Buffer overflows are one of the more complex injection attacks, as they take advantage
of developers misusing memory. Like command injection, a successful buffer overflow
attack gives the attacker complete control of the remote machine.
Some programming languages, such as C and C++, place memory management
responsibilities on the developer. If the developer is not careful, user input could write to
memory that was not intended to be written to. One such memory location is called the return
address of a stack. The return address holds the memory address of the next machine instruction
block to execute. If an application is vulnerable to buffer overflows, an attacker could send a
very long string to the web application—longer than the developer expected. The string could
potentially overwrite the return address, telling the web application what machine instructions
it should execute next. The injection aspect of buffer overflows is that the attacker injects
machine instructions (called shell code) into some user input. The attacker somewhat needs to
know where the shell code will end up in the memory of the computer running the web
application. Then the attacker overwrites the return address to point to the memory location
of the shell code.
Exploiting buffer overflows are nontrivial, but finding them is not as difficult, and
finding buffer overflows on a local machine is easy. You need only send very long strings
in all user inputs. We suggest inputting predictable strings, such as 10,000 capital As, into
each input. If the program crashes, it is most likely due to a buffer overflow. Repeat the
crash while running the application in a debugger. When the program crashes, investigate
the program registers. If you see 41414141 (41 is the ASCII representation of a capital A)
in the SP register, you have found a buffer overflow.
Finding buffer overflows on remote machines, such as a web application, is a lot
more difficult, because attackers cannot view the contents of the web application’s
registers, and it may even be difficult to recognize that the web application has even
crashed. The trick to finding buffer overflows on web applications is to do the
following:
1. Identify what publicly available libraries or code the web application is
running.
2. Download that code.
3. Test that code on your local machine to find a buffer overflow.
4. Develop exploit code that works on your local machine.
5. Attempt to execute the exploit code on the web application.
Preventing Buffer Overflows :
The easiest step is to avoid developing frontend web applications with C and C++. The
speed increase is nominal compared to delays in Internet communication. If you must
use code written in C or C++, minimize the amount of code used and perform sanity
checks on user input before sending it onto the C or C++ derived code.
If you can’t avoid programming in C or C++, you can take basic steps to prevent
some buffer overflows, such as compiling your code with stack protection. You can, for
example, use the /GS flag when compiling C and C++ code in Visual Studio, and use
–fstack-protector in SSP (also known as ProPolice)-enabled versions of gcc.
