In the previous two chapters of this series, we talked about how a hacker can conduct attacks with SQL injection and OS command injection. These software weaknesses are in the top two positions in the SANS Top 25. Now we move on to the programming flaw at No. 3: buffer overflow.

Buffer overflow is caused by improper memory management in C/C++ code. Memory flaws are a major producer of zero-day issues and are extremely dangerous. In fact, the price of a memory flaw on the black market would be higher than the price of an SQL injection. It would climb even higher if the flaw were found in commonly used software such as Adobe Reader, Adobe Flash or web browsers.

In the first article of the series, I mentioned Pwn2Own, a contest held during the CanSecWest security conference. The payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox. Vupen, a company that specializes in selling zero-days to the highest bidder, found 11 of these issues for a prize of $400,000.

Many of the zero-days disclosed at Pwn2Own are memory flaws. Examples include CVE-2012-1876, which is a buffer overflow in Internet Explorer, and CVE-2014-1303, a buffer overflow in Apple Safari.

How a Hacker Uses Memory Flaws in Cyber Espionage

These types of flaws are coveted by attackers for a simple reason: Using such a vulnerability gives the attacker complete control over the victim’s machine. The actor can change the instructions of the vulnerable application while the program is loaded in memory. As a result, the bad guys can download malware and pivot from the affected machine into an internal network.

Threatpost gave the example of an attack conducted by a Chinese espionage group. The attackers used a buffer overflow vulnerability in Flash Player.

The attack was planted in a widget on the Forbes website. When the victim visited Forbes, the vulnerable Adobe Plugin downloaded and executed malicious code. The malware immediately started to collect information about the compromised computer and its network environment.


About the Programming Flaw

Let’s look at an example of a simple C program that validates a password.

The code does not perform any validation on the length of the user input and does not bother ensuring that sufficient memory was allocated to store the data coming from the user.

The table below shows the memory representation for our vulnerable program, where \0 stands for the null character:

If the user enters more than 16 “A” characters in the verification password, the extra characters will overwrite the information stored at the 0x0111 address.

You can see how, with a sufficient number of characters and the corresponding null characters, the attacker can eventually bypass the simple password verification in the example program.

Even worse, the attacker could overwrite the section in the memory that holds instructions, causing the execution of arbitrary code as shown in the simplistic representation below.

Protecting From Memory Attacks

Programming languages such as Java have long addressed the problem of memory management. If you must write C/C++ code, please keep the following best practices in mind:

  • Use safe functions. For example, fgets(…) allows you to limit the size of the input; fgets(userPass, 16, stdin) resolves the problem. Other examples of such functions are strncpy, snprintf and strncmp.
  • Ensure that the size of the input matches the size of the allocated memory.
  • Avoid employing user input as format string arguments. This can lead to another memory flaw: format string injection.
  • Be careful both when allocating memory and when releasing memory. Use-after-free is another type of memory flaw, where the program keeps a reference to a memory location after it has been released. Data at that location can then be arbitrarily modified.
  • Use safe compiler flags. Such flags enable operating system defenses that make the insertion of arbitrary commands very difficult. For example, address space layout randomization is a Windows protection mechanism.
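
The first two practices above, shown as an added example (this is not the article's original program): a bounded password read built on fgets(userPass, 16, stdin) that rejects over-long input instead of silently truncating it. The names read_password, check_password and PASS_MAX, and the sample password in main, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PASS_MAX 16  /* buffer size, as in the article's fgets(userPass, 16, stdin) */

/* Read one line into buf (capacity size). Returns 0 on success, -1 on
 * EOF/error, -2 when the line does not fit (rejected, never truncated). */
int read_password(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;

    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {           /* whole line fit: strip the newline */
        buf[len] = '\0';
        return 0;
    }
    /* No newline was stored: the line either filled the buffer exactly or
     * was longer than it. Look at the next character to tell which. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;                     /* exactly size-1 characters: accepted */
    while (c != '\n' && c != EOF)     /* drain the excess so it is not */
        c = fgetc(in);                /* read back as the next line */
    buf[0] = '\0';
    return -2;
}

/* Returns 1 only when a line that fits the buffer equals expected.
 * An unbounded read into userPass (the flaw the article describes)
 * would write past the 16 bytes; here the write can never exceed them. */
int check_password(FILE *in, const char *expected)
{
    char userPass[PASS_MAX];
    if (read_password(in, userPass, sizeof userPass) != 0)
        return 0;
    return strcmp(userPass, expected) == 0;
}

int main(void)
{
    /* "secret" is a constructed sample value, not taken from the article. */
    puts(check_password(stdin, "secret") ? "Access granted" : "Access denied");
    return 0;
}
```

Note that strncpy, unlike fgets and snprintf, does not null-terminate the destination when the source fills it, so code that uses it must add the terminator itself.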

Conclusion

We have seen that C/C++ code is an area of exposure to memory flaws. Much of the software we rely on in our day-to-day internet activities is exposed to such risks. Even a minor slip in handling memory can cause a significant security issue with wide repercussions, allowing bad guys to take over innocent users who are browsing a trusted website. Memory in programming must be handled with care.
