Buffer overflow

Short bio

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

History

Buffer overflows date back to the 1970s. However, it wasn’t until the late 1980s that the first documented case of exploiting a buffer overflow had occurred, where the UNIX “finger” service was exploited with a stack overflow to further spread the Morris worm.

Today, buffer overflows still occur in software applications, and their exploitability can depend on several different factors, including compilers and/or compiler options used, along with the security features of the operating system.

Common infection method

In the simplest scenario using the stack, an overflow overwrites data on the stack to include the return pointer, having it point to an address where an attacker’s code will be executed.

Overflows are seen in exploits targeting web applications and are delivered on the web mostly through exploit kits.

However, overflow exploits can also be delivered in other ways that do not require any user interaction, including sending malformed data to the listening port on an enterprise server application.

Associated families

Common types of overflows are:

  • Stack overflow
  • Heap overflow
  • Integer overflow

Remediation

Application vendors with potential buffer overflow vulnerabilities in their software typically issue patches as a remedy.

However, in some cases a vendor is unaware of the overflow vulnerability affecting their software. Unfortunately, many times when this happens the vendor only learns of an overflow after it has been abused by malware authors and cybercriminals. For this reason, it is always important to use software from trusted vendors along with exploit protection software.

When an overflow vulnerability is documented but there is no patch from the software vendor, the best thing to do is disable or uninstall the software until the overflow vulnerability has been fixed with a patch from the vendor.

Aftermath

Most of the time, a buffer overflow raises a memory access violation, causing the application where the overflow occurred to crash.

Successful exploitation of an overflow by an attacker can allow arbitrary code execution which can lead to malware installation. If malware is installed, it will need to be removed using an antivirus or anti-malware program.

Avoidance

Having application developers use secure programming practices can greatly reduce the chance of exploitable overflows within software applications. However, this does not guarantee that an application may still not be vulnerable.

Using exploit protection software is a good idea when trying to protect against undocumented (zero-day) vulnerabilities.

Examples

In source code…

int main() { double x[1048576]; //stack variable is too large! return 0; }

In CVEs…

CVE-2015-5118 CVE-2014-0099

Screenshots

RELATED THREATS

MALWARE

Trojan dropper

Short bio Downloaders and droppers are helper programs for various types of malware such as Trojans and rootkits. Usually they are implemented...

CONTINUE READING
PUPs

Toolbars

Short bio Toolbars are software extensions that are visible in the GUI of the host program. In the case of PUPs,...

CONTINUE READING
EXPLOIT KITS

Sweet Orange

Short bio Sweet Orange is a type of exploit kit, or in other words, malicious code found on compromised websites with the...

CONTINUE READING
Scam

Social media bots

Short bio A bot, also known as a zombie, automatically performs a task or set of tasks usually under the command...

CONTINUE READING
Mobile

SMS Trojan

Short bio These Trojans use the SMS (text) messaging services of a mobile device to send and intercept messages. The user...

CONTINUE READING
Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams