Old 08-25-2003, 01:00 PM   #1
Joshua
Rear Admiral Upper Half
Join Date: Jan 2001
Location: Long Island, NY
Posts: 3,390
How buffer overflows work...

Is Your Buffer Overflowing?

A W2KNews reader wrote last week to ask that we give a little
background on what a buffer overflow is and how it is used to
enable virus or Trojan attacks. To fully understand how these
attacks work, you need some programming knowledge, but here's
the short form: A buffer is a holding place in memory where data
is stored temporarily. It's created by the programmer so that
different processes that operate at different speeds can work
together without one impeding the operation of the others. The
program will allocate a specified amount of memory for the
buffer. If a process tries to put more data in the buffer than
is allocated, you get an overflow. When that happens, the extra
data can overwrite data in other buffers that are adjacent in
memory to the overflowing one. If the adjacent area in memory is
one that holds program instructions, the extra data can
overwrite the instructions with new ones.

Buffer overflows can be intentionally created by hackers, who
include in the extra data code that provides malicious
instructions to the computer that's the target of the attack.

Our reader also asked why this type of error is so prevalent in
Microsoft products. Actually, buffer overflow vulnerability is
not limited to Windows or any specific platform. The real
culprit is the C programming language. UNIX and Linux are also
subject to buffer overflows and thus to attacks that exploit
them. In fact, a Google search on "buffer overflow attacks"
turns up numerous articles related to non-Microsoft operating
systems. One of the first famous attacks that used a buffer
overflow (of the UNIX service called "finger") was the Internet
Worm of 1988.
__________________
The Apexer formerly known as SnotRocket.

"Like I ****ing said, "Ok, so I hear it may be a repost. Blah But I had never seen it, so..." **** you Canta." -Jenny 12/4/2003
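As an added illustration of the overwrite the newsletter describes (example code written for this page, not from W2KNews or the original post), here is a small C program in which an 8-byte buffer sits directly in front of a variable the program trusts. The struct, the field names and the input string "AAAAAAAABBBB" are constructed for the demonstration; the unchecked copy runs past the end of the buffer into the neighbouring variable, while the bounded copy is the fix a programmer should have written.

```c
#include <stdio.h>
#include <string.h>

/* A fixed-size buffer with some other data lying right next to it in
 * memory. In a real program the neighbour might be another buffer, a
 * saved return address, or (as here) a variable the program trusts. */
struct request {
    char name[8];           /* the buffer: room for 7 characters + NUL */
    unsigned int is_admin;  /* adjacent data; the program expects 0 here */
};

/* The bug: copy every byte of the input without asking whether it fits.
 * Written as a byte loop over the whole struct so the demonstration stays
 * inside one object (well-defined C): the write never leaves the struct,
 * but it does run past the end of name[] into is_admin. */
void unchecked_copy(struct request *r, const char *input, size_t len)
{
    unsigned char *raw = (unsigned char *)r;
    if (len > sizeof *r)
        len = sizeof *r;        /* clamp only so the demo cannot escape the struct */
    for (size_t i = 0; i < len; i++)
        raw[i] = (unsigned char)input[i];
}

/* The fix: never copy more than the buffer holds, and always terminate it. */
void bounded_copy(struct request *r, const char *input, size_t len)
{
    size_t max = sizeof r->name - 1;
    if (len > max)
        len = max;              /* truncate (or reject) oversized input */
    memcpy(r->name, input, len);
    r->name[len] = '\0';
}

/* Value of is_admin after copying input with one of the two routines. */
unsigned int admin_after_copy(int bounded, const char *input)
{
    struct request r;
    memset(&r, 0, sizeof r);
    if (bounded)
        bounded_copy(&r, input, strlen(input));
    else
        unchecked_copy(&r, input, strlen(input));
    return r.is_admin;
}

/* Length of name[] after a bounded copy (never more than 7). */
size_t name_len_after_bounded(const char *input)
{
    struct request r;
    memset(&r, 0, sizeof r);
    bounded_copy(&r, input, strlen(input));
    return strlen(r.name);
}

int main(void)
{
    /* Constructed input: 8 bytes fill name[] completely, the next 4 land in is_admin. */
    const char *input = "AAAAAAAABBBB";
    printf("unchecked: is_admin = 0x%08x\n", admin_after_copy(0, input));
    printf("bounded:   is_admin = 0x%08x, name length %zu\n",
           admin_after_copy(1, input), name_len_after_bounded(input));
    return 0;
}
```

The unchecked version leaves is_admin holding the bytes 'BBBB' (0x42424242) on any platform where the integer follows the 8-byte array directly, which is exactly the "extra data overwrites adjacent data" situation the newsletter describes; the bounded version keeps it at 0 and keeps name[] properly terminated.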
Old 08-26-2003, 05:43 AM   #2
johnnymk
Chief of Naval Operations
Join Date: May 2000
Location: LEVITTOWN, PA, USA
Posts: 13,621
Is this similar to swapfile? Can it be customized on newer OS?
Old 08-26-2003, 08:57 AM   #3
Joshua
Rear Admiral Upper Half
Join Date: Jan 2001
Location: Long Island, NY
Posts: 3,390
Swapfile is on the physical hard drive and is used as virtual memory. The system keeps current and high use data in RAM and moves lesser used data to the pagefile.

What they are referring to is the RAM space: all the space in RAM is addressed, meaning you can actually choose a specific place in RAM to store the data that your program is producing OR the program itself.

As to whether it can be customized, I don't think I understand your question. If you mean can you use the space as a user, YES!

You can create a RAM drive. Basically you can make Windows see a specific amount of RAM space as a drive letter. The cool part of this is that it is REALLY fast. The problem is that as soon as you reboot or power down your machine, you will lose everything in the RAM drive.
Old 08-27-2003, 05:27 PM   #4
rajatQ2
Commander
Join Date: Jan 2001
Location: boston, ma
Posts: 1,020
Johnny,
A buffer is much lower-level than a swap file. They are pretty unrelated. A buffer has only a short lifespan; the programmer creates the buffer to wait for his input, then once the buffer is full, you can process that info, and free up the buffer for more incoming data, or have it stop listening.

The swap file, on the other hand, can be thought of as another memory area, like your RAM, except much slower. Most of the time, the OS handles all the paging, which means transferring data between main memory and the swap file. Application programmers don't have much control over it, and, logically speaking (but who knows what happens at M$), the pagefile should not be susceptible to any exterior attacks, such as buffer overflow attacks. The main reason is, you can never predict what the OS will have stored at a specific location on a specific computer, in their page file.

However, if you know that a specific service is running on a machine, say IIS for example, then you can systematically send it arguments of all different sorts until you find a buffer you can overflow! M$ runs _Tons_ of concurrent services, so exploit as many as you can!! For example the latest worms exploit the Dcom vulnerabilities. That is just one of the services you've probably got running now and don't know anything about.

That will either make the whole process clearer to you or confuse you a lot.
-rb
Old 08-30-2003, 04:22 PM   #5
johnnymk
Chief of Naval Operations
Join Date: May 2000
Location: LEVITTOWN, PA, USA
Posts: 13,621
Thanks, guys
Old 08-31-2003, 07:46 PM   #6
rajatQ2
Commander
Join Date: Jan 2001
Location: boston, ma
Posts: 1,020
Oh, just for reference, here is the string that was used by the Code Red worm to overflow a buffer in IIS web server:
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
When used, that allows the exploiting process to access System space and gain control of the system.

See all those X's? It's probably way too much for whatever buffer is there.

Thanks, Microsoft. I pulled that from my Apache logs on my LINUX box.
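The request above is easy to spot in a web log precisely because of what the poster points out: a huge run of one padding byte, followed by %u-encoded bytes where a real query string would carry parameters. As an added example (written for this page, not taken from the thread or from any product), here is a small C detector that applies those two heuristics to a request line. The thresholds RUN_THRESHOLD and ESCAPE_THRESHOLD, the function names and the sample request lines are all constructed for the demonstration; the shortened Code Red-shaped sample is built in code rather than copied from a log.

```c
#include <stdio.h>
#include <string.h>

/* Constructed cut-offs for the heuristics: a legitimate query string rarely
 * repeats one byte 100 times or carries many %uXXXX escapes. Tune for your logs. */
#define RUN_THRESHOLD 100
#define ESCAPE_THRESHOLD 8

/* Longest run of one repeated byte in s. */
size_t longest_run(const char *s)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        cur = (i > 0 && s[i] == s[i - 1]) ? cur + 1 : 1;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Number of "%u" escapes in s (the form Code Red used to smuggle machine code). */
size_t count_u_escapes(const char *s)
{
    size_t n = 0;
    for (const char *p = strstr(s, "%u"); p != NULL; p = strstr(p + 2, "%u"))
        n++;
    return n;
}

/* 1 when the request line targets an .ida handler and its query string looks
 * like a padding-plus-payload blob rather than a real query; 0 otherwise. */
int looks_like_ida_overflow(const char *request_line)
{
    char query[1024];
    const char *q = strstr(request_line, ".ida?");
    if (q == NULL)
        return 0;
    q += strlen(".ida?");
    /* Copy only the query string, and only as much as our own buffer holds. */
    size_t n = strcspn(q, " ");
    if (n > sizeof query - 1)
        n = sizeof query - 1;
    memcpy(query, q, n);
    query[n] = '\0';
    return longest_run(query) >= RUN_THRESHOLD ||
           count_u_escapes(query) >= ESCAPE_THRESHOLD;
}

/* Builds a constructed Code Red-shaped request line with x_count 'X' padding
 * bytes (a stand-in for the real string, not copied from any log) and
 * returns the detector's verdict on it; -1 if it will not fit the sample buffer. */
int sample_is_flagged(size_t x_count)
{
    static char line[2048];
    const char *head = "GET /default.ida?";
    const char *tail = "%u9090%u6858%ucbd3%u7801 HTTP/1.0";
    if (strlen(head) + x_count + strlen(tail) + 1 > sizeof line)
        return -1;
    strcpy(line, head);
    memset(line + strlen(head), 'X', x_count);
    strcpy(line + strlen(head) + x_count, tail);
    return looks_like_ida_overflow(line);
}

int main(void)
{
    /* Constructed log entries, not real traffic. */
    const char *ordinary = "GET /index.html HTTP/1.0";
    printf("%-26s -> %d\n", ordinary, looks_like_ida_overflow(ordinary));
    printf("default.ida with 5 X   -> %d\n", sample_is_flagged(5));
    printf("default.ida with 224 X -> %d\n", sample_is_flagged(224));
    return 0;
}
```

Note that the detector itself copies the query string with an explicit length check and terminator, the same discipline whose absence in the .ida handler made the worm possible; an IDS or log scanner is just as exposed to oversized input as the server it watches.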