BUFFER OVERFLOW ATTACKS
#1


Introduction:
Brief History:



Buffer overflows have been successfully used as a method of penetrating systems' security for over 12 years. One of the first buffer overflow attacks which attracted widespread attention due to its spectacular success was Robert Morris's Internet Worm. In 1988 Morris released a program which succeeded in infecting thousands of Unix hosts on the Internet. One of the methods Morris used to gain access to a vulnerable system was a buffer overflow bug in the fingerd daemon. Once it gained access to a vulnerable system, Morris's program installed itself on the machine, and used several methods to attempt to spread itself to other machines. The original intent of Morris was to spread to other systems relatively slowly and undetected, without causing a significant disruption on any of the affected machines. However, his attack failed completely in this. Morris made a programming error which caused his worm to spread at a much higher rate than originally intended. Because of this error, machines were infected and reinfected so rapidly that the worm ended up overwhelming the attacked systems. Of course this caused his program to be detected immediately, and transformed it into the most devastating denial of service attack until that time. Morris's program usually did not gain administrative root access, and did not destroy any information on the penetrated system, nor leave time bombs or other malicious code behind. From 1988 to 1996 the number of buffer overflow attacks remained relatively low.


What is a Buffer?

A buffer is a temporary storage area in memory. It can be a statically or dynamically allocated memory space. A buffer is said to overflow if some program or routine tries to stuff in more data than its capacity. If the data entered into a buffer exceeds the limit specified by the program, it gets stored into the adjacent buffer. This might result in valid information getting overwritten and can also be susceptible to what are known as buffer overrun attacks. Although it may occur accidentally through programming mistakes and improper use of pointers, buffer overflow is a common and extremely dangerous attack on system security and private data.



2. Anatomy of a Buffer Overflow Attack:
2.1 What’s a Stack?
The stack is the place where the software stores almost all temporary information. Examples of temporary information are the return addresses from function calls, and all the local variables. What's really important is that functions can write to this space, and modify any data on it.

2.2 What’s a return address?
When a function is called, the system will save where it was called. Once a function exits, it will read this address and let the program return to what it was doing before the function was called. If this address is maliciously altered, the program won't behave as it was programmed to do. It's worth noticing that the biggest problem is the ability for an attacker to modify the return address. This is what makes it possible to make the code behave unexpectedly. In an important program like the Unix command su, simply being able to make the program jump into another part of itself could be enough to compromise the system. A stack smashing attack usually has two mutually dependent goals:

1) Insert attack code:
The user actually enters as his input string an executable or a binary code pertaining to the machine being attacked.
2) Change return address:
There is space on the stack above every buffer for the return address of the function. The attacker writes arbitrary (and dangerous!) code up to the return address and alters the return address to point to the arbitrary code. So when the function returns, it jumps to the code that has been placed on the buffer. The codes that are most likely to be victims of buffer overflow attacks are the ones which read in data using unsafe functions like gets() and which use functions like strcat() to move data. Unfortunately, the local array as well as the function return address will both be stored on the stack. This is extremely dangerous because the attacker will easily be able to feed you hostile code instead of data, and with a simple trick the attacker will make your program execute the code. This vulnerability is known as "buffer overflow", and is a special case of the overflow problems.
Reply
#2

To get information about the topic buffer overflow aspnet full report ppt and related topics, refer to the page links below

http://studentbank.in/report-signature-f...ck-blocker

http://studentbank.in/report-buffer-overflow-attacks
Reply
