Buffer overflow attack

Author: Cold Dew

Source: Internet
Author: User

Anyone who has spent time on the internet has probably heard of buffer overflow. It is a well-known and very dangerous vulnerability class, found in operating systems and application programs alike, and it is the most common type of security hole and the one most frequently exploited by hackers. Knowledge about buffer overflows is therefore necessary for hackers, administrators, and average Internet users.

Concept and principle of Buffer Overflow

A buffer is a place in memory where data is stored. A buffer overflow occurs when a program tries to place more data into a memory location than there is room for. An attacker deliberately triggers one by writing a string longer than the buffer and feeding it to the program. When an over-long string is placed into a buffer of limited size, two results may occur. First, the excess overwrites the adjacent storage units, causing the program to misbehave and, in severe cases, the system to crash. Second, the attacker can execute arbitrary commands and even obtain root privilege on the system. Most buffer overflows are caused by programs failing to check user-supplied input carefully.

A buffer is a contiguous block of memory that holds data of a given type while the program is running. Problems arise with dynamically allocated variables: to avoid consuming too much memory, a program that allocates variables dynamically decides how much memory to give them only at run time, and if data longer than that allocation is written into such a buffer, it overflows. A buffer overflow exploit uses the overflowing data to place machine code (typically written in assembly) into the machine's memory, usually to obtain root privileges. A single overflow is not by itself the root of the problem; the danger is that the excess data lands in a region where it is executed with root privileges, and once it runs, the machine is compromised.
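The mechanism described above, as an added example written for this article (it is not code from the original): a record holds an 8-byte name field immediately followed by a 1-byte privilege flag. The record layout, the input and the two copy routines are all constructed for the demonstration; the layout is kept as one raw byte region so the overrun stays defined behaviour. The unchecked copy trusts the caller's length and spills into the adjacent flag, while the checked copy rejects input that does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout: an 8-byte name field followed immediately by a
 * 1-byte "is_admin" flag, stored in one raw byte region so that writing past
 * the name field stays defined behaviour for this demonstration. */
#define NAME_LEN 8
#define RECORD_LEN (NAME_LEN + 1)

/* Unchecked copy: trusts the caller-supplied length, the pattern the article
 * describes (input size never compared against the buffer size). */
static void store_name_unchecked(unsigned char *record, const char *name, size_t len) {
    memcpy(record, name, len);            /* len > NAME_LEN spills into the flag */
}

/* Checked copy: refuses input that does not fit, so the flag is never touched. */
static int store_name_checked(unsigned char *record, const char *name, size_t len) {
    if (len > NAME_LEN) {
        return -1;                        /* caller must handle the rejection */
    }
    memset(record, 0, NAME_LEN);
    memcpy(record, name, len);
    return 0;
}

/* Returns the flag byte after an unchecked copy: non-zero means the overrun
 * reached the adjacent storage unit. */
int admin_flag_after_unchecked_copy(const char *name, size_t len) {
    unsigned char record[RECORD_LEN] = {0};
    store_name_unchecked(record, name, len);
    return record[NAME_LEN];
}

/* Same layout with the checked copy; *rejected reports whether it refused. */
int admin_flag_after_checked_copy(const char *name, size_t len, int *rejected) {
    unsigned char record[RECORD_LEN] = {0};
    *rejected = (store_name_checked(record, name, len) != 0);
    return record[NAME_LEN];
}

int main(void) {
    /* Constructed oversized input: 8 bytes of name plus one extra byte 0x01 */
    const char oversized[] = "AAAAAAAA\x01";
    int rejected = 0;
    int flag_checked;
    printf("unchecked: flag=%d\n", admin_flag_after_unchecked_copy(oversized, 9));
    flag_checked = admin_flag_after_checked_copy(oversized, 9, &rejected);
    printf("checked:   flag=%d rejected=%d\n", flag_checked, rejected);
    return 0;
}
```

The ninth input byte lands exactly on the flag in the unchecked case, which is the "excess overwrites the adjacent storage unit" outcome; the length check is the input validation the paragraph says is usually missing.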

Buffer overflow vulnerability attack methods

A buffer overflow vulnerability lets a hacker gain control of the machine, up to and including the highest privilege level. Generally the target is a program that runs as root, and most attacks obtain a root shell by executing code equivalent to "exec(sh)". To achieve this, the attacker must complete two tasks: place suitable code in the program's address space, and make the program jump to that code by setting up registers and memory appropriately.

● Placing suitable code in the program's address space:

Placing suitable code in the program's address space is relatively simple, but it also depends on luck. If the required code already exists in the attacked program, the attacker only needs to pass it the right parameters and redirect execution to it. For example, the attack needs the effect of "exec('/bin/sh')", and the libc library contains code that performs "exec(arg)" where "arg" is a pointer to a string; it suffices to point the passed parameter at the string "/bin/sh" and jump to the corresponding instruction sequence in libc. Of course, this situation is rare, so the usual method is "implantation": the attacker feeds a string to the program, the program stores the string in a buffer, and the string's contents are an instruction sequence that runs on the target hardware platform. The buffer can be anywhere: the stack (automatic variables), the heap (dynamically allocated memory), or the static data area (initialized or uninitialized data). No buffer needs to be overflowed for this step; it is enough to find space large enough to hold the attack code.

● Transferring control to the attack code:

All of these methods aim to change the program's flow of execution and redirect it to the attack code. The most basic is to overflow a buffer that is not bounds-checked, or to exploit another defect, so that the program's normal execution order is disrupted: by overflowing a buffer, an attacker can overwrite adjacent program data and jump directly past the system's identity check. In principle the program space targeted by the overflow can be anywhere, but different locations require different ways of redirecting control, so there are several transfer methods.

1. Function pointers

In a program, "void (*foo)()" declares a variable "foo" that is a pointer to a function returning "void". A function pointer can point to any address. The attack finds an overflowable buffer adjacent to a function pointer and overflows it to change the pointer; when the program later calls through that pointer, execution goes wherever the pointer now points. The superprobe program on Linux is a case you can try.

2. Activation records

When a function is called, an activation record is pushed onto the stack; it includes the address the function returns to when it ends. An attacker overflows an automatic variable so that the stored return address points at the attack code, changing where the program returns: when the function call ends, the program jumps to the preset address instead of the original one. This kind of overflow is very common. When running a vulnerability scanner (SATAN on Unix or Retina on NT), pay attention to the "stack smashing attack" findings. Haha.

3. Longjmp buffers

The C language includes a simple checkpoint/recovery mechanism called "setjmp/longjmp": "setjmp(buffer)" sets a checkpoint and "longjmp(buffer)" restores it. If an attacker can overwrite that buffer, "longjmp(buffer)" becomes in effect a jump to the attack code. Like function pointers, a longjmp buffer can point anywhere, so finding a buffer to overflow is the first thing to do.
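How the checkpoint/recovery mechanism works in legitimate use, as an added example that is not part of the original article. The parsing routine, its fixed-size field and the status codes are constructed for the demonstration. `setjmp` records the stack state and resume address in the `jmp_buf`; `longjmp` restores them, which is exactly why a `jmp_buf` kept in memory next to an overflowable buffer is the target the article describes.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

/* Checkpoint state. The jmp_buf stores the saved stack pointer and the
 * address longjmp() will resume at; if memory adjacent to it can overflow,
 * the resume address is exposed to being overwritten. */
static jmp_buf checkpoint;

/* Constructed worker: copies a field into a fixed-size output and "fails"
 * by unwinding to the checkpoint instead of returning an error code. */
static void parse_field(char *out, size_t out_len, const char *in) {
    size_t n = strlen(in);
    if (n >= out_len) {
        longjmp(checkpoint, 2);   /* resume at setjmp() with status 2 */
    }
    memcpy(out, in, n + 1);       /* fits, including the terminator */
}

/* Returns 0 if the field parsed, otherwise the status passed to longjmp().
 * On the recovery path the partial output is cleared before returning. */
int parse_with_checkpoint(const char *in, char *out, size_t out_len) {
    int status = setjmp(checkpoint);   /* 0 on the first pass through */
    if (status != 0) {
        out[0] = '\0';
        return status;
    }
    parse_field(out, out_len, in);
    return 0;
}

int main(void) {
    char out[8];
    int status;
    status = parse_with_checkpoint("short", out, sizeof out);
    printf("status=%d out=\"%s\"\n", status, out);
    status = parse_with_checkpoint("definitely-too-long", out, sizeof out);
    printf("status=%d out=\"%s\"\n", status, out);
    return 0;
}
```

The second call never reaches the `memcpy`, because the length check fires first and `longjmp` carries control back to the `setjmp` site; only the frame that called `setjmp` must still be live for this to be valid.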

● Combining code implantation and control-flow transfer

The common form of buffer overflow attack combines code implantation and the activation-record method in a single string. The attacker locates an automatic variable that can overflow, then passes a large string to the program; when the buffer overflows and changes the activation record, the code is implanted at the same time (C typically allocates only a small buffer for user input and parameters). Code implantation and buffer overflow do not have to happen in one step. Code can be placed in one buffer without overflowing it, and the program's pointer redirected by overflowing another buffer; this is generally done when the overflowable buffer cannot hold all of the code. If the attacker wants to use code already resident in the program rather than implanting any, the parameters must be set up first: some code segments in libc (which, as C programmers know, almost every C program is now linked against) execute "exec(something)" where something is a parameter, so one buffer overflow changes the program's parameters and another points the program's pointer at that specific code segment in libc.

If you are interested in buffer overflows, look at Retina, developed by eEye, and the many attack instances that exploited the buffer overflow vulnerability in IIS 4.0. Information about them can be found at http://www.safefan.com (the Proud E network security group), a site network administrators should be familiar with.

Network security problems caused by programming errors also matter: the buffer overflow shows clearly how much the security of a program depends on how it is written.

Buffer overflow prevention

Since it was discovered and exploited, the buffer overflow vulnerability has been the biggest risk in network security. Many security researchers have studied these vulnerabilities carefully, yet complete prevention of buffer overflows is frequently defeated by human and other factors. This article briefly describes several protection methods against buffer overflow vulnerabilities.

Write code correctly

Nobody intentionally sets out to make mistakes when writing code, but the slightest error can have serious consequences (C's NUL-terminated strings are a classic source of unsafe handling). Correct coding is therefore critical.

The most primitive way to avoid these errors is to use grep to find calls in the source code to library functions that easily produce vulnerabilities, such as sprintf and strcpy; neither checks the length of its input. Some programmers use replacements for sprintf and strcpy, but problems remain, because these errors are easily hidden. This is why error-checking tools based on fault injection appeared: fault injection deliberately generates buffer overflows at chosen points to detect security defects in the code. Tools like these can reduce the number of buffer overflow vulnerabilities introduced during development, but eliminating them entirely is unrealistic, because such tools cannot find every place where a buffer can overflow. Repeatedly checking the code for vulnerabilities during development makes the program more complete and more secure.
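What a correct replacement for the two calls named above looks like, as an added example that is not code from the original article. The helper names and the greeting format are constructed for the demonstration. Two points the paragraph does not spell out: `strncpy` is not a safe drop-in for `strcpy` because it does not NUL-terminate when the source is too long, and `snprintf` never overruns but silently truncates, so its return value has to be checked.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy with guaranteed NUL termination. The length is checked up
 * front and input that does not fit is refused rather than truncated, so
 * the caller can never mistake a partial copy for a complete one. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) {
        return -1;
    }
    if (n >= dst_len) {              /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* copies the terminator too */
    return 0;
}

/* Bounded formatting. snprintf() writes at most dst_len bytes, but returns
 * the length the complete output would have had; a value >= dst_len means
 * the result was truncated and must not be treated as complete. */
int format_greeting(char *dst, size_t dst_len, const char *user) {
    int needed = snprintf(dst, dst_len, "Hello, %s!", user);
    if (needed < 0 || (size_t)needed >= dst_len) {
        return -1;                   /* encoding error or truncation */
    }
    return needed;                   /* length actually written */
}

int main(void) {
    char buf[16];
    /* Constructed inputs: one that fits and one that does not. */
    printf("%d \"%s\"\n", format_greeting(buf, sizeof buf, "Ann"), buf);
    printf("%d \"%s\"\n", format_greeting(buf, sizeof buf, "ABCDEFGHIJ"), buf);
    printf("%d\n", copy_bounded(buf, 4, "toolong"));
    return 0;
}
```

Checking the `snprintf` return value is the step most often skipped: the call itself is memory-safe, but code that then uses the truncated string as if it were complete has a logic bug of its own.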

Non-executable buffers

In older versions of UNIX, the program's data segment was not executable, which made it impossible for a hacker to execute code implanted in a buffer. Current UNIX and Windows systems, however, for reasons of performance and functionality, frequently place executable code in the data segment dynamically, and to preserve program compatibility it is not possible to make the data segments of all programs non-executable. By making only the stack segment non-executable, program compatibility can be preserved to a large extent. Patches for this exist for UNIX, Linux, Windows, and Solaris.

Check array bounds
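An added example of the check this heading names, not code from the original article. The lookup table and the slice-validation helper are constructed for the demonstration. It covers the three mistakes that most often slip past a bounds check: an index that is negative, an upper bound compared with `<=` instead of `<`, and an offset-plus-length test written as `off + len <= buf_len`, which wraps around when the sum overflows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 4
/* Constructed lookup table: a permission mask per privilege level. */
static const uint8_t perm_table[TABLE_LEN] = { 0x01, 0x03, 0x07, 0x0F };

/* Checked table lookup. The index is taken as a signed value because it
 * usually arrives parsed from input; testing only "idx < TABLE_LEN" would
 * admit a negative index, and casting to unsigned first would hide it. */
int lookup_perm(long idx, uint8_t *out) {
    if (idx < 0 || idx >= TABLE_LEN) {     /* strict upper bound: 0..TABLE_LEN-1 */
        return -1;
    }
    *out = perm_table[idx];
    return 0;
}

/* Returns 1 if [off, off + len) lies inside a buffer of buf_len bytes.
 * Written as a subtraction so the test cannot wrap around: with a huge len,
 * "off + len <= buf_len" would overflow and pass. */
int slice_in_bounds(size_t buf_len, size_t off, size_t len) {
    if (len > buf_len) {
        return 0;
    }
    return off <= buf_len - len;
}

int main(void) {
    uint8_t perm = 0;
    /* Constructed probes: one valid index, one negative, one just past the end. */
    printf("idx 3:  rc=%d perm=0x%02x\n", lookup_perm(3, &perm), perm);
    printf("idx -1: rc=%d\n", lookup_perm(-1, &perm));
    printf("idx 4:  rc=%d\n", lookup_perm(4, &perm));
    printf("slice 90+10 in 100: %d\n", slice_in_bounds(100, 90, 10));
    printf("slice 91+10 in 100: %d\n", slice_in_bounds(100, 91, 10));
    printf("slice 5+SIZE_MAX in 100: %d\n", slice_in_bounds(100, 5, SIZE_MAX));
    return 0;
}
```

The subtraction form of the slice check is the one to reuse whenever a length and an offset both come from input, for example when walking a packet or file format.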
