Dark Mode

Settings

Capec-100 Detail

Overflow Buffers

Standard Software Likelihood: High Typical Severity: Very High

Parents: 123

Children: 8 9 10 14 24 42 44 45 46 47 67 256

Threats: T62

Description

Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

Not present

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

    2. Techniques
    Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.

  2. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

    3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

  1. Targeted software performs buffer operations.
  2. Targeted software inadequately performs bounds-checking on buffer operations.
  3. Adversary has the capability to influence the input to buffer operations.
  1. None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.
Low High
In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.
In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel.
Integrity Availability Authorization Access Control Confidentiality
Execute Unauthorized Commands (Run Arbitrary Code) Unreliable Execution Gain Privileges Gain Privileges Execute Unauthorized Commands (Run Arbitrary Code)
Execute Unauthorized Commands (Run Arbitrary Code) Gain Privileges
  1. The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.
  2. Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process.

We use cookies to ensure you get the best experience on our website.