| Name |
Overflow Buffers |
|
| Likelyhood of attack |
Typical severity |
| High |
Very High |
|
| Summary |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
| Prerequisites |
Targeted software performs buffer operations. Targeted software inadequately performs bounds-checking on buffer operations. Adversary has the capability to influence the input to buffer operations. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management. |
|
| 2 |
Experiment |
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. |
- Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
|
| 3 |
Experiment |
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing. |
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
|
| 4 |
Exploit |
[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer. |
|
|
| Solutions | Use a language or compiler that performs automatic bounds checking. Use secure functions not vulnerable to buffer overflow. If you have to use dangerous functions, make sure that you do boundary checking. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-129 |
Improper Validation of Array Index |
| CWE-131 |
Incorrect Calculation of Buffer Size |
| CWE-680 |
Integer Overflow to Buffer Overflow |
| CWE-805 |
Buffer Access with Incorrect Length Value |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-123 |
An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory. |
|
| Taxonomy: WASC |
|
Entry ID
|
Entry Name
|
| 07 |
Buffer Overflow |
|
| Taxonomy: OWASP Attacks |
|
Entry ID
|
Entry Name
|
| Link |
Buffer overflow attack |
|