Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
Description
Attack Execution Flow
4
1
Step 1
Explore[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
AI Translation
[Identifica applicazione target] L'avversario individua un'applicazione o un programma target su cui eseguire il buffer overflow. Gli avversari cercano spesso applicazioni che accettano input dall'utente e che gestiscono manualmente la memoria.
2
Step 2
Experiment[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
AI Translation
[Trova vettore di injection] L'attaccante identifica un vettore di injection per consegnare il contenuto eccessivo nel buffer dell'applicazione target.
Fornisci un input di grandi dimensioni a un programma o applicazione e osserva il comportamento. Se si verifica un crash, ciò significa che è possibile un attacco di buffer overflow.
Attack Techniques
-
Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
3
Step 3
Experiment[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily 'slide' into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
AI Translation
[Contenuto di overflow artificiale] L'adversary crea il contenuto da iniettare. Se l'intento è semplicemente causare il crash del software, il contenuto deve consistere solo in una quantità eccessiva di dati casuali. Se l'intento è sfruttare l'overflow per l'esecuzione di codice arbitrario, l'adversary crea il payload in modo che l'indirizzo di ritorno sovrascritto venga sostituito con uno scelto dall'adversary.
Creare shellcode malevolo che verrà eseguito quando l'esecuzione del programma viene restituita a esso.
Utilizzare un NOP-sled nel contenuto di overflow per facilitare il "rimbalzo" nel codice malevolo. Questo viene fatto in modo che l'indirizzo di ritorno esatto non debba essere corretto, ma solo essere nel range di tutti i NOPs.
Attack Techniques
-
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
-
Create malicious shellcode that will execute when the program execution is returned to it.IT: Utilizzare una NOP-sled nel contenuto dell'overflow per facilitare il "scivolamento" nel codice malevolo. Questo viene fatto in modo che l'indirizzo di ritorno esatto non sia necessario, basta che rientri nell'intervallo di tutte le NOPs.
4
Step 4
Exploit[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer.
AI Translation
[Overflow del buffer] Utilizzando il vettore di injection, l'attore malevolo inserisce il contenuto di overflow appositamente creato nel buffer.
Mitigations
6
Compiler-Based Canary Mechanisms Such As Stackguard, Propolice And The Microsoft Visual Studio /Gs Flag. Unless This Provides Automatic Bounds Checking, It Is Not A Complete Solution.
If You Have To Use Dangerous Functions, Make Sure That You Do Boundary Checking.
Use Os-Level Preventative Functionality. Not A Complete Solution.
Use A Language Or Compiler That Performs Automatic Bounds Checking.
Use Secure Functions Not Vulnerable To Buffer Overflow.
Utilize Static Source Code Analysis Tools To Identify Potential Buffer Overflow Weaknesses In The Software.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Unreliable Execution
Indicators
1
An attack designed to leverage a buffer overflow and redirect execution as per the adversary's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the adversary would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.
Relationships
Parent CAPECs
Child CAPECs
CAPEC-8
Buffer Overflow in an API Call
CAPEC-9
Buffer Overflow in Local Command-Line Utilities
CAPEC-10
Buffer Overflow via Environment Variables
CAPEC-14
Client-side Injection-induced Buffer Overflow
CAPEC-24
Filter Failure through Buffer Overflow
CAPEC-42
MIME Conversion
CAPEC-44
Overflow Binary Resource File
CAPEC-45
Buffer Overflow via Symbolic Links
CAPEC-46
Overflow Variables and Tags
CAPEC-47
Buffer Overflow via Parameter Expansion
CAPEC-67
String Format Overflow in syslog()
CAPEC-256
SOAP Array Overflow
Resources Required
1
None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.