BUFFER OVERFLOW

1
BUFFER OVERFLOW

• Tsega Gebreyonas
• Sunny Choi
• CS 265
• November 18, 2003

2
Overview

• The Basics
• Attacks exploiting buffer overflow
• Prevention and countermeasures
• Recent Case Studies
• Conclusion and Observations

3
Why Study Buffer Overflow?

• Vulnerability since the 1970s
• Computer vulnerability of the decade 1
• Cause of at least half of all vulnerabilities
  found in Operating Systems
• Code Red worm, 2001
• Blaster worm, 2003

4
Basics of Buffer Overflow

• A stuffing of more data into a buffer than the
  allocated size.
• Two types
• corrupt the execution stack by writing past the
  end of an array (aka. smashing the stack/ stack
  overflow)
• corrupt the heap (heap overflow)

5
How Does Buffer Overflow Happen?

• Careless use of buffer without bounds check
• No automatic bounds checking for buffer in C/C
  programming languages
• Unsafe library function calls
• Off-by-one errors
• Old code used for new purposes
• Formatting and logic errors

6
Possible causes of buffer overflow

• Un-terminated strings can produce overflow
• Segmentation fault, crash

7
Process Memory Organization
Lower Memory addresses
Text
Data
Heap Stack
Higher Memory addresses
Process Memory Regions
8

• Text region
• Fixed by the program
• Includes code (instructions)
• Read-only
• Data region
• Contains initialized and un-initialized data
• Static variables are stored here.

Text
Data
Heap Stack
9
The Stack

• Contains
• local variables for functions
• Return address and local stack pointer
• Used to
• Dynamically allocate the local variables used in
  functions.
• Pass parameters to functions.
• Return values from functions.

10

• Stack pointer (SP) points to the top of the
  stack.
• The bottom of the stack is at a fixed address.
• Consists of logical stack frames that are pushed
  when calling a function and popped when
  returning.
• Frame pointer (FP) points to a fixed location
  within a frame.

Text
Data
Heap Stack
11
Example stack.c

• void function(int a, int b, int c)
• char buffer15
• char buffer210
• void main()
• function(1,2,3)

12
Example cont.. (1)

• After gcc S o stack.s stack.c
• See notes below
• Call function is translated to
• pushl 3
• pushl 2
• pushl 1
• call function

13
Example cont.. (2)

• Its pushes the 3 arguments backwards into the
  stack.
• The instruction call will push the EIP onto the
  stack.
• Procedure prolog
• push ebp
• mov esp, ebp
• sub 20, esp

14
Example cont.. (3)

• pushes the FP onto the stack.
• Copies the current SP onto EBP, make it the new
  FP.
• Allocates space for the local variables by
  subtracting their size from SP.
• Memory can only be addressed in multiples of the
  word size.
• 5 byte buffer take 8 bytes (2 words).
• 10 byte buffer take 12 bytes (3 words).
• SP is subtracted by 20

15
buffer2
buffer1
SFP
EBP
ret
a
b
c
Stack
16
Principle of Stack Overflows

• When a program is run
• the next instruction address, ret, is stored on
  the stack.
• modifying this value in the stack forces the EIP
  to get new value. So when the function returns,
  the program may execute the code (e.g. some
  shellcode) at this new address specified by
  overflowing the stack.

17
Principle of Stack Overflows cont..

• How to find where the ret is, to overwrite?
• methods of improving chances

shellcode (or some code to execute)
NOPs
repeated return address
buffer overflow with this as long as ret is
overflowed with any part of this
string, shellcode will be executed
18
Stack Overflow Example

• include ltstdio.hgt
• void show_string(char str2)
• char buffer5
• strcpy(buffer, str2)
• printf(Your string is s\n, buffer)
• main ()
• char str 10
• gets(str1)
• show_string(str1)
• exist (0)

19
The Heap

• Definition contains memory that is dynamically
  allocated by the application
• Buffer overflow can happen here
• Although more difficult to achieve than stack
  overflows

20
User Exploits of Heap Overflow

• Overwrite
• - filenames
• - passwords
• -
• Manipulate
• - pointers
• - function pointers

21
Principle of Heap Overflows

• Requires some preconditions to be met in the
  source code of the vulnerable binary
• a buffer must be declared (or defined) first.
• a pointer must be declared.
• Example
• ...
• static char bufBUFSIZE
• static char ptr_to_something
• ...

