Classifying Overflow Errors (Terrible Boredom)

According to the New Hacker's Dictionary by Eric Raymond, overflow errors are "errors that inevitably occur when you attempt to load the buffer with more data that it can actually store." This is only a particular case of sequential overflow in a case of writing. In addition, there exists index overflow, which consists of access to an arbitrary cell located beyond the limits of the buffer. The term access in this case means both read and write operations.

Overflow during a write operation results in one or more variables being overwritten. Consequently, one or more variables are corrupted (including auxiliary variables inserted by a compiler, such as return addresses or this pointers). Naturally, this interrupts normal execution of a vulnerable program, causing one of the following events to occur:

  • There are no consequences.

  • The program outputs incorrect data ” in other words, makes a medley of the input numbers .

  • The program crashes, freezes , or terminates abnormally, displaying an error message.

  • The program behaves illogically and unpredictably, carrying out unexpected actions.

Overflow in the course of a read operation is less dangerous, because it only results in the possibility of accessing confidential information (such as passwords or identifiers of a TCP/IP connection).

Listing 4.1: Sequential buffer overflow in the course of a write operation
image from book
 seq_write(char *p) {         char buff[8];         ...         strcpy(buff, p); } 
image from book
 
Listing 4.2: Index overflow in the course of a read operation
image from book
 idx_write(int i) {         char buff[] = "0123456789";         ...         return buff[i]; } 
image from book
 

The end of a buffer, as a rule, is followed of data of the following types: other buffers, scalar variables and pointers, or blank space (such as unallocated memory pages). In theory, the end of a buffer might be followed by executable code; however, in practice this situation is never encountered .

The most dangerous threat for system security is pointers, because they allow the attacker to write into arbitrary memory cells or pass control using arbitrary addresses ” for example, to the beginning of the buffer subject to overflow, where machine code specially prepared by the intruder is located. As a rule, this code is called shellcode.

Buffers that directly follow the buffer subject to overflow can store some confidential information (such as passwords). Disclosing someone else's passwords and forcing the vulnerable program to accept the intruder's password is typical behavior of the intruders.

Scalar variables might store indexes (in which case they are equivalent to pointers), flags determining the program's operating logic (including debug flags left by the developer), and other information.

Depending on their location, buffers can be classified into the following three categories:

  • Local buffers located in the stack and often called automatic variables

  • Static buffers located in the data segment

  • Dynamic buffers located in the heap

Each category has specific features of overflow, which will be covered in detail later in this chapter. Before proceeding to specific features, it is necessary to consider general issues.



Shellcoder's Programming Uncovered
Shellcoders Programming Uncovered (Uncovered series)
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net