Buffer Overruns

Almost every major Internet application daemon, including the sendmail daemon, the finger daemon, the talk daemon, and others, has at one point been compromised through a buffer overrun.

If you are writing

any code that will ever be run as root,
a program that performs any kind of interprocess communication,
a program that reads files.

you should be aware of this kind of security hole.

The idea behind a buffer overrun attack is to trick a program into executing code that it did not intend to execute.

The usual mechanism for achieving this feat is to overwrite some portion of the program's process stack.

The program's stack contains, among other things, the memory location to which the program will transfer control when the current function returns.
Therefore, if you can put the code that you want to have executed into memory somewhere and then change the return address to point to that piece of memory, you can cause the program to execute anything.
When the program returns from the function it is executing, it will jump to the new code and execute whatever is there, running with the privileges of the current process.

If the program is running as a daemon and listening for incoming network connections, the situation is even worse. A daemon typically runs as root.

A program that does not engage in network communications is much safer because only users who are already able to log in to the computer running the program are able to attack it.

The buggy versions of finger, talk, and sendmail all shared a common flaw. Each used a fixed-length string buffer, which implied a constant upper limit on the size of the string but then allowed network clients to provide strings that overflowed the buffer.

For example, they contained code similar to this:

 #include <stdio.h>
int main ()
{
/* Nobody in their right mind would have more than 32 
characters in their username. Plus, I think UNIX allows 
only 8-character usernames. So, this should be plenty 
of space. */
char username[32];
/* Prompt the user for the username. */
printf ("Enter your username: ");
/* Read a line of input. */
gets (username);
/* Do other things here... */
return 0;
}

The combination of the 32-character buffer with the gets function permits a buffer overrun.

The gets function reads user input up until the next newline character and stores the entire result in the username buffer.

The attacker might deliberately type in a very long username.
Local variables such as username are stored on the stack, so by exceeding the array bounds, it's possible to put arbitrary bytes onto the stack beyond the area reserved for the username variable.
The username will overrun the buffer and overwrite parts of the surrounding stack, allowing the kind of attack described previously.

Fortunately, it's relatively easy to prevent buffer overruns. When reading strings, you should always use a function, such as getline, that either dynamically allocates a sufficiently large buffer or stops reading input if the buffer is full. For example, you could use this:

char* username = getline (NULL, 0, stdin);

This call automatically uses malloc to allocate a buffer big enough to hold the line and returns it to you. You have to remember to call free to deallocate the buffer, of course, to avoid leaking memory.

Of course, buffer overruns can occur with any statically sized array, not just with strings.

If you want to write secure code, you should never write into a data structure, on the stack or elsewhere, without verifying that you're not going to write beyond its region of memory.

In the simplest case, a buffer overflow allows the user supplying input to one untrusted variable to overwrite another variable, which is assumed to be safe from untrusted input. Imagine the trivial http://siber.cankaya.edu.tr/SystemsProgramming/cfiles/bufferoverflow.c program in Fig. 11.4 running with stdin/stdout connected to an outside source through some means.

**Figure 11.4:** A Simple Buffer Overflow Program and Its Execution.
$\begin{figure}\begin{center} \small \begin{verbatim} ...$

then execute like

./bufferoverflow
Please enter your name: 12345678whoami
Hello, 12345678whoami, the current date and time is: ozdogan

It turns out that "command" is stored in memory right above "name".
Local variables in most implementations of C and many other languages are stored next to each other on the stack. Of course, crackers trying to repeat this feat with other programs often found the variables they were overwriting were too mundane to be of much use.
They could only usefully overwrite those variables declared in the same function before the variable in question.
True, the variables for the function that called this function were just a little further along on the stack, as well as the function which called it, and the function before it; but before you overwrote those variables you would overwrite the return address in between and the program would never make it back to those functions.
You see, the return address is a very important value. By overwriting its value, you can transfer control of the program to any existing section of code.
Of course, you still need an existing section of code that will suit your evil purposes and you need to know exactly where it is located in memory on the target system.
Dissatisfied with being limited to the existing code? Well, why not supply your own binary executable code in the string itself?

If you must execute a program with any untrusted user input as arguments, use one of the exec() family of calls instead of system().

For vulnerable standard library functions and alternatives see Table 11.1

**Table 11.1:** Vulnerable Standard Library Functions and Alternatives
Bad Syntax	Better Syntax	Notes
gets()	fgets()	Different handling of newlines may leave unread characters in stream
sprintf()	snprintf()	Not available on many other OSes
vsprintf()	vsnprintf()	Not available on many other OSes
strcpy()	strncpy()	Omits trailing null if there is an overflow
strcat()	strncat()	Omits trailing null if there is an overflow
stpcpy()	stpncpy()	Copies exactly the specified size of characters into the target

Race Conditions in /tmp

Up:

More Security Holes

Cem Ozdogan 2007-05-16