Buffer overflow - Wikipedia, the free encyclopedia
Constructing functional buffer overflow exploits in Windows typically requires knowledge of the precise location of various machine language opcodes in the compromised software or included DLLs, because the location of the stack cannot be reliably predicted.
In computer security and programming, a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store more data in a buffer than there is memory allocated for it.
Buffer overflows are thus avoided by maintaining a high degree of correctness in code which performs buffer management.
http://en.wikipedia.org/wiki/Buffer_overrun
(2065 words)

What is a buffer overflow attack?
Buffer overflow attacks involve sending overly long input streams to the attacked server, causing the server to overflow parts of the memory and either crash the system or execute the attacker's arbitrary code as if it was part of the server's code.
If the programmer allocates a buffer of a specific size and the attacker provides an input longer than the defined size, the input would most probably overflow the buffer and override other parts of the stack, including the function's return address that resides on the stack.
Buffer overflow attacks are prevented by enforcing boundary checking on input received from users.
http://www.imperva.com/application_defense_center/glossary/buffer_overflow.html
(809 words)

Hello World - Attack Class: Buffer Overflows
Buffer overflow vulnerabilities therefore represent a class of security problem of great importance to computer users, whether they be programmers, system administrators or users.
Buffer overflows in suid programs are generally classed as local vulnerabilities - that is, in order to exploit them, an attacker must have interactive login access to the target machine.
The l0pht has issued a number of advisories about buffer overflows in Windows software and has in some cases provided exploit code.
http://www.cosc.brocku.ca/~cspress/HelloWorld/1999/04-apr/attack_class.html
(4593 words)

BufferOverflow / Internet Security Lectures by Prabhaker Mateti
Further imagine that the original value was provided by an untrusted user, and that the copying is part of a process to pass a resulting computation to a function.
Exceeding array bounds is referred to in security circles as "buffer overflow." These are by far the most common security problems in software.
This general approach is recommended by the GNU programming guidelines, since it permits programs to handle arbitrarily-sized inputs (until they run out of memory).
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/BufferOverflow
(2833 words)

Infosecwriters.com
Buffer overflows are the result of stuffing more data into a program's buffer or input device than is defined/allowed for in the program.
Commonly buffer overflows are exploited to change the flow in a program's execution, so that it points to a different memory address or overwrites crucial memory segments.
A starting point for this tutorial requires the readers to have a simple understanding of the C programming language, the way the stack and memory are organised, and asm knowledge is helpful though not essential.
http://www.infosecwriters.com/texts.php?op=display&id=134
(2620 words)

Secure programmer: Countering buffer overflows
The buffer need not be on the stack at all -- it could be dynamically allocated memory in the heap (also called the "malloc" or "new" area), or in some statically located memory (such as "global" and "static" memory).
An attacker may be able to exploit a buffer overflow by changing the value of other data in the function; none of these approaches counter that.
This strengthens the protection of ssp; this means a buffer overflow can't modify a pointer value (otherwise an attacker who can control a pointer can control where the program saves data using the pointer).
http://www-106.ibm.com/developerworks/linux/library/l-sp4.html
(6107 words)

Buffer Overflow Attacks and Their Countermeasures Linux Journal
Buffer overflow attacks are possible in the Windows environment also.
The advantage of a dynamic string library is that the problem of buffer management for strings (and/or other kinds of memory buffers) is completely solved for you.
You check before you copy: if the source string is too long, it's either a programming error, in which case there should be an assert(), or the user needs to be notified that she exceeded hard-coded limits (or the code needs to be fixed so that it doesn't have a hard-coded limit).
http://www.linuxjournal.com/article.php?sid=6701
(4585 words)

Analysis of Buffer Overflow Attacks
In fact, due to the nature of buffer overflow flaws associated with the possibility that the attacker can execute arbitrary code, it is possible to develop a range of different activities constrained only by available space (although this problem can also be circumvented) and access privileges.
Since operating systems use different system function calls, an individual approach is needed, depending on the OS environment under which the code must run and the goal it is being aimed at.
If, in addition, these functions operate on a local buffer and there is the possibility to redirect the process execution flow to anywhere we want, we will be successful in accomplishing an attack.
http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
(4247 words)

