June 3, 2016 By Paul Ionescu 4 min read

In the previous two chapters of this series, we talked about how a hacker can conduct attacks with SQL injection and OS command injection. These software weaknesses are in the top two positions in the SANS Top 25. Now we move on to the programming flaw at No. 3: buffer overflow.

Buffer overflows are caused by improper memory handling in languages such as C and C++, which do not check array bounds for you. Memory-corruption flaws are a major source of zero-day exploits and are extremely dangerous. In fact, the price of a memory flaw on the black market would be higher than the price of an SQL injection. It would climb even higher if the flaw is found in commonly used software such as Adobe Reader, Adobe Flash or web browsers.

In the first article of the series, I mentioned Pwn2Own, a contest held during the CanSecWest security conference. The payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox. Vupen, a company that specializes in selling zero-days to the highest bidder, found 11 of these issues for a prize of $400,000.

Many of the zero-days disclosed at Pwn2Own are memory flaws. For example, CVE-2012-1876 is a buffer overflow in Internet Explorer, and CVE-2014-1303 is a buffer overflow in Apple Safari.

How a Hacker Uses Memory Flaws in Cyber Espionage

These types of flaws are coveted by attackers for a simple reason: exploiting one typically gives the attacker complete control over the victim’s machine. By corrupting the memory of the running application, the attacker redirects its execution to instructions of their own choosing. From there, the bad guys can download malware and pivot from the compromised machine into the internal network.

Threatpost gave the example of an attack conducted by a Chinese espionage group. The attackers used a buffer overflow vulnerability in Flash Player.

The attack was planted in a widget on the Forbes website. When a victim visited Forbes, the exploit triggered the flaw in the vulnerable Flash Player plugin, which then downloaded and executed malicious code. The malware immediately started collecting information about the compromised computer and its network environment.


About the Programming Flaw

Let’s look at an example of a simple C program that validates a password.

The code performs no check on the length of the user input and never verifies that the buffer receiving the data is large enough to hold it.

The table below shows the memory representation for our vulnerable program, where \0 stands for the null character:

If the user enters more than 16 “A” characters as the verification password, the copy runs past the end of the 16-byte buffer and overwrites the information stored at the 0x0111 address, the variable that happens to follow the buffer in memory.

You can see how, with the right number of characters followed by a null byte, the attacker can plant a value of their choosing at that location and bypass the simple password verification in the example program without ever knowing the password.

Even worse, the overflow can reach control data such as the function’s saved return address. Overwriting it redirects execution to instructions the attacker has planted or chosen, which means arbitrary code execution, as shown in the simplistic representation below.

Protecting From Memory Attacks

Memory-safe languages such as Java have long addressed the problem by managing memory and checking array bounds for the programmer. If you must write C/C++ code, keep the following best practices in mind:

  • Use bounded functions. For example, fgets (…) lets you limit the size of the input: fgets (userPass, 16, stdin) reads at most 15 characters plus the terminating null, which fits a 16-byte buffer and resolves the problem. snprintf and strncmp also take a length. Be careful with strncpy: when the source does not fit, it writes no terminating null, so you must add one yourself. Bounded functions truncate instead of overflowing; check their return values so that a truncated input is rejected rather than silently accepted.
  • Check the length of every input against the size of the buffer that will hold it, counting the terminating null, before copying it.
  • Never pass user input as the format string of a printf-style function; write printf (“%s”, input) instead. Using the input as the format leads to another memory flaw: format string injection.
  • Be careful both when allocating and when releasing memory. Use-after-free is another type of memory flaw in which the program keeps using a pointer to memory it has already freed. The allocator may hand that memory to a later allocation, so the data reached through the stale pointer can be attacker-controlled. Set pointers to NULL after freeing them and never free the same block twice.
  • Use hardening compiler flags. They turn on compiler and operating system defenses that make turning an overflow into code execution much harder: stack canaries (-fstack-protector-strong on GCC/Clang, /GS on MSVC), non-executable stacks and heaps (DEP/NX) and position-independent executables (-fPIE -pie, /DYNAMICBASE), so that address space layout randomization (ASLR) can randomize where code and data are loaded. ASLR and DEP are available on Windows, Linux and macOS alike.
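As an added example (not code from the original article, whose listing and memory table are not reproduced on this page), the program below puts the password check from the previous section beside the hardened version the list above recommends. It assumes a 16-byte userPass buffer with the authenticated flag declared immediately after it in a struct so that the overwrite is deterministic; the hard-coded secret, the struct layout and the names check_password_vulnerable, check_password_safe and read_password_line are assumptions of this example, not details taken from the article.

```c
/* Added example, not from the original article: a 16-byte password buffer,
 * first checked the vulnerable way, then hardened. The flag is placed right
 * after the buffer in a struct on purpose so the overwrite is deterministic
 * (the article's "0x0111"); on a real stack the frame layout decides what
 * follows the buffer. Names and the hard-coded secret are assumptions. */
#include <stdio.h>
#include <string.h>

#define PASS_SIZE 16
#define SECRET    "hunter2"   /* constructed demo secret; never hard-code one for real */

struct login_state {
    char userPass[PASS_SIZE];  /* what the user typed */
    int  authenticated;        /* lives at userPass + 16 */
};

/* Copies like gets()/strcpy(): stops only at the NUL and never consults the
 * destination's size. noinline keeps the compiler from reasoning about dst. */
__attribute__((noinline))
static void unbounded_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* VULNERABLE: no length check. Returns the flag (nonzero = login accepted). */
int check_password_vulnerable(const char *input)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    unbounded_copy(st.userPass, input);   /* 17+ bytes spill into authenticated */
    if (strcmp(st.userPass, SECRET) == 0)
        st.authenticated = 1;
    return st.authenticated;
}

/* HARDENED: bounded copy, and truncation is treated as a failed login. */
int check_password_safe(const char *input)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    int n = snprintf(st.userPass, sizeof st.userPass, "%s", input);
    if (n < 0 || (size_t)n >= sizeof st.userPass)
        return 0;                         /* would not fit: reject, do not truncate */
    if (strcmp(st.userPass, SECRET) == 0)
        st.authenticated = 1;
    return st.authenticated;
}

/* Bounded line read in the spirit of fgets(userPass, 16, stdin).
 * Returns 1 if the whole line fit, 0 if it was truncated (the remainder is
 * drained so it cannot be read as the next answer), -1 on EOF or error. */
int read_password_line(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                         /* line ended exactly at the limit */
    while (c != EOF && c != '\n')         /* over-long line: discard the rest */
        c = fgetc(in);
    return 0;
}

int main(void)
{
    char attack[PASS_SIZE + 2];           /* constructed input: 17 'A's */
    memset(attack, 'A', PASS_SIZE + 1);
    attack[PASS_SIZE + 1] = '\0';

    printf("vulnerable, correct password : %d\n", check_password_vulnerable(SECRET));
    printf("vulnerable, 17 x 'A'         : %d\n", check_password_vulnerable(attack));
    printf("hardened,   17 x 'A'         : %d\n", check_password_safe(attack));
    return 0;
}
```

Sixteen “A”s only place the terminating null on the flag’s first byte, so the login still fails; seventeen put 0x41 there and the vulnerable check reports success without the password, which is the bypass described above. The hardened check refuses anything that does not fit rather than truncating it, and read_password_line drains the rest of an over-long line so the leftover bytes are not consumed as the answer to the next prompt.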

Conclusion

We have seen that C/C++ code is an area of exposure to memory flaws. Much of the software we rely on in our day-to-day internet activities is exposed to such risks. Even a minor slip in handling memory can cause a significant security issue with wide repercussions, allowing attackers to take over the machines of users who are simply browsing a trusted website. Memory in programming must be handled with care.

