In the previous two chapters of this series, we talked about how a hacker can conduct attacks with SQL injection and OS command injection. These software weaknesses are in the top two positions in the SANS Top 25. Now we move on to the programming flaw at No. 3: buffer overflow.
Buffer overflow is caused by improper memory management in C/C++ code. Memory flaws are a major producer of zero-day issues and are extremely dangerous. In fact, the price of a memory flaw on the black market would be higher than the price of an SQL injection. It would climb even higher if the flaw is found in a commonly used software such as Adobe Reader, Adobe Flash or web browsers.
In the first article of the series, I mentioned Pwn2Own, a contest held during the CanSecWest security conference. The payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox. Vupen, a company that specializes in selling zero-days to the highest bidder, found 11 of these issues for a prize of $400,000.
How a Hacker Uses Memory Flaws in Cyber Espionage
These types of flaws are coveted by attackers for a simple reason: Using such a vulnerability gives the attacker complete control over the victim’s machine. The actor can change the instructions of the vulnerable application while the program is loaded in the memory. As a result, the bad guys can download malware and pivot from the affected machine into an internal network.
Threatpost gave the example of an attack conducted by a Chinese espionage group. The attackers used a buffer overflow vulnerability in Flash Player.
The attack was planted in a widget on the Forbes website. When the victim visited Forbes, the vulnerable Adobe Plugin downloaded and executed malicious code. The malware immediately started to collect information about the compromised computer and its network environment.
About the Programming Flaw
Let’s look at an example of a simple C program that validates a password.
The code does not perform any validation on the length of the user input and does not bother ensuring that sufficient memory was allocated to store the data coming from the user.
The table below shows the memory representation for our vulnerable program, where \0 stands for the null character:
If the user enters more than 16 “A” characters in the verification password, it will override the information stored at the 0x0111 address.
You can see how, with a sufficient amount of characters and the corresponding null characters, the attacker can eventually bypass the simple password verification in the example program.
Even worse, the attacker could overwrite the section in the memory that holds instructions, causing the execution of arbitrary code as shown in the simplistic representation below.
Protecting From Memory Attacks
Programming languages such as Java have long addressed the problem of memory management. If you must write C/C++ code please keep the following best practices in mind:
- Use safe functions. For example fgets (…) allows you to limit the size of the input; fgets (userPass, 16, stdin) resolves the problem. Other examples of such functions are strncpy, snprintf and strncmp.
- Ensure that the size of the input matches the size of the allocated memory.
- Avoid employing user input as format string arguments. This can lead to another memory flaw: format string injection.
- Be careful both when allocating memory and when releasing memory. Use-after-free is another type of memory flaw where the program keeps a reference to a location of the memory. Data at that location can be arbitrarily modified.
- Use safe compiler flags. Such flags enable operating system defenses that make the insertion of arbitrary commands very difficult. For example, address space layout randomization is a Windows protection mechanism.
We have seen that C/C++ code is an area of exposure to memory flaws. Much of the software we rely on in our day-to-day internet activities is exposed to such risks. Even a minor slip in handling memory can cause a significant security issue with wide repercussions, allowing bad guys to take over innocent users who are browsing a trusted website. Memory in programming must be handled with care.