AMD chips include buffer overflow protection - Computerworld
Otherwise, if the overflow exception was caused by a malicious attack, rather than a programming error, the new code can open the way for the attacker to place software programs known as "trojans" inside the PC, giving that attacker control of the PC, Crank said.
Older microprocessors such as the venerable Alpha chip used a form of this technology, but it was designed to protect more specific hardware exploits rather than the general buffer overflow technique used against today's PCs and servers, Crank said.
AMD's technology is new, as far as the x86 chip world is concerned, said Dean McCarron, principal analyst with Mercury Research Inc. in Cave Creek, Ariz. The x86 instruction set runs most of Intel Corp.'s and AMD's processors.
http://www.computerworld.com/printthis/2004/0,4814,89091,00.html
(595 words)

Introduction: Buffer Overflow Vulnerabilities - The Community's Center for Security
As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002) One technique entails forcing the computer to use the stack and the heap for data only and never to execute any instructions found there.
In order to make sense of how a buffer is overflowed, one must understand what a buffer is. A program contains code that accesses variables stored in various locations in memory.
This approach can work for UNIX systems, but it can't be used on Windows systems.
http://www.linuxsecurity.com/content/view/118881
(1161 words)

Cisco Security Advisory: Buffer Overflow in UNIX VPN Client
The problem has been resolved by adding better tests for buffer overflows and by removing unnecessary setuid permissions on executable files in the software package as provided.
In lieu of installing fixed software, the vulnerability can be mitigated by removing the setuid permissions on the vpnclient binary executable file as shown below.
Note that the cvpnd daemon, another one of the binary executable files in the software package, retains setuid permissions to preserve its ability to change the configuration of the network interface.
http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml
(1188 words)

[No title]
And, "stack-based" buffer overflows occur here, we stuff more data than a data structure, say an array, can hold, we exceed the boundaries of the array overriding many important data.
Within the function, without bounds checking we copied the whole large_one to the foo, overflowing all the way foo and some other data.
EBP-20 As you can guess, when we load more than 8 bytes to foo1 and more than 12 bytes for foo2, we will have overflowed their space.
http://www.enderunix.org/docs/eng/bof-eng.txt
(2026 words)

[No title]
So our 5 byte buffer is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer is going to take 12 bytes (3 words) of memory.
Some basic definitions before we begin: A buffer is simply a contiguous block of computer memory that holds multiple instances of the same data type.
As such any null bytes in our shellcode will be considered the end of the string, and the copy will be terminated.
http://www.phrack.org/phrack/49/P49-14
(2759 words)

Glossary of Network Security Terms WatchGuard Technologies, Inc.
If the programmer did not write his program to discard extra input (e.g., if instead of a phone number, someone submitted one thousand characters), the input can overflow the amount of memory allocated for it, and break into the portion of memory where code is executed.
A skillful hacker can exploit this flaw to make someone's computer execute the hacker's code.
The program allows some virtual memory for accepting the expected input.
http://www.watchguard.com/glossary/b.asp
(677 words)

Buffer overflow
If the program being attacked is running in privileged mode (as root in Unix or Administrator on Windows NT or 2000), the attack code inherits those privileges and has full rights to the system.
But if the programmer didn't perform error checking on the input string because he assumed that the user would know what to enter, a hacker could input thousands of bytes worth of data to achieve the overflow condition.
Today, however, hackers attempt to exploit them to either crash a target machine or to run malicious code on it, for example, worms.
http://www.networkworld.com/details/746.html
(901 words)

MFSA 2005-30: GIF heap overflow parsing Netscape extension 2
A GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.
Title: GIF heap overflow parsing Netscape extension 2
http://www.mozilla.org/security/announce/mfsa2005-30.html
(141 words)

What is buffer overflow? - A Word Definition From the Webopedia Computer Dictionary
Malicious hackers can launch buffer overflow attacks wherein data with instructions to corrupt a system are purposely written into a file in full knowledge that the data will overflow a buffer and release the instructions into the computer's instructions.
The condition wherein the data transferred to a buffer exceeds the storage capacity of the buffer and some of the data "overflows" into another buffer, one that the data was not intended to go into.
http://www.webopedia.com/TERM/b/buffer_overflow.html
(159 words)

