Introduction to Hacker Intermediate technology buffer overflow attack

As we all know, buffer overflow is a common and extremely dangerous loophole, which exists widely in various operating systems and applications. The use of buffer overflow attacks can lead to the failure of programs, system restarts, and other consequences.
More seriously, it can be used to execute non-authoritative instructions, and even gain system privileges to perform various illegal operations.

Buffer overflow attacks have multiple names in English: Buffer overflow,buffer overrun,smash The Stack,trash the stack,scribble the stack, the stack, memory Leak,overrun Screw; They refer to the same means of attack. The first buffer overflow attack –morris worm, which occurred ten years ago, has caused more than 6,000 network servers worldwide to crash.

In this paper, the principle of buffer overflow is analyzed.

Research on various types of buffer overflow vulnerabilities and attack methods;

Finally, it will focus on a variety of defensive tools to address the impact of these vulnerabilities.

First, the principle of buffer overflow

By writing content beyond its length to the program's buffer, the buffer overflows, thereby destroying the program's stack and allowing the program to execute other instructions in order to achieve the purpose of the attack. The cause of the buffer overflow is that the user input parameters are not carefully checked in the program. For example, the following program:

void function (char *str) {

Char buffer[16]; Array overflow

strcpy (BUFFER,STR);

}

The strcpy () above will copy the contents of STR directly into buffer. As long as the length of STR is greater than 16, it will cause buffer overflow and make the program run in error. There are standard functions such as strcpy such as strcat (), sprintf (), vsprintf (), Get (), scanf () and so on.

Of course, simply filling in the buffer to cause it to overflow will generally only appear "segmentation error" (segmentation fault), but not to achieve the purpose of the attack. The most common approach is to make the program run a user shell by making a buffer overflow, and then execute other commands through the shell. If the program is rooted and has suid permissions, the attacker obtains a root-privileged shell that can perform arbitrary operations on the system.

Buffer overflow attacks are a common security attack means because buffer overflow vulnerabilities are too common and easy to implement. Also, a buffer overflow is the primary means of a remote attack because the buffer overflow vulnerability gives the attacker everything he wants: implant and execute the attack code. The injected attack code runs a program with a buffer overflow vulnerability with certain privileges to gain control of the attacked host.

Of the 5 remote attacks that the Lincoln lab used to evaluate intrusion detection in 1998, 2 were buffer overflows. Of the 13 recommendations cert in 1998, 9 were related to buffer overruns, and in 1999, at least half of the recommendations were related to buffer overruns. In Bugtraq's survey, 2/3 of respondents considered buffer overflow vulnerabilities to be a serious security issue.

Buffer overflow vulnerabilities and attacks come in many forms, and they are described and categorized in the second section. The corresponding defense means also vary depending on the attack method, as described in section fourth, which includes an effective defense against each type of attack.

Second, buffer overflow vulnerabilities and attacks

The purpose of a buffer overflow attack is to disrupt the functionality of a program that has certain privileges to run, which allows an attacker to take control of the program, and if the program has sufficient permissions, the entire host is controlled. In general, an attacker attacks the root program and executes a shell similar to "exec (SH)" execution code to gain root privileges. To achieve this goal, the attacker must achieve the following two goals:

1. Arrange the appropriate code in the program's address space.

   1. With the appropriate initialization register and memory, the program jumps to the address space that the intruder arranges for execution.

The buffer overflow attacks are categorized according to these two targets.

In section Two, 1, you will describe how the attack code is placed in the address space of the attacking program.

In section Two, 2, you will learn how an attacker can overflow a program's buffer and perform a transfer to the attack code (this is the origin of the "overflow").

In section Two, 3, the code that is discussed in the first two sections is combined with the techniques that control the process of executing the program.

Two. 1 methods for arranging the appropriate code in the program's address space

There are two ways to arrange the attack code in the address space of the attacked program:

1. Implant Method:

The attacker enters a string into the attacked program, and the program puts the string in the buffer. This string contains information about the sequence of instructions that can be run on the compromised hardware platform. Here, the attacker uses the buffer of the attacking program to hold the attack code. Buffers can be set anywhere: stacks (stack, automatic variables), heap (heap, dynamically allocated memory area), and static data areas.

2. Take advantage of existing code:

Sometimes, the attacker wants code that is already in the program being attacked (the code itself has an overflow problem), and all the attackers have to do is pass some parameters to the code. For example, the attack code requires exec ("/bin/sh"), while the code in the LIBC library executes "exec (ARG)", where Arg makes a pointer to a string parameter, then the attacker simply redirect the incoming parameter pointer to "/BIN/SH".

Two. 2 How the control program moves to the attack code

All of these methods are seeking to change the execution process of the program to jump to the attack code. The most basic is to overflow a buffer without boundary checks or other weaknesses, which disrupts the normal execution order of the program. By spilling a buffer, an attacker could use the brute force method to rewrite the adjacent program space and skip the system's check directly.

