Buffer Overflow and its latest attacks

Gukhool M. Rizwan
C-DAC School Of Advanced Computing

Abstract 2. How does Buffer overflow occur?

Buffer overflow is one of the vulnerabilities which has
become more and more common, especially for the past
ten years. The damages due to its flaw have been great
and one of its first exploitation is the Internet Worm of
1988.
On top of that, Buffer overflow vulnerabilities has
become dominant in the area of remote network
penetration vulnerabilities, where an anonymous Internet
user seeks to gain partial or total control of a host [1].
Basically the problem occurs due to lack of good
practices by programmers.
 When the variable is not null terminated (\n),
which means that the variable can be of infinite
length.
 When using string functions (strcpy(), strcat(),
sprintf(), gets(), scanf()) and verifications are not
made

1. Introduction 3. Simple Example

Buffer overflow or Buffer overrun occurs when a process
function(char *buf_src)
or program writes more data into the buffer than the
{ char buf_dest[16];
memory allocated. The additional space taken by the data
strcpy(buf_dest, buf_src);
overwrites adjacent memory space, resulting in abnormal
}
behavior.
/* main function */
This situation can easily be exploited by malicious people
main()
who can take control of the program execution path and
{ int i;
execute their desired code instead of that of the program.
char str[256];
Buffer overflow is related to C programming language
for(i=0; i<256; i++) str[i] = ‘a’;
and it was discovered around 1972-1973. The very first
function(str);
exploit occurred in 1988 when over 6000 systems were
}
shutdown in a few hours by the famous Internet Worm [2,
3].
To this date (13 June 2010), 5415 cases of buffer Note that a buffer of 16 has been allocated for the
overflow have been listed as vulnerabilities in destination but the size of the array is 256 and no size
cve.mitre.org and out of these around 130 are for the year checking/ verification is being made.
2010 only. The latest record (CVE-2010-2102) which is There is no doubt that a buffer overflow will occur, where
still under review is a case where Buffer overflow occurs data will be overwriting adjacent memory.
in Webby Webserver 1.01 allowing remote attackers to
execute arbitrary code via a long HTTP GET request [4].
The statistics of vulnerabilities at web.nvd.nist.gov show
that there have been 5315 records. The latest record
(published on 06/15/2010: CVE-2010-2185) is that of
Buffer overflow in Adobe Flash Player before 9.0.277.0
and 10.x before 10.1.53.64, and Adobe AIR before
2.0.2.12610, might allow attackers to execute arbitrary
code via unspecified vectors. [5].

