Buffer overflow Vulnerabilities, Exploits & Attacks

 

Buffer overflow attack - ManageEngine Vulnerability Manager Plus

What is buffer overflow?

The programs that make up all applications consists of buffers. Buffers are temporary spaces that are allocated in the memory to hold data, until they are moved to other parts of the program. The bytes of data that a buffer can contain will be specified initially during the development of the code. Due to the absence of any kinds of bounds checking mechanism, if the size of the input entered surpasses the size allocated to that buffer, it overflows, hence overwriting the data stored in adjacent buffers or in the program itself. This is called as a buffer overflow and this vulnerability acts as an easy target to attackers on the hunt for an exploit.

Why is buffer overflow a vulnerability?

The excess data fed to the program during a buffer overflow exploit, might even be a malicious piece of code meant to take complete control of the OS, damage files or steal data, making it a vulnerability that comes with heavy repercussions. Even if attackers can't gain access to the full operating system, they might very well stop programs from running or worse, cause Denial of Service.

Amongst the different types of vulnerabilities that exist, buffer overflow vulnerabilities are one of earliest ones to be exploited. Even though modern programming languages come in-built with various techniques to evade such attacks, security trends reveal that the last 5 years show a sudden spike in the number of such vulnerabilities. This points to the obvious fact that as applications tighten security by reducing the vulnerabilities they contain, attackers reciprocate by coming up with newer methods to carry out an exploit. Hence, as an enterprise you can't just rely on your vendors to render you with secure and flawless software, it is essential that you have a proper vulnerability assessment and management solution installed in the first place. Vulnerability Manager Plus does a comprehensive job at this by not just identifying such vulnerabilities, but also effectively presenting you with the means that are needed to address or mitigate them.

What are the types of buffer overflows?

  • Stack-based buffer overflow:

    Stack is the space in the memory that is used to store user input. Stack-based buffer overflow attacks are those that occur due to the leveraging of these memory spaces. Most of the attacks that take place are stack-based. In fact, the first ever buffer-overflow exploit that occurred in 1986 also belonged to this type. The Morris worm attack" popularly considered as Internets first major security attack, is a testimony to the impact that these attacks can have over the IT world. 
  • Heap-based buffer overflow:

    These exploits are very difficult to accomplish and hence occur less commonly when compared to stack-based buffer overflow exploits. The memory space saved for the actual program is considered as the heap, and is attacked in a heap-based exploit. 

Buffer Overflow examples:

Let us take a look at a few simple scenarios where such a vulnerability has been exploited.

  • Consider a program written to grant the user access to a system. The user will be asked to input the password, and if the password is right, he will be granted access to the system. Now let us assume that the user inputs a bogus password of a greater length, than which the buffer can hold. A buffer overflow occurs in this scenario. Even though the password entered is incorrect, the program will still end up giving the user access to the system, as the adjacent memory which holds the checking condition for the password will get overwritten by the excess data given during the password entry.
  • Such attacks can also be done with the motive of modifying the return address. These exploits can be used to corrupt the memory and divert the normal flow of execution of a program. It can be achieved by overwriting the memory location holding the return address with the excess data used to accomplish the buffer overflow. An attacker can hence control how the code execution pans out by including arbitrary code in the newly added return address.
  • Flooding the input with data majorly exceeding the allotted buffer space can also cause the system to crash and can be used for facilitating DDOS attacks. 

How to prevent buffer overflow attacks?

With the seriousness of such attacks now brought to light, let us understand how to prevent them. Vulnerability Manager Plus can be used as a pro-active tool in such scenarios, as they are efficiently packed with multiple ways to handle the same issue.

  • Address space layout randomization (ASLR).

    Even though buffer overflows usually occur in older programming languages like C and C++ due to the lack of bounds checking, more advanced languages can still fall prey to such exploits. They still continue to occur, because of how easy it is for the attackers to guess the position of processes and functions in the memory. ASLR can essentially solve this by randomizing the address spaces that might be potential targets to such attacks. When a buffer overflow exploit is attempted, an incorrect address space location will be called for due to the attackers lack of knowledge about the randomization. This will cause crashing of the target application hence stopping the attack and alerting the system. ASLR usually comes automatically enabled in all recent version of Windows, however there exists exceptions. They might be just exceptions, but they will definitely cost your enterprise a hefty sum. But don't let it bother you, Vulnerability Manager Plus has got you covered. Using this unique vulnerability scanning and managing tool you will be given 100% visibility of such security misconfigurations along with additional options to enable ASLR immediately. 
  • Data Execution Prevention (DEP).

    Data Execution Prevention prevents certain sectors of the memory from being executed. Using DEP, the person writing the code can choose not to execute the stack or even other unnecessary parts of the program. This means that an attacker will not be able to use a buffer overflow attack to add arbitrary code onto the stack and expect it to run successfully. Like ASLR, DEP also comes automatically enabled in all recent versions of Windows. But with a ton of configurations for the admin to manage, the chances of it being accidentally disabled are plenty. Vulnerability Manager Plus does an exuberant job by immediately identifying, reporting and remediates such mishaps. 
  • Structured Exception Handler Overwrite Protection (SEHOP).

    Structured exception handling (SEH) is an exception handling mechanism used to handle errors and exceptions that arise during the normal execution of an application's code. This exception handler can be manipulated and overwritten by buffer overflows, as they are usually present in the stack, hence causing SEH exploits and forcing the applications to shut down. Structured Exception Handling Overwrite Protection (SEHOP)  is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Vulnerability Manager Plus does a robust job at scanning all your enterprises endpoints to ensure SEHOP is enabled hence protecting you from a ton of such exploits.
  • Patch Buffer Overflow Vulnerabilities.

    In the off chance that such a vulnerability has entered your network despite all your management efforts, Vulnerability Manager Plus will have your back. You can gain complete visibility of all the vulnerabilities that exist in your network, along with detailed information of what caused the vulnerability. This comprehensive vulnerability assessment and management solution goes one step forward by not only identifying vulnerabilities like buffer overflows but also presenting the ways to remediate them in the form of patches. You can effortlessly deploy patches for all the discovered vulnerabilities instantly right from the Vulnerability Manager Plus console.

As dangerous as these buffer overflow exploits can get, they can easily be prevented with a vulnerability scanning and remediating solution in place. Hurry! Download Vulnerability Manager Plus now and explore its variety of functionalities free for a trial period of 30 days!