buffer00

Secure Programming: Buffer Overflow

buffer00

Definition of Buffer Overflow

Buffer overflows  = buffer overruns

Buffer overflow is an event that occurs when we have:

—Fixed-length data buffer (e.g., string)

—At least one value intended for buffer is written outside that buffer’s boundaries (usually past its end)

Some definitions also include reading outside buffer

NIST’s definition:
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”

Buffer Overflow: A Well Known Problem

• Noted in “Computer Security Technology Planning Study” (1972)

• If exploitable

—Attacker can often completely control program

—Attacker can typically cause denial-of-service

– Many defenses simply downgrade from “control program” to DoS

• Still of major concern due to

—legacy of widely deployed buggy codes

—careless programming techniques

• 2 Types:

—Stack overrun.  Buffer in stack; attack is called “stack smashing”

—Heap overrun.  Buffer in heap; attack is called “heap smashing”

Buffer overflow Examples

• 1988: Morris worm – took down Internet

— – via gets() in fingerd command

• 1998: University of Washington IMAP (mail) server

• 1999: RSA crypto reference implementation

— – Subverted PGP, OpenSSH, Apache’s ModSSL, etc.

• 2001: Code Red worm – buffer overflow in Microsoft’s Internet Information Services (IIS) 5.0

• 2003: SQL Slammer worm compromised machines running Microsoft SQL Server 2000

• ~2008: Twilight hack – unlocks Nintendo Wii consoles

— – Creates a strange long horse name for “The Legend of Zelda: Twilight Princess” that includes a program

Importance of Buffer Overflow

• “Practically every worm that has been unleashed in the Internet has exploited a buffer overflow vulnerability in some networking software.”*

A Real Buffer Overflow Example:
telnet service

• The Telnet protocol (telnet command) allows a user to establish a terminal session on a remote machine for the purpose of executing commands there.

• telnet is not a secure service, so, remote terminal sessions are now created with the SSH command

• But it is still used:

—- By human users to gain terminal access to other hosts

—- For some computer-to-computer exchanges within networks

How TELNET Works?

• Telnet server monitors port 23 for incoming connection requests from Telnet clients

• a client runs telnet program to establish a connection with a remote server

• the client sends its socket number to the server

• Socket number = IP + port number

• The server receives the client socket number and send beck its own socket number

Attack on Telnet

• (10 Feb 2007) US-CERT (United States Computer Emergency Readiness Team) issued the following Vulnerability Note:

Vulnerability Note VU#881872

OVERVIEW: A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.

Description: The Sun Solaris telnet daemon may accept authentication information vis the USER environment variable. However, the daemon does not properly sanitize this information before passing it

on to the login program and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. …..

This vulnerability is being exploited by a worm …

• (31 Dec 2004) CISCO issued the following security advisory:

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability

Document ID: 61671

Revision 2.4

Summary:

A specifically crafted TCP connection to a telnet or a revers e telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, remote shell (RSH), secure shell (SSH), and in some cases HTTP access to the Cisco device.  Data Link Switching (DLSw) and protocol translation connections may also be affected.  Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior to exploitation are not affected.

….

This vulnerability affects all Cisco devices that permit access via

telnet or reverse telnet…….

….

Telnet, RSH, and SSH are used for remote management of Cisco I

OS devices. …

• (7 Feb 2002) Microsoft released the following security bulletin:

Microsoft Security Bulletin MS02-

Problem:  A vulnerability exists in some Microsoft Telnet Se

rver products that may cause a denial-of-service or allow an attacker to execute code on the system.

Platform:  Telnet Service in Microsoft Windows 2000

Damage:    A successful attack could cause the Telnet Server to fail, or in some cases, may allow an attacker to execute

code of choice on the system.

…..

Vulnerability Assessment:  The risk is HIGH.  Exploiting this vulnerability may allow an attacker

complete control of the system.

Summary:

Unchecked buffer in telnet server could lead to arbitrary code execution

…..

The server implementation ….. contains unchecked buffers in code that handles the processing of telnet protocol options

Buffer Overflow Basics

• Caused by programming error

• Allows more data to be stored than capacity available in a fixed sized buffer

— – buffer can be on stack, heap, global data

• Overwriting adjacent memory locations

— – corruption of program data

— – unexpected transfer of control

— – memory access violation

— – execution of code chosen by attacker

buffer1

Programming languages & buffer overflow

• Some languages allow buffer overflow

— – C, C++, Objective-C, Vala, Forth, assembly language

• Most languages counter buffer overflow…

— – Ada strings, Pascal: Detect/prevent overflow

— – Java, Python, perl, Ada unbounded_string: Auto-resize

• Using other languages doesn’t give immunity

— – Most language implementations are in C/C++

— – Many libraries/components/OSs include C/C++

— – Some languages/compilers allow disabling protection

• Including languages C# and Ada

— – Choosing another language helps – but not completely

ادامه مطلب و دانلود مقاله

References

Avinash Kak, Buffer Overflow Attack, Computer & Network Security, Purdue University, April 2016.

David A. Wheeler, Secure Software Design & Programming: Low-level attacks (Buffer overflow and friends), SWE 681/ISA 681, George Mason University, Aug 2014.

Hossein Saiedian, Computer Security: Principles and Practice, Chapter 10: Buffer Overflow, University of Kansas, Fall 2014.

UO Security Club, Stack Buffer Overflow, Fall 2014.