bufovfl - Buffer Overflow, CS177 2011: Buffer Overflows

Buffer Overflow, CS177 2011

Slide 1: Buffer Overflows
Technique to force execution of malicious code with unauthorized privileges:
  - launch a command shell
  - search local disk or network for sensitive data
  - register with a command-and-control network as a zombie
Can be applied both locally and remotely.
The attack technique is independent of machine architecture and operating system.
Can be tricky to execute, but extremely effective.

Slide 2: Definitions
Buffer: a contiguous block of computer memory that holds multiple instances of the same type (C arrays).
Overflow: to fill over the brim, to fill more than full.
Buffer Overflow: happens when a program attempts to write data outside of the memory allocated for that data.
  - Usually affects buffers of fixed size.
  - Also known as Buffer Overrun.

Slide 3: Simple Example
Off-by-one errors are common and can be exploitable! (see Phrack 55)

    char B[10];
    B[10] = x;

The array starts at index zero, so [10] is the 11th element: one byte outside the buffer was referenced.

Slide 4: Another Example

    void foo(char *a)
    {
        char b[100];
        ...
        strcpy(b, a);   /* (dest, source) */
        ...
    }

What is the size of the string located at "a"? Is it even a null-terminated string?
What if it was "strcpy(a, b);" instead? What is the size of the buffer pointed to by "a"?

Slide 5: What Happens When Memory Outside a Buffer Is Accessed?
If the memory doesn't exist: bus error.
If memory protection denies access: segmentation fault / general protection fault.
If access is allowed, memory next to the buffer can be accessed: heap, stack, etc.

Slide 6: Real Example: efingerd.c, v. 1.5 (CAN-2002-0423)

    static char *lookup_addr(struct in_addr in)
    {
        static char addr[100];
        struct hostent *he;
        he = gethostbyaddr(...);
        strcpy(addr, he->h_name);
        return addr;
    }

How big is he->h_name? Who controls the results of gethostbyaddr? How secure is DNS?
Can you be tricked into looking up a maliciously engineered value?

Slide 7: Fundamental "C" Problems
You can't know the length of buffers just from a pointer.
  - Partial solution: pass the length as a separate argument.
"C" string functions aren't safe: there is no guarantee that the new string will be null-terminated!
Doing all checks completely and properly is tedious and tricky.

Slide 8: Overflowing Functions
gets():

    int main(void)
    {
        char buf[512];
        gets(buf);
    }

strcpy(), strcat():

    int main(int argc, char **argv)
    {
        char buf[512];
        strcpy(buf, argv[1]);
    }

sprintf(), vsprintf(), scanf(), sscanf(), fscanf(), and also your own custom input routines.

Slide 9: Process Memory Organization
Text section (.text)
  - Includes instructions and read-only data
  - Usually marked read-only
  - Modifications cause segmentation faults
Data section (.data, .bss)
  - Initialized and uninitialized data...
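The slides leave the "partial solution" of slide 7 (pass the length separately, guarantee termination) unimplemented. The following is an added example, not from the lecture or from efingerd: a bounded replacement for the strcpy() calls of slides 4, 6 and 8, applied to the lookup_addr() pattern. The function names, the 1024-byte read bound and the 300-byte hostname are constructed for this demonstration.

```c
#include <string.h>

/* Bounded replacement for strcpy(): reads at most src_max bytes of src (so an
   unterminated source is safe), writes at most dst_len bytes, and always
   NUL-terminates dst. Returns 0 on success, 1 if truncated, -1 if no room. */
int safe_copy(char *dst, size_t dst_len, const char *src, size_t src_max)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    size_t n = 0;                          /* portable strnlen(): bounded scan */
    while (n < src_max && src[n] != '\0')
        n++;
    size_t copy = (n < dst_len) ? n : dst_len - 1;
    memcpy(dst, src, copy);
    dst[copy] = '\0';                      /* terminator is always written */
    return (n < dst_len) ? 0 : 1;
}

/* Hardened form of the efingerd lookup_addr() pattern: the resolver controls
   h_name, so its length is bounded here instead of trusted (hypothetical helper). */
#define ADDR_LEN 100
const char *bounded_lookup_addr(const char *resolved_name, int *truncated)
{
    static char addr[ADDR_LEN];
    *truncated = safe_copy(addr, sizeof addr, resolved_name, 1024);
    return addr;
}

/* Feeds a constructed 300-byte "hostname" through the bounded lookup; returns the
   stored length (99 = ADDR_LEN - 1) if truncation was reported, 0 otherwise. */
size_t demo_long_name_len(void)
{
    char constructed[301];                 /* constructed input, not real DNS data */
    memset(constructed, 'A', 300);
    constructed[300] = '\0';
    int t = 0;
    const char *r = bounded_lookup_addr(constructed, &t);
    return (t == 1) ? strlen(r) : 0;
}

/* Checks safe_copy() on small constructed inputs; returns 1 if all expectations hold. */
int self_check(void)
{
    char buf[8];
    char raw[4] = {'a', 'b', 'c', 'd'};    /* deliberately unterminated source */
    if (safe_copy(buf, sizeof buf, "hello", 64) != 0 || strcmp(buf, "hello")) return 0;
    if (safe_copy(buf, sizeof buf, "hello, world", 64) != 1 || strcmp(buf, "hello, ")) return 0;
    if (safe_copy(buf, sizeof buf, raw, sizeof raw) != 0 || strcmp(buf, "abcd")) return 0;
    return safe_copy(buf, 0, "x", 1) == -1;
}
```

Truncation is reported rather than silently accepted, so a caller can log or reject an oversized name instead of storing a clipped one.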
This note was uploaded on 12/27/2011 for the course CMPSC 117 taught by Professor Kemm during the Fall '09 term at UCSB.
