Inside the Mind of a Hacker: Attacking the Memory

In the previous two chapters of this series, we talked about how a hacker can conduct attacks with SQL injection and OS command injection. These software weaknesses are in the top two positions in the SANS Top 25. Now we move on to the programming flaw at No. 3: buffer overflow.

Buffer overflow is caused by improper memory management in C/C++ code. Memory flaws are a major producer of zero-day issues and are extremely dangerous. In fact, the price of a memory flaw on the black market would be higher than the price of an SQL injection. It would climb even higher if the flaw is found in a commonly used software such as Adobe Reader, Adobe Flash or web browsers.

In the first article of the series, I mentioned Pwn2Own, a contest held during the CanSecWest security conference. The payouts topped $500,000 in 2014, with over a dozen new vulnerabilities found in Adobe Reader, Adobe Flash Player, Internet Explorer 11, Google Chrome and Mozilla Firefox. Vupen, a company that specializes in selling zero-days to the highest bidder, found 11 of these issues for a prize of $400,000.

Many the zero-days disclosed at Pwn2Own are memory flaws — for example, CVE-2012-1876, which is a buffer overflow in Internet Explorer, or CVE-2014-1303, a buffer overflow in Apple Safari.

How a Hacker Uses Memory Flaws in Cyber Espionage

These types of flaws are coveted by attackers for a simple reason: Using such a vulnerability gives the attacker complete control over the victim’s machine. The actor can change the instructions of the vulnerable application while the program is loaded in the memory. As a result, the bad guys can download malware and pivot from the affected machine into an internal network.

Threatpost gave the example of an attack conducted by a Chinese espionage group. The attackers used a buffer overflow vulnerability in Flash Player.

The attack was planted in a widget on the Forbes website. When the victim visited Forbes, the vulnerable Adobe Plugin downloaded and executed malicious code. The malware immediately started to collect information about the compromised computer and its network environment.

Watch the on-demand webinar: Uncover What’s Inside the Mind of a Hacker

About the Programming Flaw

Let’s look at an example of a simple C program that validates a password.

C code vulnerable to Buffer Overflow due to use of the 'gets' function

The code does not perform any validation on the length of the user input and does not bother ensuring that sufficient memory was allocated to store the data coming from the user.

The table below shows the memory representation for our vulnerable program, where \0 stands for the null character:

Table showing memory allocation for variables

If the user enters more than 16 “A” characters in the verification password, it will override the information stored at the 0x0111 address.

Representation of the program memory when buffer overflow is being employed.

You can see how, with a sufficient amount of characters and the corresponding null characters, the attacker can eventually bypass the simple password verification in the example program.

Even worse, the attacker could overwrite the section in the memory that holds instructions, causing the execution of arbitrary code as shown in the simplistic representation below.

Representation of program memory

Protecting From Memory Attacks

Programming languages such as Java have long addressed the problem of memory management. If you must write C/C++ code please keep the following best practices in mind:

  • Use safe functions. For example fgets (…) allows you to limit the size of the input; fgets (userPass, 16, stdin) resolves the problem. Other examples of such functions are strncpy, snprintf and strncmp.
  • Ensure that the size of the input matches the size of the allocated memory.
  • Avoid employing user input as format string arguments. This can lead to another memory flaw: format string injection.
  • Be careful both when allocating memory and when releasing memory. Use-after-free is another type of memory flaw where the program keeps a reference to a location of the memory. Data at that location can be arbitrarily modified.
  • Use safe compiler flags. Such flags enable operating system defenses that make the insertion of arbitrary commands very difficult. For example, address space layout randomization is a Windows protection mechanism.

Conclusion

We have seen that C/C++ code is an area of exposure to memory flaws. Much of the software we rely on in our day-to-day internet activities is exposed to such risks. Even a minor slip in handling memory can cause a significant security issue with wide repercussions, allowing bad guys to take over innocent users who are browsing a trusted website. Memory in programming must be handled with care.

Uncover What’s Inside the Mind of a Hacker – Watch the on-demand webinar

Share this Article:
Paul Ionescu

IBM X-Force Ethical Hacking Team Lead

Paul Ionescu leads the Security Engineering program for the IBM Security Systems division. He also manages a team of highly skilled security experts tasked with pen-testing IBM products: the IBM X-Force Ethical Hacking Team. Since he joined IBM in 2007 he worked in several areas of the Application Security business including support, technical sales, technical enablement and development. Before taking on his current role Paul was a senior developer for the AppScan line of products and contributed to key projects and research. Paul also holds an IBM Master Inventor title for his contribution to the IBM patent base.