The baseline for classification is the type of program space that an attacker seeks for a buffer overflow. In principle, there can be arbitrary space. In fact, many buffer overflows are using brute force methods to seek to change the program pointer. The difference between such programs is that the breakout of the program space and the location of the memory space are different. There are mainly the following three kinds: 1, activity record (Activation Records):

Whenever a function call occurs, the caller leaves an activity record in the stack that contains the address returned at the end of the function. The attacker points the return address to the attack code by spilling an automatic variable in the stack. By changing the return address of the program, when the function call ends, the program jumps to the address set by the attacker, not the original address. This type of buffer overflow is called a stack overflow attack (smashing Attack), which is the most commonly used buffer overflow attack mode.

2. function pointer (functions pointers):

function pointers can be used to locate any address space. For example: "Void (* foo) ()" Declares a function pointer variable foo with a return value of void. So an attacker could simply find an overflow buffer near the function pointer in any space and then overflow the buffer to change the function pointer. At some point, when a program invokes a function through a function pointer, the program's process is implemented according to the attacker's intent. One of its attack paradigms is the Superprobe program under the Linux system.

3. Long jump Buffer (Longjmp buffers):

A simple inspection/recovery system, called SETJMP/LONGJMP, is included in the C language. It means to set "setjmp" at the checkpoint and use "longjmp" to restore the checkpoint. However, if an attacker is able to enter the buffer space, then "longjmp" is actually the code that jumps to the attacker. Like a function pointer, the LONGJMP buffer can point to anywhere, so what an attacker has to do is find a buffer that can overflow. A typical example would be a buffer overflow vulnerability in Perl 5.003, where an attacker would first enter the longjmp buffer used to recover a buffer overflow and then induce the recovery mode so that the Perl interpreter jumps to the attack code.

Two. A comprehensive analysis of 3 code implantation and Process Control techniques

The simplest and most common type of buffer overflow attack is the combination of code insertion and activity logging techniques in a single string. An attacker locates an automatic variable that can be overrun, and then passes a large string to the program, inserting the code while triggering a buffer overflow and altering the activity record. This is the template of the attack identified by Levy. Because C is accustomed to only creating very small buffers for users and parameters, instances of this vulnerability attack are common.

Code implantation and buffer overflow do not have to be done within a single action. An attacker could place code within a buffer, which is a buffer that cannot overflow. The attacker then transfers a pointer to the program by spilling another buffer. This approach is typically used to resolve situations where the buffer that is available for overflow is not large enough to let go of all the code.

If an attacker tries to use an already resident code rather than an external implant, they will usually have to call the code as a parameter. For example, part of the code snippet in libc (which almost all C programs want to connect to) executes "exec (something)", where somthing is the parameter. The attacker then uses a buffer overflow to change the program's parameters and then uses another buffer overflow to point the program pointer to a specific code snippet in libc.

The experimental analysis of buffer overflow attack

In January 2000, the Cerberus security team released a buffer overflow vulnerability that existed in Microsoft's IIS 4/5. The vulnerability could be exploited to cause the Web server to crash and even get super privileges to execute arbitrary code. At present, Microsoft's IIS 4/5 is a mainstream Web server program, thus, the buffer overflow vulnerability to the security of the site poses a great threat; it is described as follows:

The browser makes an HTTP request to IIS, after the domain name (or IP address), plus a file name, which is suffixed with ". htr". So IIS thinks the client is requesting an ". htr" file, and the ". htr" extension file is imaged as an ISAPI (Internet Service API) application, and IIS resets the request to ISM for all ". htr" resources. DLL program, ISM. DLL to open the file and execute it.

The file name contained in a browser-submitted request is stored in a local variable buffer, which, if it is longer than 600 characters, causes the local variable buffer to overflow, overwriting the return address space and causing IIS to crash. Further, a well-designed code can be implanted in the buffer, allowing it to run with system super privileges.

Four, the protection method of buffer overflow attack

Buffer overflow attacks account for the overwhelming majority of remote network attacks, which can give an anonymous Internet user the opportunity to gain some or all of the control of a single host. If a buffer overflow vulnerability can be effectively eliminated, a large percentage of security threats can be mitigated.

There are currently four basic ways to protect buffers from buffer overflow attacks and effects.

1. The buffer is not executable through the operating system, which prevents an attacker from implanting the attack code.

2. The method of forcing the correct code to be written.

3. Use the compiler's boundary check to implement buffer protection. This method makes buffer overflow impossible, thus completely eliminating the threat of buffer overflow, but only relatively.

————————————————————————————————————

"The article originates from the network, pays tribute to the original author deeply"

Introduction to Hacker Intermediate technology buffer overflow attack