Title: Buffer Overflows: A Technical Discussion
1 Buffer Overflows: A Technical Discussion
Chad Harrington, Entercept Security Technologies
The Proven Leader in Intrusion Prevention
Technical Assistance 1-888-526-6170
International Dial 1-650-526-6170
2 Agenda
- How Buffer Overflow Exploits Work
- Why Buffer Overflow Vulnerabilities Exist
- New Buffer Overflow Exploit Techniques
- Buffer Overflow Protection from Entercept
3 Public Enemy #1
- Buffer Overflows are
  - Common
    - account for over 60% of CERT advisories
  - Powerful
    - can execute arbitrary code, often with root privileges
  - Easy to Use
    - once written, any script kiddie can run it
4 Why Buffer Overflow Vulnerabilities Exist
- Unchecked Buffers
- Software Developers are too busy
- Trade off time to market vs. security
- Security is an afterthought
- QA doesn't include security validation
5 Exploiting an Unchecked Buffer
- Objectives
  - Load arbitrary exploit code
  - Execute the code
- Three techniques
  - Stack-based
  - Heap-based
  - Return-into-Libc
6 What is the Stack?
- Temporary storage area (scratchpad)
- Stores buffers for subroutines
- Stores return address for subroutines
- Stores parameters to called subroutines
- Resides high in memory, grows downward
7 What is the Stack?
[Figure: stack layout for the SayHello() subroutine]
- name_buffer (100 Bytes): 43 (C) 68 (h) 61 (a) 64 (d) ...
- Stored return address (4 Bytes): 34 D7 40 00
8 A Vulnerable Program
9 Specifying the Argument
10 Normal Output
11 Assembly Language Version
Here is the Call instruction that tells the OS to jump to our SayHello subroutine
12 Assembly Language Version
This is where the program SHOULD return after executing SayHello: 0040D734
13 Stack View After Entering the SayHello() Subroutine
The return address (00 40 D7 34) is now pushed onto the stack. Intel architectures are little-endian, so the address appears reversed: 34 D7 40 00
14 Clearing the Stack Frame
The debugger has cleared the stack frame for us by filling it with CC bytes
15 Filling the Buffer
Now the strcpy() function is called. The data supplied is copied into the buffer.
16 Normal Output
17 Specifying a Malicious Argument
18 Stack View After Entering the SayHello() Subroutine
Note the valid return address bytes 34 D7 40 00
19 Stack View After Entering the SayHello() Subroutine
When strcpy() is called, the malicious data is copied into the buffer and overflows it, overwriting the return address. The bytes of the return address are now 35 39 34 35.
20 Crash!
- The program attempted to jump into unused memory and crashed.
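The walkthrough on slides 8 through 20 shows the unchecked strcpy() into a 100-byte name_buffer and the little-endian return address above it. The following is an added example, not code from the Entercept deck: it places the vulnerable pattern next to a bounds-checked version that rejects oversized input before copying, and it serialises the slide's return address 0040D734 into the 34 D7 40 00 byte order shown on slide 13. The names SayHello and name_buffer and the 100-byte size come from the slides; say_hello_checked, overflow_would_occur, bounded_len and return_address_bytes are assumed names for this illustration.

```c
/* Added example (not from the Entercept slides). SayHello, name_buffer and
 * the 100-byte size follow the deck; the other names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUFFER_SIZE 100

/* Vulnerable form from the slides: strcpy() copies until it finds a NUL,
 * so an argument of 100 or more characters runs past name_buffer and over
 * the saved return address (slides 18-20). Kept here only for comparison;
 * it must only ever be called with input shorter than the buffer. */
void SayHello(const char *name) {
    char name_buffer[NAME_BUFFER_SIZE];
    strcpy(name_buffer, name);              /* no length check at all */
    printf("Hello, %s\n", name_buffer);
}

/* Length of s, but never scanning more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 if copying name into a buffer of buffer_size bytes would not
 * leave room for the terminating NUL, i.e. strcpy() would overflow. */
int overflow_would_occur(const char *name, size_t buffer_size) {
    return bounded_len(name, buffer_size) >= buffer_size;
}

/* Hardened form: validate the length first and refuse input that does not
 * fit, instead of truncating silently. Returns 0 on success, -1 if rejected. */
int say_hello_checked(const char *name) {
    char name_buffer[NAME_BUFFER_SIZE];
    if (overflow_would_occur(name, sizeof name_buffer))
        return -1;                          /* would have smashed the stack */
    memcpy(name_buffer, name, strlen(name) + 1);  /* length already validated */
    printf("Hello, %s\n", name_buffer);
    return 0;
}

/* Slide 13: on little-endian Intel hardware the 32-bit return address
 * 0x0040D734 sits in memory as 34 D7 40 00. Writes addr into out[] in that
 * byte order (explicit shifts, so the result does not depend on the host)
 * and returns the number of bytes written. */
int return_address_bytes(uint32_t addr, unsigned char out[4]) {
    out[0] = (unsigned char)(addr & 0xFF);
    out[1] = (unsigned char)((addr >> 8) & 0xFF);
    out[2] = (unsigned char)((addr >> 16) & 0xFF);
    out[3] = (unsigned char)((addr >> 24) & 0xFF);
    return 4;
}

int main(void) {
    unsigned char b[4];
    char long_name[200];                    /* constructed oversized input */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    SayHello("Chad");                        /* safe only because input is short */
    printf("checked short: %d\n", say_hello_checked("Chad"));
    printf("checked long:  %d\n", say_hello_checked(long_name));

    return_address_bytes(0x0040D734u, b);
    printf("0x0040D734 in memory: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

The check in say_hello_checked() is the same one a heap-allocated buffer (slide 21) needs, since heap buffers are also fixed-size; the only difference is what sits next to the buffer when the copy runs past it. Rejecting the input, rather than truncating it with a strncpy() that may drop the terminator, keeps the failure visible to the caller.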
21 What is the heap?
- Heap stores dynamically allocated buffers
- Often used for storing large amounts of data
- Heap buffers are also fixed-size, just like stack buffers
22 Heap-based Exploits
- Growing in popularity
- Execute code on the heap, not the stack
  - Heap is more likely to be executable
  - Code Red used a heap-based exploit
- Vulnerable data on the heap
  - atexit() function pointers
  - rpc callback function pointers
  - Signal handler pointers
  - And much more!
23 What is libc?
- The C language library of standard functions
- Example of a standard libc function
  - system("dir") - Executes the parameter in the parentheses as if you typed it into a command prompt
- Other functions handle file I/O, memory management, etc.
- libc is linked with every program written in the C language
24 Return-into-Libc Exploits
- Up-and-coming exploit technique
- Does not execute code on the stack or the heap
- Uses a stack (or heap) overflow to redirect program execution to a function in the libc library
25 Entercept Technology
- Multiple layers protecting the entire server
  - operating system
  - applications
  - data
- Blocks both known and unknown malicious attacks
- Industry leading buffer overflow protection
  - Both specific and generic protection against buffer overflow exploits
  - Protects against all 3 major buffer overflow techniques
26 Feedback
- For our current white paper on Attackers and their Tools, please visit our web site
  - www.entercept.com/dr/ws/
- Sign up for our next Web seminar
  - SQL Injection: A Technical Discussion
  - www.entercept.com/events/signup.asp
- Please send comments, questions or suggestions for other topics to
  - webmaster_at_entercept.com
27 Q&A