Dark Mode
Capec-8 Detail
Buffer Overflow in an API Call
Detailed Software Likelihood: High Typical Severity: High
Parents: 100
Threats: T62
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-8 | capec | https://capec.mitre.org/data/definitions/8.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-119 | cwe | http://cwe.mitre.org/data/definitions/119.html | |
| CWE-118 | cwe | http://cwe.mitre.org/data/definitions/118.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-680 | cwe | http://cwe.mitre.org/data/definitions/680.html | |
| CWE-733 | cwe | http://cwe.mitre.org/data/definitions/733.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-1 | reference_from_CAPEC | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley |
Explore
-
Identify target application: The adversary, with knowledge of vulnerable libraries or shared code modules, identifies a target application or program that makes use of these.
Experiment
-
Find injection vector: The adversary attempts to use the API, and if they can they send a large amount of data to see if the buffer overflow attack really does work.
-
Craft overflow content: The adversary crafts the content to be injected based on their knowledge of the vulnerability and their desired outcome. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
| Techniques |
|---|
| Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible. |
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: Using the API as the injection vector, the adversary injects the crafted overflow content into the buffer.
- The target host exposes an API to the user.
- One or more API functions exposed by the target host has a buffer overflow vulnerability.
Not present
| Low | High |
|---|---|
| An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. | |
| Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. |
| Integrity | Availability | Confidentiality |
|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Unreliable Execution | Execute Unauthorized Commands (Run Arbitrary Code) |
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Read Data |
- Attack Example: Libc in FreeBSD A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.
- Xtlib A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.