The term “buffer overflow” does not appoint a particular vulnerability but rather a concept, a family of vulnerabilities. A vulnerability of that type – when it is exploited – often allows an attacker to remotely execute code on the targeted machine. It is thus a family of vulnerabilities that can have a very important impact and very serious consequences.
What is a “buffer overflow” vulnerability?
“Buffer overflows” can appear in any type of applications (websites, intranets, office applications…). Since a web application relies on many software bricks (an operating system, a web server and its different modules such as mod_php or mod_ssl, a database server…), it is often in these underlying bricks that these vulnerabilities are located.
Here, the memory of the machine that is targeted. Indeed, each information or function stored needs a more or less important memory space. The anticipation of this need, as well as the general allocation and liberation of the memory, are the developer’s responsibility, in these “low-level” languages (deep inside) of the program (C or C++; for more explanation about these languages, please read our article about the Ghost vulnerability). The vulnerability can thus be exploited in two cases, when:
- This calculation is poorly made and the resources of the machines are poorly handled.
- The rights of the information entered by the user are poorly controlled and it override the authorized size without the request being stopped by the server.
The subtlety resides in the art of transforming this “buffer overflow” (actually an overflow of the memory space of a function) into a remote code execution. In order to explain this concept, we will take the example of the simplest category of the “buffer overflow” family: “stack overflows”.
A program is a set of functions written by a human, in code (for instance in C). To make a program work, a tool called a compiler will read these functions and transform the “human” code into a language that can be understood by the machine: the assembly code. It is this code that enables the machine to execute the program.
The program’s functions call variables that are stored in a specific part of the memory: the stack. The information is piled and read, in the right order. The vulnerability can be exploited when the memory space allocated to a specific variable is overflown, and when it is possible to erase some of the variables used by the assembly code.
Let us imagine the following simili-code, which is read by the compiler from the bottom up:
Here, when the compiler generates the assembly code from the C code, it will take the necessary and sufficient measures so that, when the execution of the function “read_password()” ends, the machine starts the execution again straight to the right place in the function “authentify()”, whose role is to check if the password is right. In order to do that, the compiler will store, on the stack, the address where the code execution will start again, after the function “read_password()”. However, it so happens that this address is placed right after the “password” variable declared in the corresponding reading function.
Thus, on the stack, we can for instance find a memory slot booked for the password variable and whose size matches 256 characters, directly followed by a memory slot booked for the address where the execution must start again. By entering a password exceeding 256 characters, the attacker will thus overflow the memory booked for the variable, and reach the following block. The characters exceeding the allowed 256 will thus take the place of the ones constituting the following function’s address, which will be erased.
To simplify, let us consider that the password characters limit is 8. In a normal case, the situation can be sketched as follows:
In the case where there is a “stack overflow” vulnerability, and the pirate wishes to access directly the “success” function, here is what happens. The pirate will enter a password exceeding the limit of 8 characters, by writing for instance “PASSWORDaddress_function_success—“:
As we can see, the part exceeding the allowed 8 characters, “address_function_success—” erased (replaced), “address_function_authentify”. The pirate will thus be authentified without having to enter the right password. It is only an example of this vulnerability’s exploitation; there are many other ways to use this method.
How to avoid “buffer overflow” vulnerabilities?
These vulnerabilities can be avoided thanks to a meticulous programation. However, the programs written in C code are often sizeable and relatively complex, and require much more attention (notably because of this aspect of memory handling). Finally, their detection is much more complex than those of XSS attacks or other SQL injections, since the implied algorithmic complexity is often much bigger.
CerberHost’s answers to “buffer overflows”
The answer is here expressed in several angles:
1°) Through a permanent watch: our SecOps (Security Operations) experts analyze daily the whole of published potential vulnerabilities in order to identify whether one of them could directly or indirectly impact us. The goal here is to minimize the reaction time, and to be aware, at any moment, of the potential risks.
2°) through technical components: our whole set of machines use pax/grsec patches for Linux. These patches reinforce local security, and are particularly effective against “buffer overflows”. Indeed, they drastically increase the complexity of the attack by randomly placing the elements of the program on the machine’s memory. It thus becomes complicated, even impossible, for attackers to guess the address of the functions they want to reach. It is nowadays very rare to see public exploits able to bypass this type of defense.
3°) through profiling: the daemons used in our systems are profiled in order to identify their habitual nominal behavior. Thus, any difference in this behavior, possibly resulting from the exploitation of these vulnerabilities, will be identified, so that technical counter-measures can automatically be applied.
CerberHost protects your website against all Top 10 OWASP attacks, and much more.
To discover CerberHost in pictures, watch its presentation video HERE.