Thursday, March 25, 2010

Buffer Related Vulnerabilities

Many types of buffer-related vulnerabilities exist. To understand them properly, we first need to look at what a buffer is and how these vulnerabilities happen.

What is a Buffer?
Put simply, a buffer is a region of memory that temporarily holds data (a variable) while the program executes.
Let’s take a look at the memory layout of a C program.

Text: The text segment contains the program code.
Data: The data segment contains global and static variables.
Stack: The stack segment contains the local variables of functions.
Heap: The heap contains dynamically allocated variables, i.e. memory we allocate with malloc/calloc or with the new keyword.

What happens in a function call?

Consider this C example:

void abc(int x, int y)
{
    /* the body of this function doesn't matter here */
    (void)x;
    (void)y;
}

int main(void)
{
    abc(2, 5);
    return 0;
}

So when main calls the abc function, it first pushes 5 onto the stack, then 2, and then it pushes the return address. The return address is simply where the instruction pointer will resume after the function finishes executing.

How the Attack Works

Consider the following situation:

#include <string.h>

char *ab = "ABCDEFGHIJKL";   /* the source string that will be copied */

int main(void)
{
    char buf[8];
    strcpy(buf, ab);         /* strcpy never checks the size of buf */
    return 0;
}

When we run this, it simply tries to copy the value of ab into the buf array. But our array is 8 bytes, and the size of ab is 12 bytes including the trailing null. So when the allocated memory space is exceeded, the copy overwrites whatever lies below it. If we look at the memory diagram above, we can see that below the data is the return address of the function. So when the program tries to return from the function, it jumps to the overwritten position instead of its original one.
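The usual fix for the situation above is to size the copy by the destination, not the source, and refuse inputs that do not fit. The example below is added here and is not the post's own code: copy_checked is an assumed helper name, and the 8-byte buffer and the 12-character string mirror the scenario described above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample input, as in the post: 12 characters plus the
 * terminating null, which does not fit in an 8-byte buffer. */
static const char *const ab = "ABCDEFGHIJKL";

/* Bounded copy keyed on the DESTINATION size (dst_size), not the source.
 * Returns the number of characters copied, or -1 (leaving dst empty)
 * when src plus its null terminator would not fit. It never writes past
 * dst + dst_size - 1 and never reads more than dst_size bytes of src. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size) {      /* src has >= dst_size chars: no room for '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size, so this stays in bounds */
    return (int)len;
}

/* The post's scenario with the check in place: the 12-character string is
 * rejected instead of running past buf[8] toward the saved return address. */
int demo_reject_oversized(void)
{
    char buf[8];
    return copy_checked(buf, sizeof buf, ab);   /* -1 */
}

/* An input that fits (7 characters + null = 8 bytes) is copied intact. */
int demo_accept_fitting(void)
{
    char buf[8];
    int n = copy_checked(buf, sizeof buf, "ABCDEFG");
    return (n == 7 && strcmp(buf, "ABCDEFG") == 0) ? n : -2;
}

int main(void)
{
    printf("oversized input: %d\n", demo_reject_oversized());
    printf("fitting input:   %d\n", demo_accept_fitting());
    return 0;
}
```

Passing sizeof buf rather than strlen(ab) is the whole point: a bound taken from the source buffer (situation 7 in the list below) would let the copy overrun exactly as strcpy does.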

Situations where buffer-related vulnerabilities usually occur:
  1. Buffer copy without checking the size of the input.
  2. Buffer access with an incorrect length value.
  3. Uncontrolled format string.
  4. Buffer underwrite.
  5. Buffer underread.
  6. Incorrect calculation of buffer size.
  7. Buffer access using the size of the source buffer.
  8. Buffer overflow using a command with a long argument.
  9. Buffer overflow in a local program using a long environment variable.
  10. Buffer overflow in comment characters, when the product increments a counter for a ">" but does not decrement it for "<".
  11. By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.