Buffer overflow

Posted: June 9, 2016

Short bio

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

History

Buffer overflows date back to the 1970s. However, it wasn’t until the late 1980s that the first documented case of exploiting a buffer overflow had occurred, where the UNIX “finger” service was exploited with a stack overflow to further spread the Morris worm.

Today, buffer overflows still occur in software applications, and their exploitability can depend on several different factors, including compilers and/or compiler options used, along with the security features of the operating system.

Common infection method

In the simplest scenario using the stack, an overflow overwrites data on the stack to include the return pointer, having it point to an address where an attacker’s code will be executed.

Overflows are seen in exploits targeting web applications and are delivered on the web mostly through exploit kits.

However, overflow exploits can also be delivered in other ways that do not require any user interaction, including sending malformed data to the listening port on an enterprise server application.

Associated families

Common types of overflows are:

  • Stack overflow
  • Heap overflow
  • Integer overflow

Remediation

Application vendors with potential buffer overflow vulnerabilities in their software typically issue patches as a remedy.

However, in some cases a vendor is unaware of the overflow vulnerability affecting their software. Unfortunately, many times when this happens the vendor only learns of an overflow after it has been abused by malware authors and cybercriminals. For this reason, it is always important to use software from trusted vendors along with exploit protection software.

When an overflow vulnerability is documented but there is no patch from the software vendor, the best thing to do is disable or uninstall the software until the overflow vulnerability has been fixed with a patch from the vendor.

Aftermath

Most of the time, a buffer overflow raises a memory access violation, causing the application where the overflow occurred to crash.

Successful exploitation of an overflow by an attacker can allow arbitrary code execution which can lead to malware installation. If malware is installed, it will need to be removed using an antivirus or anti-malware program.

Avoidance

Having application developers use secure programming practices can greatly reduce the chance of exploitable overflows within software applications. However, this does not guarantee that an application may still not be vulnerable.

Using exploit protection software is a good idea when trying to protect against undocumented (zero-day) vulnerabilities.

Examples

In source code…

int main()
{
double x[1048576]; //stack variable is too large!
return 0;
}

In CVEs…

CVE-2015-5118
CVE-2014-0099

Screenshots

Cybersecurity info you can’t do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language