Buffer Overflows

Buffer Overflow Overview

Buffer overflows are the classic security vulnerability: they have been around since the beginning of programming and are still occurring everywhere today. Buffer overflows remain very prevalent in software and continue to be a bane of security professionals and software products.

A buffer overflow is where memory has been overwritten on the stack. Typically this occurs by sending a very large amount of data to the application and placing a malicious payload at the end of that data. The sending of this large amount of data is where the problems start. The input data should have been validated. It should have been cleansed and verified. But for some reason it was not :) Maybe that is why you are reading this site. Whatever the reason, it has occurred. Hopefully before the product was released.

This large amount of data is copied, typically into a region of memory of a prespecified size. Take for example an application that is attempting to copy an integer, but instead receives an enormous amount of data, twice as big as the space reserved for an integer. With an unchecked copy, the data is too big for its destination, so it spills into the next location in memory and is placed on the stack.

Now that the large data has been placed on the stack, at some later point this information will be pulled off the stack and executed. This could happen immediately or at some later time, or the overflow could simply be used to corrupt other data in memory.

Imagine this occurring and now imagine what a malicious user could do with this type of vulnerability. It's up to you to discover this flaw and help in the process of identifying a fix.

What can a buffer overflow do?

A malicious user can use a known buffer overflow to cause havoc in a web application or website. A buffer overflow can be used to hack into the underlying server, to gain control of a portion of the website that normally cannot be reached, or to launch programs and commands from the stack. A buffer overflow can be used to perform a Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS) attack. A buffer overflow can be used to gain access that was never granted, or to learn more about the architecture of the software application or product. Basically, a buffer overflow is a crack in your software application that a malicious user can use to pry open not only your software, but the server it resides on, the entire website, or even the company's network. Buffer overflows need to be checked and tested for. Without a proper testing plan and security testing matrix, you will not know what to be prepared for.

How to protect against buffer overflows

To protect against buffer overflows, input validation is required. Any field, form entry, or other method by which input is received could be a potential point of vulnerability for a buffer overflow. This includes not only form fields, but HTTP headers that are consumed, XML interfaces, or any other type of input accepted. Broaden your mind and think of all the possible locations where input is accepted in your software application. There are a lot. The more you think about it, the more areas there are that need to be tested.

Some of the simpler things a developer should do are to set limits on the allowed size of each input. Even though someone could have a name with 100 characters in it, limit the size of the field. You need to know exactly the size of the potential data that is coming in. This could be as simple as setting the HTML size attribute on the input field, or using some JavaScript to check the field and validate the input. But be warned: this is not enough. A malicious user won't conform to using a browser that automatically enforces the input size and runs JavaScript to validate input. A malicious user could and will use something else: his own code, netcat, or some other substitute for a browser that gets around these simple checks. The input must be validated within the web application's code itself.

To recap HTML form checking, try to do the following:

  • Limit HTML input fields with the HTML size attribute
  • URL-encode all input, to protect against special characters
  • Use JavaScript to perform the initial input validation
  • Most important, the underlying code must verify and sanitize the input provided
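The copy described above and the server-side length check the list ends with, as an added C example that is not part of the original page: `copy_name_unchecked` is the unsafe pattern (a copy that ignores the destination size), and `copy_name_checked` is the hardened form that validates the length in the application code before copying. The buffer size `NAME_MAX` and both function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination buffer; the size is an assumption for this example. */
#define NAME_MAX 32

/* Unsafe pattern, shown for comparison only: strcpy copies until it finds a NUL
   and never looks at the size of dst, so an input of NAME_MAX bytes or more
   overwrites whatever sits after the buffer in memory. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: reject anything that does not fit, *before* copying.
   Returns true on success; on failure dst is left as an empty string and the
   caller must treat the request as invalid rather than continue with it. */
bool copy_name_checked(char dst[NAME_MAX], const char *src)
{
    /* Look for the terminator only within the first NAME_MAX bytes so the check
       itself never reads past what the buffer could legitimately hold. */
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL) {           /* NAME_MAX or more bytes: no room for the NUL */
        dst[0] = '\0';
        return false;
    }
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);   /* len + 1 <= NAME_MAX, so this cannot overflow */
    return true;
}

int main(void)
{
    char name[NAME_MAX];

    /* Constructed inputs: one that fits and one that is far too long. */
    const char *ok_input = "Alice";
    char long_input[100];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    printf("short input accepted: %d\n", copy_name_checked(name, ok_input));
    printf("long input accepted:  %d\n", copy_name_checked(name, long_input));
    return 0;
}
```

The same check applies to every input source the page lists (form fields, HTTP headers, XML), because the server-side code, not the browser, is the only place the limit is guaranteed to be enforced.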