The overall goal of a buffer overflow attack is to

Overflow completely the function of a privileged program
so that the attacker can take control of that program, and
if the program is sufficiently privileged, thence control
the host [1].
Figure 1: Memory Stack
We can see from figure 1 that the content of array
str(256-character ‘a’s, i.e., 0x616161…) has already
overwritten all the former contents from buf_dest to
buf_dest+256, including the EBP and RET saved when
function calling. So when the function exits, it will return
to 0x61616161, the segment fault occurred.
Buffer overflow can change the executing sequence of
program. If we can write a starting address of an elaborate
attack code to RET, the system can be hijacked. If the
attacked program having the suid bit and the attacking
code get an interactive Shell, the hacker will get the root
privilege. This is the main method used by hackers [6].
4. Exploitation of the buffer overflow
vulnerability
If the attacker sends 1000 characters that are carefully
chosen, he or she can control the return address. Rather
than jumping to a non-existent address, the attacker can
instruct the program to jump to the address of malicious
exploit code. There are two tasks that must be performed
to accomplish:
 Loading the malicious code
 Executing the malicious code
There are 2 types of exploitation:
 Stack
 Heap
4.1. Stack Exploitation
Each time a process or program is executed, the latter
writes data to memory, but at some point in time, if the
programmer has not properly written the codes, adjacent
memory may be wrongly overwritten on the stack thus
causing abnormal behavior.
A malicious attacker can make use of this flaw to
manipulate the program in one of the following ways:
 A local variable which is near the buffer in
memory on the stack may be overwritten to
change the behavior of the program,
 The return address of a stack frame can be
overwritten which, when the function returns,
execution of the program will resume at the
return address specified by the attacker
 A function pointer or exception handler may be
overwritten and can be executed afterwards.
When a stack buffer is overflowed, both, loading and
executing malicious code can be achieved. The attacker
sends a very long string of input data to the program. The
input data includes the malicious code as well as the
address of that code.
When this input data overflows the stack, the malicious
code is loaded into stack memory, and the subroutine’s
return address is overwritten to point to that malicious
code. When the subroutine terminates, the program jumps
to the malicious code, and that code is executed. The
results of executing the attacker’s malicious code could be
catastrophic. If the malicious code reformats the system’s
hard drive, crucial data may be lost, and significant time
will be wasted rebuilding the system.
Just as easily, the malicious code could attack other
machines, install backdoors, steal passwords, or any
number of other possibilities. The malicious code runs
under the process context of the application it is attacking.
Thus, if the application has root- or administrator-level
privileges, the code will run as root and be able to execute
any command. If the application is not running as root,
the attacker can still use a buffer overflow exploit to load
a privilege escalation exploit which would then give the
desired root privileges. Thus, buffer overflow exploits are
very useful to attackers [7].
4.2. Heap Exploitation
Memory on the heap is dynamically allocated by the
application at run-time and typically contains program
data. Exploitation is performed by corrupting this data in
specific ways to cause the application to overwrite
internal structures such as linked list pointers. The
canonical heap overflow technique overwrites dynamic
memory allocation linkage (such as malloc metadata) and
uses the resulting pointer exchange to overwrite a
program function pointer [3].
A common misconception by programmers is that by
dynamically allocating memory (utilizing heaps) they can
avoid using the stack, and thus, reduce the likelihood of
exploitation. While stack overflows may be the low-
hanging fruit, utilizing heaps does not instead eliminate
the possibility of exploitation [8].
Heap-based overflows act similarly to stack-based
overflows, but overflow buffers on the heap. Return into-
libc exploits use buffer overflows on the stack or heap to
cause execution of code in the system’s own libc library.
These newer techniques provide new avenues of buffer
overflow attack that are more and more difficult to detect
and prevent [7].
5. Latest attacks
A brief description of the latest attacks (for the month
of June 2010 only) from several security websites:
http://cve.mitre.org
 CVE-2010-2287 Buffer overflow in the
SigComp Universal Decompressor Virtual
Machine dissector in Wireshark 0.10.8 through
1.0.13 and 1.2.0 through 1.2.8 has unknown
impact and remote attack vectors.
 CVE-2010-2284 Buffer overflow in the ASN.1
BER dissector in Wireshark 0.10.13 through
1.0.13 and 1.2.0 through 1.2.8 has unknown
 impact and remote attack vectors. CVE-2010-
2102 Buffer overflow in Webby Webserver 1.01
allows remote attackers to execute arbitrary code
via a long HTTP GET request.
 CVE-2010-2028 Buffer overflow in
k23productions TFTPUtil GUI (aka TFTPGUI)
1.4.5 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary
code via a long transport mode.
 CVE-2010-2009 Stack-based buffer overflow in
the media library in BS.Global BS.Player 2.51
build 1022, 2.41 build 1003, and possibly other
versions allows user-assisted remote attackers to
execute arbitrary code via a long ID3 tag in a
.MP3 file. NOTE: some of these details are
obtained from third party information.
 CVE-2010-2004 Stack-based buffer overflow in
BS.Global BS.Player 2.51 Build 1022 Free, and
possibly other versions, allows user-assisted
remote attackers to execute arbitrary code via the
Skin parameter in the Options section of a skins
file (.bsi), a different vulnerability than CVE-
2009-1068 [4].
http://web.nvd.nist.gov
 CVE-2010-2185
Summary: Buffer overflow in Adobe Flash
Player before 9.0.277.0 and 10.x before
10.1.53.64, and Adobe AIR before 2.0.2.12610,
might allow attackers to execute arbitrary code
via unspecified vectors.
Published: 06/15/2010
 CVE-2010-2167
Summary: Multiple heap-based buffer overflows
in Adobe Flash Player before 9.0.277.0 and 10.x
before 10.1.53.64, and Adobe AIR before
2.0.2.12610, might allow attackers to execute
arbitrary code via unspecified vectors.
Published: 06/15/2010
 CVE-2010-1937
Summary: Heap-based buffer overflow in
httpAdapter.c in httpAdapter in SBLIM SFCB
before 1.3.8 might allow remote attackers to
execute arbitrary code via a Content-Length
HTTP header that specifies a value too small for
the amount of POST data, aka bug #3001896.
Published: 06/15/2010
CVSS Severity: 10.0 (HIGH)
 CVE-2010-2287
Summary: Buffer overflow in the SigComp
Universal Decompressor Virtual Machine
dissector in Wireshark 0.10.8 through 1.0.13 and
1.2.0 through 1.2.8 has unknown impact and
remote attack vectors.
Published: 06/15/2010
CVSS Severity: 8.3 (HIGH)
 CVE-2010-2284
Summary: Buffer overflow in the ASN.1 BER
dissector in Wireshark 0.10.13 through 1.0.13
and 1.2.0 through 1.2.8 has unknown impact and
remote attack vectors.
Published: 06/15/2010
CVSS Severity: 8.3 (HIGH)
 CVE-2009-4893
Summary: Buffer overflow in UnrealIRCd
3.2beta11 through 3.2.8, when
allow::options::noident is enabled, allows remote
attackers to cause a denial of service (crash) and
possibly execute arbitrary code via unspecified
vectors.
Published: 06/15/2010
CVSS Severity: 6.8 (MEDIUM)
 CVE-2010-0990
Summary: Stack-based buffer overflow in
Creative Software AutoUpdate Engine ActiveX
Control 2.0.12.0, as used in Creative Software
AutoUpdate 1.40.01, allows remote attackers to
execute arbitrary code via vectors related to the
BrowseFolder method.
Published: 06/15/2010
CVSS Severity: 10.0 (HIGH)
 CVE-2010-1961
Summary: Buffer overflow in ovutil.dll in
ovwebsnmpsrv.exe in HP OpenView Network
Node Manager (OV NNM) 7.51 and 7.53 allows
remote attackers to execute arbitrary code via
unspecified variables to jovgraph.exe, which are
not properly handled in a call to the sprintf
function.
Published: 06/10/2010
CVSS Severity: 10.0 (HIGH)
 CVE-2010-1960
Summary: Buffer overflow in the error handling
functionality in ovwebsnmpsrv.exe in HP
OpenView Network Node Manager (OV NNM)
7.51 and 7.53 allows remote attackers to execute
 arbitrary code via a long, invalid option to
jovgraph.exe.
Published: 06/10/2010
CVSS Severity: 10.0 (HIGH)
 CVE-2010-1850
Summary: Buffer overflow in MySQL 5.0
through 5.0.91 and 5.1 before 5.1.47 allows
remote authenticated users to execute arbitrary
code via a COM_FIELD_LIST command with a
long table name.
Published: 06/08/2010
CVSS Severity: 6.0 (MEDIUM)
http://secunia.com
 Secunia Advisory SA40197: Date released
16/06/2010
File Sharing Wizard "Content-Length" Buffer
Overflow Vulnerability
Description
A vulnerability has been discovered in File
Sharing Wizard, which can be exploited by
malicious people to compromise a vulnerable
system.
The vulnerability is caused due to a boundary
error when processing HTTP requests. This can
be exploited to cause a stack-based buffer
overflow via an HTTP request having an overly
long "Content-Length" header.
Successful exploitation may allow execution of
arbitrary code.
The vulnerability is confirmed in demo version
1.5.0. Other versions may also be affected.
Solution
Restrict access to the HTTP service by using e.g.
a firewall.
 Secunia Advisory SA40195: Date released
16/06/2010
Rosoft Audio Converter Playlist Processing
Buffer Overflow
Description
A vulnerability has been reported in Rosoft
Audio Converter, which can be exploited by
malicious people to compromise a user's system.
