZDNet Australia_files 11
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×