bamed.org | chown -R bamed. ~/base

Buffer Overflows for Dummies (no code, just basics)

I’ve spent quite a bit of time this weekend trying to write my own buffer overflow, but I haven’t quite got it yet. I understand the principles behind it, but the devil is in the details. In case you didn’t know what a buffer overflow is, here’s a quick/simple and probably not 100% accurate description.

It all starts with a program that asks you for information. We’ll keep this simple, and I won’t use any code so I don’t lose those who aren’t code-monkeys. Let’s say there’s a program that asks you what your name is, then you type in your name, and then it saves whatever you typed into a file or a database, or it just outputs it back to the screen. Not a very useful program, but that’s what it does. When the program asks for your name it waits for your input, then it takes your input and stores it in the system’s memory until it goes to the next part of the program that does something with whatever you just typed in. This area in memory where it stores whatever you typed in until the next part of the program runs is called the buffer. (I know, over-simplified, but work with me here.)

As is always the case in programming, there are dozens of ways to do all this, and some things just don’t work as well as others. For example, if you use strcpy() you’ll get potential buffer overflows. What happens is the program sets the size of the buffer (where your input is stored in memory) before it receives your input. Then strcpy() doesn’t check to see if the input is bigger than the buffer, so if the input is bigger than the buffer it still copies all of the input, which results in the buffer being overflowed, and the next section in the system’s memory is overwritten. As an analogy (lots of holes in it, but it gets the basic idea across): you have an 8.5×11 sheet of paper and you start writing on it, but what you write takes up more space than the sheet, so you start writing on your desk. That’s a buffer overflow error.

The key to a buffer overflow exploit is to write over the right section of memory and to change what’s in that section to something more useful to you. I’ll try to explain this without any code. A program is broken up into smaller sections that perform specific tasks. The example above would have one section that asks for your name, another section that receives your name when you type it in, then another section which outputs your name back to the screen. When a program finishes running a section of the program it is then told where to return to so it knows what to do next. Another bad analogy: you’ve been given a piece of paper with instructions to go somewhere (“Turn left on Main, go 2.5 miles, turn right on 15th…”). When you finish with one section of the instructions you return to your instructions to see what the next section is. A buffer overflow exploit overwrites the section in memory that tells the program where to return to with a different location. So instead of returning to the directions on your piece of paper, you look at directions from another piece of paper, which ends up leading you to the wrong location. So then you just need to make certain you get the program to end up at a location that has something useful for you.

So how does this help? Some programs run with a higher level of access than the person running them. The program runs as the root (or admin) user even though someone with limited privileges started it. So if you can exploit this program with a buffer overflow, then you can run a command as root even though you don’t have root privileges. On a system you can log on to, you would spawn a shell, which would essentially log you in as the root user. On a remote system you might install some kind of backdoor that would let you access the system remotely.
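The strcpy() problem described above, shown in C as an added example (it is not from the post, which deliberately uses no code): the unchecked copy beside a version that measures the input against the buffer before copying. The 16-byte buffer size and the sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the program set aside before asking for a name.
 * Constructed value for this example; the post names no size. */
#define NAME_BUF 16

/* The pattern the post warns about: strcpy() copies until it finds the
 * terminating NUL in the input and never looks at how big buf is, so an
 * input of NAME_BUF or more characters writes past the end of buf into
 * whatever sits next in memory (the "writing on your desk" case). */
void store_name_unsafe(char buf[NAME_BUF], const char *input) {
    strcpy(buf, input);
}

/* Hardened version: measure the input without reading more than buf_size
 * bytes, and refuse anything that would not fit together with its NUL.
 * Rejecting is safer than silently truncating, because a truncated name
 * can hide the fact that someone sent oversized input.
 * Returns 0 when the name was stored, -1 when it was rejected. */
int store_name_checked(char *buf, size_t buf_size, const char *input) {
    size_t len = 0;
    while (len < buf_size && input[len] != '\0')
        len++;
    if (len >= buf_size) {        /* no room for the terminating NUL */
        if (buf_size > 0)
            buf[0] = '\0';        /* leave a well-formed empty string */
        return -1;
    }
    memcpy(buf, input, len + 1);  /* includes the NUL */
    return 0;
}

int main(void) {
    char name[NAME_BUF];
    /* Constructed inputs: one that fits, one that is far too long. */
    const char *short_name = "Alice";
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 chars */

    store_name_unsafe(name, short_name);   /* fine only because the input is short */
    printf("unsafe copy of short input: %s\n", name);

    printf("checked copy of short input -> %d (%s)\n",
           store_name_checked(name, sizeof name, short_name), name);
    printf("checked copy of long input  -> %d\n",
           store_name_checked(name, sizeof name, long_name));
    return 0;
}
```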

So, next time I say buffer overflow, you’ll know what I’m talking about.

As far as writing one goes, I’m still trying to pick up on some of the finer points. It seems to require a decent understanding of assembly, an area where I still have much to learn. But I’m close, I can feel it.

(Disclaimer) In case you’re wondering, I’m not planning on any criminal activity, but the ability to identify insecure programs and figure out how they’re exploited should help me keep my systems more secure, and it’s fun!