The vulnerability is caused due to a boundary
error when processing playlist files. This can be
exploited to cause a buffer overflow by tricking a
user into e.g. loading a specially crafted M3U
file and converting an overly long entry.
Successful exploitation may allow execution of
arbitrary code.
The vulnerability is reported in version 4.4.4.
Other versions may also be affected.
Solution
Do not open untrusted playlist files.
 Secunia Advisory SA40141: Date released
15/06/2010
XnView MBM Processing Buffer Overflow
Vulnerability
Description
Mauro Olea has discovered a vulnerability in
XnView, which can be exploited by malicious
people to compromise a user's system.
The vulnerability is caused due to an error when
processing certain MBM (MultiBitMap) files,
which can be exploited to cause a heap-based
buffer overflow by e.g. tricking a user into
opening a specially crafted MBM file.
The vulnerability is confirmed in version 1.97.4.
Prior versions may also be affected.
Solution
Update to version 1.97.5.
 Secunia Advisory SA40153: Date released
15/06/2010
AnNoText AdvoAkte KeyHelp ActiveX Control
Buffer Overflow Vulnerability
Description
Nikolas Sotiriu has reported vulnerability in
AnNoText AdvoAkte, which can be exploited by
malicious people to compromise a user's system.
The vulnerability is caused due to a boundary
error in the included third party
KeyHelp.KeyCtrl.1 ActiveX control
(KeyHelp.ocx).
Solution
Set the kill-bit for the affected ActiveX control.
 Secunia Advisory SA40119: Date released
14/06/2010
Kodak Ofoto Upload Manager ActiveX Buffer
Overflow Vulnerabilities
Description
Some vulnerabilities have been discovered
in the Kodak Ofoto Upload Manager
ActiveX control, which can be exploited by
malicious people to compromise a user's
system.
The vulnerabilities are caused due to
 boundary errors in the
axofupld.OFUploadMgr.1 ActiveX Control
(axofupld.dll) when processing property
assignments. These can be exploited to
cause heap-based buffer overflows via
overly long strings assigned to e.g. the
"SITEURL", "UPLOADURL",
"SESSIONID", or "SOURCEID" properties.
Successful exploitation of the vulnerabilities
allows execution of arbitrary code.
The vulnerabilities are confirmed in version
1.0.1.54. Other versions may also be
affected.
Solution
Microsoft has set the kill-bit via MS10-034.
6. Prevention
Some prevention techniques:
 Code auditing (automated or manual)
 Developer training – bounds checking, use of
unsafe functions, and group standards
 Non-executable stacks – many operating systems
have at least some support for this
 Compiler tools – StackShield, StackGuard, and
Libsafe, among others
 Safe functions – use strncat instead of strcat,
strncpy instead of strcpy, etc
 Patches – Be sure to keep your web and
application servers fully patched, and be aware
of bug reports relating to applications upon
which your code is dependent.
 Periodically scan your application with one or
more of the commonly available scanners that
look for buffer overflow flaws in your server
products and your custom web applications [9].
7. Conclusion
The buffer overflow vulnerability can be considered as
a real threat in security systems.
The first step which allows it to occur is wrong
programming skills of developers and it is very difficult
to monitor each and every line of code. The different
techniques mentioned before will be effective only if the
programmers themselves build up this culture.
It remains no doubt that this vulnerability is a very serious
one and the fact that till date so many cases have been
reported and under investigation shows its severity and
impact.
8. References
[1] Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie
and Jonathan Walpole, “Buffer overflows attacks and
defenses for the vulnerability of the decade,” Oregon
Graduate Institute of Science & Technology.
[2] Marc.E Donaldson, “Inside the buffer overflow attack
mechanism method & prevention”, SANS Institute.
[3] Buffer Overflow on Wikipedia [online]. Available:
http://en.wikipedia.org/wiki/Buffer_overflow
[4] Search result of Buffer overflow on
http://cve.mitre.org [online]. Available:
http://cve.mitre.org/cgi-bin/cvekey.cgi?
keyword=buffer+overflow
[5] Search result of Buffer overflow on
http://web.nvd.nist.gov [online]. Available:
http://web.nvd.nist.gov/view/vuln/search-results?cid=2
[6] Zhimin Gu Jiandong Yao Jun Qin, “Buffer Overflow
Attacks on Linux Principles Analyzing and Protection”,
Beijing Institute of Technology
[7] M. Barnes, “Buffer overflow exploits: the why and
how”, McAfee April 2005
[8] Eric Chien and Péter Ször.” Blended Attacks Exploits,
Vulnerabilities and Buffer-Overflow Techniques in
Computer Viruses”, Symantec Security Response
[9]Buffer overflow on http://www.owasp.org [online].
Available:
http://www.owasp.org/index.php/Buffer_Overflows
[10] Search result of Buffer overflow on
http://secunia.com [online]. Available:
http://secunia.com/advisories/search/?
search=buffer+overflow