Adobe Reader buffer overflow - Gentoo - Xatrix Security
An attacker may create a specially-crafted PDF file, enticing a user to open it.
This could trigger a buffer overflow as the file is being loaded, resulting in the execution of arbitrary code.
http://www.xatrix.org/advisory.php?s=6746
(207 words)

buffer overflow
Just like the Y2K problem occurred because of the common coding mistake of using 2-digits, the buffer overflow bug is caused by a typical mistake of not double-checking input, and allowing large input (like a login name of a thousand characters) "overflow" into some other region of memory, causing a crash or a break-in.
This is an excellent article that thoroughly explains the problem, but requires some programming expertise in order to understand it.
The buffer overflow attack is one of the most common on the Internet.
http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/buffer_overflow
(110 words)

CVE-2004-0940 (under review)
Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.
Therefore, this candidate may be modified or even rejected in the future.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
(127 words)

Microsoft Security Bulletin MS03-037
Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems.
This is a buffer overrun vulnerability that could allow an attacker to run arbitrary code of their choice on a user's machine in the security context of that user, if the user were to open a specially malformed document.
A buffer overrun exists which if exploited successfully could allow an attacker to execute code of their choice in the context of the logged on user.
http://www.microsoft.com/technet/security/bulletin/MS03-037.mspx
(2016 words)

Dictionary.com/buffer overflow
The Free On-line Dictionary of Computing, © 1993-2005 Denis Howe
time, a short line buffer can result in lossage as input
line buffer can result in lossage as input from a long line
http://dictionary.reference.com/search?q=buffer%20overflow
(279 words)

Secunia - Advisories - Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability
A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is caused due to an unspecified boundary error in the core application plug-in and can be exploited to cause a buffer overflow when a specially crafted file is opened.
http://secunia.com/advisories/16466
(377 words)

Koffice heap buffer overflow - Mandrake - Xatrix Security
An attacker could provide a specially crafted RTF file, which when opened in KWord can cause execution of arbitrary code.
Chris Evans reported a heap based buffer overflow in the RTF importer of KWord.
http://www.xatrix.org/advisory.php?s=7085
(151 words)

Gentoo Linux Documentation -- zlib: Buffer overflow
An attacker could construct a malformed data stream, embedding it within network communication or an application file format, potentially resulting in the execution of arbitrary code when decoded by the application using the zlib library.
A buffer overflow has been discovered in zlib, potentially resulting in the execution of arbitrary code.
A bounds checking operation failed to take invalid data into account, allowing a specifically malformed deflate data stream to overrun a buffer.
http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml
(134 words)

VuXML: acroread -- buffer overflow
If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe Reader.
The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader.
A buffer overflow can cause the application to crash and increase the risk of malicious code execution.
http://www.vuxml.org/openbsd/5c518cb6-1159-11da-a4ba-000b5d77b0f5.html
(94 words)

Mozilla Firefox Link Buffer Overflow Allows Arbitrary Code Execution - MozillaZine Talkback
The security vulnerability is caused by a bug in the way long links with dashes are handled and is reported to allow an attacker to execute arbitrary code on a victim's system.
1) we're not going to post a working exploit in public 2) in this case we don't have a working exploit to give anyone, just proof of a buffer overrun 3) details on how to exploit a heap buffer overrun in general are available on many hacker sites.
The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but it sets encHost to an empty string.
http://www.mozillazine.org/talkback.html?article=7307
(3212 words)

LWN: A new Firefox buffer overflow
But even before that, it was not hard to write portability layers to hide such problems, and opportunities for buffer overflows, leaks, and heap corruption are greatly reduced if standard STL classes (such as std::vector) are used instead of fixed-length buffers or arrays allocated by malloc or new.
Technical Details: The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but it sets encHost to an empty string.
The C++ standard has been official for 7 years now, and the problems described in your quote are largely a thing of the past.
http://lwn.net/Articles/150999
(2033 words)