In the previous two chapters of this series, we talked about how a hacker can conduct attacks with SQL injection and OS command injection. These software weaknesses are in the top two positions in the SANS Top 25. Now we move on to the programming flaw at No. 3: buffer overflow.

Buffer overflow is caused by improper memory management in C/C++ code. Memory flaws are a major source of zero-day issues and are extremely dangerous. In fact, the price of a memory flaw on the black market would be higher than the price of an SQL injection. It would climb even higher if the flaw is found in commonly used software such as Adobe Reader, Adobe Flash or web browsers.

In the first article of the series, I mentioned Pwn2Own, a contest held during the CanSecWest security conference. The payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox. Vupen, a company that specializes in selling zero-days to the highest bidder, found 11 of these issues for a prize of $400,000.

Many of the zero-days disclosed at Pwn2Own are memory flaws — for example, CVE-2012-1876, which is a buffer overflow in Internet Explorer, or CVE-2014-1303, a buffer overflow in Apple Safari.

How a Hacker Uses Memory Flaws in Cyber Espionage

These types of flaws are coveted by attackers for a simple reason: exploiting such a vulnerability gives the attacker complete control over the victim’s machine. The actor can change the instructions of the vulnerable application while the program is loaded in memory. As a result, the bad guys can download malware and pivot from the affected machine into an internal network.

Threatpost gave the example of an attack conducted by a Chinese espionage group. The attackers used a buffer overflow vulnerability in Flash Player.

The attack was planted in a widget on the Forbes website. When the victim visited Forbes, the vulnerable Adobe plugin downloaded and executed malicious code. The malware immediately started to collect information about the compromised computer and its network environment.


About the Programming Flaw

Let’s look at an example of a simple C program that validates a password.

The code does not perform any validation on the length of the user input and does not ensure that sufficient memory was allocated to store the data coming from the user.

The table below shows the memory representation for our vulnerable program, where \0 stands for the null character:

If the user enters more than 16 “A” characters as the verification password, the excess overwrites the information stored at address 0x0111.

You can see how, with a sufficient number of characters and the corresponding null characters, the attacker can eventually bypass the simple password verification in the example program.

Even worse, the attacker could overwrite the section in the memory that holds instructions, causing the execution of arbitrary code as shown in the simplistic representation below.

Protecting From Memory Attacks

Programming languages such as Java have long addressed the problem of memory management. If you must write C/C++ code, please keep the following best practices in mind:

  • Use safe functions. For example, fgets(…) allows you to limit the size of the input; fgets(userPass, 16, stdin) resolves the problem by reading at most 15 characters plus the terminating null into the 16-byte buffer. Other examples of such functions are strncpy, snprintf and strncmp.
  • Ensure that the size of the input matches the size of the allocated memory.
  • Avoid employing user input as format string arguments. This can lead to another memory flaw: format string injection.
  • Be careful both when allocating memory and when releasing memory. Use-after-free is another type of memory flaw, where the program keeps a reference to a memory location that has already been released. Data at that location can then be arbitrarily modified.
  • Use safe compiler flags. Such flags enable operating system defenses that make the execution of arbitrary code very difficult. For example, address space layout randomization (ASLR) is a protection mechanism that Windows provides.
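To make the first two recommendations concrete, here is an added example (not the article's own program) of the bounded password check built around the fgets(userPass, 16, stdin) call mentioned above. The expected password "s3cret" and the helper names are constructed for illustration; the fmemopen wrapper (POSIX) only exists so the check can be exercised on an in-memory string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define PASS_BUF 16  /* same 16-byte buffer as the article's example */

/* Read one line from `in` into buf[bufsz] with fgets, which writes at most
 * bufsz-1 characters plus the terminator. Returns 1 if the whole line fit,
 * 0 if it was longer than the buffer (the rest is drained so it cannot be
 * read as the next input), -1 on EOF with nothing read. */
static int read_line_bounded(FILE *in, char *buf, size_t bufsz) {
    if (fgets(buf, (int)bufsz, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';           /* strip the newline */
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF) return 1;          /* final line without newline: it fit */
    while (c != EOF && c != '\n')    /* overlong: discard the remainder */
        c = fgetc(in);
    return 0;
}

/* Bounded password check: overlong input is rejected instead of spilling
 * past userPass, so the data stored right after the buffer (the article's
 * 0x0111 slot) can never be overwritten. Returns 1 on match, else 0.
 * Note the fgets edge case: with a 16-byte buffer, a password may be at
 * most 14 characters when followed by a newline (15 only at end of input). */
int verify_password(FILE *in, const char *expected) {
    char userPass[PASS_BUF];
    if (read_line_bounded(in, userPass, sizeof userPass) != 1)
        return 0;
    return strcmp(userPass, expected) == 0;
}

/* Run the check on a constructed string via fmemopen (POSIX). */
int verify_password_str(const char *input, const char *expected) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return 0;
    int ok = verify_password(f, expected);
    fclose(f);
    return ok;
}

int main(void) {
    const char *expected = "s3cret";   /* constructed sample password */
    fputs(verify_password(stdin, expected) ? "granted\n" : "denied\n", stdout);
    return 0;
}
```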

Conclusion

We have seen that C/C++ code is an area of exposure to memory flaws. Much of the software we rely on in our day-to-day internet activities is exposed to such risks. Even a minor slip in handling memory can cause a significant security issue with wide repercussions, allowing bad guys to take over innocent users who are browsing a trusted website. Memory in programming must be handled with care.

