5
Jun

Most Common Cyber Vulnerabilities – Part 2 (Buffer Overflow)


In the previous piece of this series, we clearly covered the definition of the injection flaws in layman’s terms, its common types, consequences, and a few other subsections; all dedicated to injection vulnerabilities. This article adds and gives you further insight into why it’s important to eliminate cyber vulnerabilities and why do there’s a need to fix them before perpetrators can exploit them.

The second part of this series will take you furthermore in depth to another common cyber vulnerability—commonly known as buffer overflow. Cybercriminals exploit the problem of buffer overflow to alter the execution path of the application. It can be done by overwriting the source code of the application associated with onboard memory. This overwritten data can also change the intention of the application by making it perform unauthorized activities. This vulnerability usually paves an easy way for cybercriminals to target all types of software, client and server-side applications, and different operating systems.

What Does Buffer Overflow Mean?

Buffer is a temporary memory store with a specified capacity to store data, which has been allocated to it by the programmer or the program. When the amount of data is higher than the allocated capacity, extra data overflow. This is what the industry commonly refers as a buffer overflow or buffer overrun. This data then leaks into boundaries of other buffers and corrupts or overwrites the legitimate data present.

Buffer overflow vulnerability is something that hackers see as an easy go-to target because it is one of the easiest (yet rare) ways through which cybercriminals can gain unauthorized access to the software.

A Simple Understanding of Buffer Overflow

Imagine a container with not enough space to hold the liquid you are pouring into it. Buffer overflow is not different from this concept. But in technical terms, buffer overflow is an anomaly that is capable of altering the memory of the program to gain control of the program being executed.

This example clearly shows how a buffer meant to store a username of up to eight characters overflows when two extra bytes are added to it. The source code with such programming is an example of a lack of input data sanitization.

Some Buffer Overflow Attacks

Buffer overflow attacks can be categorized into two major types—stack-based and heap-based.

  • Stack-based Buffer Overflow Attacks—A stack-based buffer overflow is a condition where a buffer is allocated to a stack (like a local variable or passed as a parameter to a function). This buffer is overwritten after the data overflow.
  • Heap-based Buffer Overflow Attacks—A heap-based buffer overflow is where the buffer, to be overwritten, is allocated a large portion of additional memory. These types of buffers are allocated using the malloc()

Detecting and Preventing Buffer Overflow

During the design phase of an application, one needs to pay close attention to the part of the source code dealing with creation and modification of the buffer, which will help you to understand whether your application can be exploited or not. Specifically, any function designed to accept user inputs, which can modify or update the buffer, can easily exploit this kind of vulnerability.

For example, a yes or no question prompting the user to enter an answer does not require a large capacity buffer:

void ans_Question()

{

char user_ans[4];

printf(“Do you think this function is secure? Yes or no”);

gets (user_ans);

}

The code clearly shows that if a user enters “maybe” then the buffer will overflow and crash the entire program because the variable “user_ans” is created to accept any user input without proper data validation. Once the buffer is filled with four bytes of data, the return address of the program will be modified automatically. In this way, the program can behave in unintended ways.

So, to detect buffer overflow conditions in the source code of your program, ensure that you go through some key steps, defined as follows:

  • Understand how buffer overflow can impact your program in dangerous ways,
  • Search for an external input that can modify the buffer, and
  • Look for in-built functions that are susceptible to this vulnerability (e.g., gets(), printf(), and strcpy() are a few functions that can lead to buffer overflow).

 

Prevention Action: You can use some of the below-tabulated functions to keep your application safe from a buffer overflow attack.

  • Use safe alternatives instead of using insecure functions.
Insecure Functions Safe Functions
strcpy() strlcpy()*, strcpy_s()*
strcat() strlcat()*, strlcat_s()*
printf() / snprintf()*, sprintf_s()*
gets fgets()
*Functions do not fall under C Standard Libraries.
  • Using a language that can’t be decoded easily is a potentially perfect way to dodge this kind of vulnerability. For instance, C language allows direct access to memory through these vulnerabilities. While languages, such as Java, Python, and .NET, do not need special filters to mitigate the buffer overflow problem.
  • Always do a manual check and null termination (‘\0’) to handle the overflow issue.

Related Consequences of an Exploited Buffer Overflow

An exploited buffer overflow gives cyberattackers a way to target web applications and execute arbitrary code. The complete stack of the application can be corrupted by overwriting the buffer data with malicious program code.

Real-world Scenarios Representing Buffer Overflows

This section will give you a better understanding of how disastrous buffer overflow vulnerability can be.

Case 1: The Morris Worm

Who doesn’t know about 1988’s Morris worm? The first major attack on the Internet that infected over 60,000 machines throughout 1998–1990. This first cyber attack was the result of the buffer overflow exploitation, which also gave this worm the capability to self-propagate [1].

Case 2: Adobe Flash Player Buffer Overflow Vulnerability

In 2017, a buffer overflow vulnerability was revealed in the Adobe Flash Player that allowed an unauthenticated, remote attacker to execute arbitrary code. The vulnerability occurred after the affected software started improperly handling regular expressions. The vulnerability gave an easy entry point to an attacker to a corrupted web page containing maliciously crafted Flash content. Adobe later confirmed that the issue has been patched [2].

Can We Mitigate Buffer Overflow Attacks?

When a function leaves the opportunity for attackers to exploit a buffer overflow vulnerability, it doesn’t mean that as a security professional, you can’t limit its impact. Advances are being made to detect buffer overflow at compile and run-time phases, using canary tests. Canary test allows the program to perform minimal tests on it, so that, you can quickly ensure whether the source code is reliable. These tests will look for the modified return value, and if it finds one, the program will then display an error or will shut down automatically.

Another mitigating process includes the use of non-executable stacks (or Data Execution Prevention [DEP]) and the address space layout randomization (ASLR) in modern-day operating systems. DEP does not allow attackers to inject malicious line of codes on the stack of the program. This ends with the program running successfully. While ASLR originally built to work against return-oriented programming; it is now working to make it difficult to pinpoint the address to point to.

Now that you know what buffer overflow is, what it is capable of, and more importantly, how to mitigate such threats! So, in line with this second follow-up, the next article will bring you to closer to another cyber vulnerability where we will cover sensitive data exposure. Stay alert and keep an eye out for it!

Read Next: MOST COMMON CYBER VULNERABILITIES PART 3 (SENSITIVE DATA EXPOSURE)

Source:

[1] https://en.wikipedia.org/wiki/Morris_worm

[2] https://tools.cisco.com/security/center/viewAlert.x?alertId=52257

Editor's Note:
Reviewed by Prof. Dr. Krishna Seeburn, Chief Instructor – Cybersecurity at DOJ-FBI and Akashdeep Bhardwaj, Head of Cyber Security Operations (India) at British Telecom Security.
get certified from ec-council
Write for Us