Buffer Overflow Attack

What is a buffer overflow attack?

A buffer overflow is a vulnerability in memory handling that attackers can exploit. It occurs when more data is copied into a buffer (a memory area) than the buffer can hold.

The most relevant variants today are stack buffer overflows and heap buffer overflows. The stack and the heap are regions of RAM that the operating system makes available to the running program.

When does a buffer overflow attack occur?

A buffer overflow occurs when data is copied with functions that do not check the length themselves, or when a programmer uses such a function and omits the length check. A buffer overflow attack is therefore not a piece of malware in itself but the exploitation of a vulnerability.

If such a function writes more data into a buffer than it can hold and nothing checks the length, the buffer overflows. Memory areas that are reserved for other purposes and do not belong to this buffer are then overwritten.

In the best case the program or system merely crashes. If the input is carefully chosen, the attacker can in the worst case take control of the program flow and execute code of their choice. This works by writing shellcode (code that results in shell access) into the buffer and overwriting the memory area that holds the return address. If the return address is replaced with the address of the shellcode, the function returns into the shellcode and it is executed.


Vulnerabilities such as buffer overflows do not have to be exploited by those who discover them. Anyone who finds a vulnerability in a program can report it to the manufacturer, who then has the opportunity to fix it with an update.

In our post about zero-day exploits you can read how we at ProSec proceed when we encounter such a vulnerability.

Buffer Overflow Countermeasures

One effective countermeasure against buffer overflows is DEP (Data Execution Prevention), which marks memory areas as non-executable and can thereby prevent shellcode placed in them from being executed.

ASLR (Address Space Layout Randomization) is a technique that randomly changes the addresses at which functions are located in memory. This makes targeted manipulation of return addresses more difficult.

A third countermeasure is stack smashing protection. Its measures include storing the return address outside the stack and generating a control value (canary) from the return address. These measures make manipulation of the return address noticeable.
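As an added illustration (not code from the original post) of the unchecked copy described under "When does a buffer overflow attack occur?" and of the canary check performed by stack smashing protection, the following C program emulates a stack frame inside a plain byte array so that every write stays within one object; the canary bytes and the saved "return address" are constructed values.

```c
#include <stdint.h>
#include <string.h>

/* Emulated stack frame: buffer, then canary, then saved return address.
 * The layout lives in one byte array so that every write stays inside a
 * single object and the demonstration remains well-defined C. */
#define BUF_SIZE 16
#define CANARY_SIZE 8
#define FRAME_SIZE (BUF_SIZE + CANARY_SIZE + sizeof(uint64_t))

enum { COPY_OK = 0, OVERFLOW_DETECTED = 1, INPUT_REJECTED = 2 };

/* Constructed canary value; a real one is random per process. */
static const unsigned char CANARY[CANARY_SIZE] = {
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x0a, 0xff, 0x17
};

/* Vulnerable pattern: copies 'len' bytes without checking it against
 * BUF_SIZE, so a long input overwrites the canary and the return address.
 * Before "returning", the canary is compared with its original value, the
 * way stack smashing protection does. The value found in the return-address
 * slot is written to *ret_out so the caller can see what the overflow did. */
static int unchecked_copy(const unsigned char *input, size_t len,
                          uint64_t *ret_out)
{
    unsigned char frame[FRAME_SIZE];
    unsigned char *buf = frame;
    unsigned char *canary = frame + BUF_SIZE;
    unsigned char *ret = frame + BUF_SIZE + CANARY_SIZE;
    uint64_t saved_ret = 0x401000; /* constructed "return address" */

    memcpy(canary, CANARY, CANARY_SIZE);
    memcpy(ret, &saved_ret, sizeof saved_ret);
    if (len > FRAME_SIZE) len = FRAME_SIZE; /* keeps the emulation in bounds */
    memcpy(buf, input, len);                /* the missing check against BUF_SIZE */

    memcpy(ret_out, ret, sizeof *ret_out);
    return memcmp(canary, CANARY, CANARY_SIZE) == 0 ? COPY_OK
                                                    : OVERFLOW_DETECTED;
}

/* Hardened form: the length is checked before anything is copied. */
static int checked_copy(const unsigned char *input, size_t len)
{
    unsigned char buf[BUF_SIZE];
    if (len > sizeof buf)
        return INPUT_REJECTED;
    memcpy(buf, input, len);
    return COPY_OK;
}
```

With a 32-byte input of 'A' characters the canary check fails and the return-address slot reads 0x4141414141414141, which is exactly the condition a real canary turns into an abort instead of a return.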

The criticality of buffer overflow

If a buffer overflow vulnerability is successfully exploited, the attacker acts with the rights that the program or service holds on the system. The prerequisite for this is role-based rights management: if an attacker takes over a web or mail server, for example, they only obtain the limited rights of that service.

The situation is different with system services. With the SMB vulnerability EternalBlue, after successful exploitation the attacker acts as “NT-Authority\System” (the account with the highest rights on a local Windows system).

If exploitation is not successful, the program or system usually crashes, resulting in a “denial of service”.

[Image: buffer overflow attack]
Source: https://www.acunetix.com/blog/web-security-zone/what-is-buffer-overflow/

What is a format string attack?

Format string attacks, or format string vulnerabilities, belong to the class of programming errors caused by missing “user input validation” on the developer's side. A commonly used function in the C programming language is printf(), “print formatted”, from the string-handling family. It outputs a string and, if desired, also values passed to it (e.g. inputs) in a requested formatting; the format string is an instruction for how the output string is to be assembled.

Format string attack

Inputs and values are also stored on the stack. If a programmer does not specify a format (e.g. %s or %d), it is not precisely defined which data type is expected (input validation). There is then a risk that the input is interpreted by the system as instructions rather than as data.

If an attacker can partially or completely determine the contents of the format string, they can trigger a buffer overflow.

If the printf function is handed format specifications supplied by an attacker, it looks for a value for each specification it receives and outputs it in the requested form, taking those values from its stack.

Depending on the application and context, these can be return addresses, values of variables, pointers, function parameters or even information provided by other users.

C is often shown in examples of format string attacks, but one should not fall for the fallacy that such attacks are limited to this programming language. Python is also susceptible, and it is not without reason that the WSTG (Web Security Testing Guide) includes the subcategory “Testing for Format String Injection” in its “Input Validation Testing” module; after all, many backend applications such as web servers are also written in C or C++.

Countermeasures for format string attacks

As already mentioned above under “Countermeasures for Buffer Overflow”, ASLR also helps against format string attacks.

However, the best and most effective countermeasure is for developers to introduce input validation: limiting the permitted length, banning certain characters, specifying the format themselves and sanitizing external input before passing it on to the application. A clean and security-conscious programming standard as well as source code review by specialists are also crucial.
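The following C program is an added example (not code from the original post) of the countermeasures just listed for printf-style functions: it contrasts the vulnerable call with a fixed-format call, counts the directives an input would introduce so it can be rejected, and escapes percent signs for text that must later become part of a format. The input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern from the text, kept as a comment so the file also
 * compiles cleanly under -Werror=format-security:
 *     printf(msg);   // user-controlled 'msg' becomes the format string   */

/* Hardened: fixed format literal, user data is only ever an argument. */
int log_safe(char *out, size_t out_len, const char *msg)
{
    return snprintf(out, out_len, "[user] %s", msg);
}

/* Input validation: number of directives the input would introduce if it
 * reached a format string. "%%" is a literal percent and does not count. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Sanitizer for text that must later become part of a format (e.g. a
 * logging template): doubles every '%'. Returns the length written,
 * or -1 if 'out' cannot hold the result plus its terminator. */
int escape_percent(const char *in, char *out, size_t out_len)
{
    size_t w = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (w + need >= out_len) return -1;
        out[w++] = *in;
        if (*in == '%') out[w++] = '%';
    }
    out[w] = '\0';
    return (int)w;
}

int main(void)
{
    char out[64];
    const char *user = "100%x";   /* constructed attacker-style input */
    printf("directives in input: %d\n", count_directives(user));
    log_safe(out, sizeof out, user);
    puts(out);                    /* prints "[user] 100%x" verbatim */
    return 0;
}
```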

Criticality of format string attacks

Exploiting this vulnerability could allow an attacker to read portions of the stack, execute code, or cause a segmentation fault (memory access violation) in the running application.