22
/root/.rhosts
sometmpfile.tmp
POINTER
POINTER
BUFFER
BUFFER
before overflow
after overflow
23
Heap Overflow Example

• define BUFSIZE 16
• define OVERSIZE 8
• int main()
• u_long diff
• char buf1 (char )malloc(BUFSIZE),
• char buf2 (char )malloc(BUFSIZE)
• diff (u_long)buf2 - (u_long)buf1
• printf("buf1 p, buf2 p, diff 0xx
  bytes\n", buf1, buf2, diff)
• memset(buf2, 'A', BUFSIZE-1), buf2BUFSIZE-1
  '\0'
• printf("before overflow buf2 s\n", buf2)
• memset(buf1, 'B', (u_int)(diff OVERSIZE))
• printf("after overflow buf2 s\n", buf2)
• return 0

24
Heap Overflow Example Results

• root /w00w00/heap/examples/basic ./heap1
• buf1 0x804e000, buf2 0x804eff0, diff 0xff0
  bytes
• before overflow buf2 AAAAAAAAAAAAAAA
• after overflow buf2 BBBBBBBBAAAAAAA

25
Why Not Fix Buffer Overflow?

• 1000s of lines of legacy code running as root
• To change and check cases is expensive
• Trade off security Vs time to market
• Attitude If works no one cares
• Traditional approach get it to work first, then
  fix it.
• Security is not easy to verify unless someone
  find issue how do you figure what will be fault
  in the future
• Lifecycle of buffer overflow
• Vulnerability exploited
• Patch that program-specific attack

26
Buffer Overflow Countermeasures

• Write secure code (Golden Rule)
• Terminate strings and pass size of buffers to
  functions (e.g. use strncopy instead of strcopy
  etc)
• Careful Use of C/C Library Functions
• Dont trust inputs (validate all inputs)
• Stack execute invalidate
• Dynamic run-time checks

27
Countermeasures cont..

• Programming Languages
• Automatically resize arrays (e.g. Perl, Java)
• Detect and prevent buffer overflows. (e.g. Ada95,
  Java)
• Use C only when speed/low level access is
  critical (almost all OSs are written in C
  nowadays)
• Use advanced compiler tools such StackShield and
  StackGuard
• Same principle for heap overflows
• Whenever a function is called, a "canary" value
• is pushed on the stack.
• This value protects the return address.

buffer1
SFP
canary
ret
Some un-guessable value
a
StackGuard
28
Case Studies

• Code Red (I/II)
• Blaster
• infected more than one million hosts over its
  first 24 hours of life, according to one estimate

29
Code Red I/II, 2001 - Effects

• July 19th spread to 250,000 computers in only 9
  hours
• Between the two worms, about 800,000 machines
  infected
• an estimated 2.5 billion in damages
• defaced web sites
• a failed attempt at a denial-of-service attack on
  www.whitehouse.gov.

30
How Did Code Red Work?

• Exploited a buffer overflow vulnerability in
  Microsoft Internet Information Servers
• attempts to connect to TCP port 80 on a randomly
  chosen host
• the attacking host sends a HTTP GET request to
  the victim, attempting to exploit the buffer
  overflow in the Indexing Service
• If the exploit is successful, the worm begins
  executing on the victim host.
• The Code Red II worm exploited the very same
  vulnerability, except it installed a back door
  designed to make your entire hard drive available
  to attackers over the Internet.

31
Blaster, 2003

• exploited a vulnerability in Microsoft's DCOM RPC
  interface
• Execution
• Infect with worm
• Add the executable to the registry so that it
  runs at windows startup
• Generates IP address and tries to infect another
  computer with that IP address -60 random
• Send data on TCP port 135 to exploit DCOM RPC
  vulnerability
• Impact
• execute arbitrary code with Local System
  privileges
• denial-of-service condition.

32
Microsoft Manhunt

• November 5, 2003, Microsoft
• announces 250,000 reward in a worldwide manhunt
  for the creator of Blaster.
• Earmarks 4.5 million for bounties in future
  attacks.

33
Conclusions

• Buffer overflows exist and will continue to pose
  a real threat
• Tools can help (not solution)
• Best protection
• be a defensive and educated programmer write
  robust code in the first place

34
References

• Aleph One, "Smashing The Stack For Fun And
  Profit," Phrack,  Vol 7, Issue 49, File 14 of 16
• Howard M., LeBlanc D.,Writing Secure code, second
  edition, Microsoft Corporation, 2003
• Mark G. Graff, Kenneth R. Van Wyk, Secure Coding,
  O'Reilly Associates, July 2003
• Matt Conover, and WSD, "w00w00 on Heap
  Overflows", January 1999, www.w00w00.org/ files/
  articles/heaptut.txt
• Paul Festa, Study says "buffer overflow" is most
  common security bug, CNET News, November 23,
  1999, http//news.com.com/2100-1001-233483.html?le
  gacycnet
• Pierre-Alain Fayolle, A Buffer Overflow Study
  Attacks and Defenses, 2002, http//g0tr00t.mson.o
  rg/docs/nix/bof.html
• Sandeep Grover, Buffer Overflow Attacks and
  Their Countermeasures, Linux Journal, March 2003