5.4 Heap Overflows


Because of increased publicity, as well as the prevention techniques mentioned in the next section, buffer overflows are becoming less frequent in well-designed code. Consequently, we can expect to see heap overflow exploits becoming more common.

The heap refers to memory that is dynamically allocated by an application for variable storage. In a heap overflow, the hacker attempts to overwrite variables such as passwords, filenames, and UIDs in the heap.

What is the difference between a buffer overflow and a heap overflow? In a buffer overflow, we are attempting to execute machine-level commands by overwriting the return address on the stack. In contrast, a heap overflow attempts to increase the level of system privilege by overwriting dynamically stored application variables. Heap overflow exploits include format bugs and malloc()/free() overwrites.

Researchers have also come to recognize a related class of overflows known as format bugs. The vulnerability caused by format bugs is that in C, a %n format token exists for printf format strings that commands printf to write back the number of bytes formatted so far to the corresponding argument to printf, presuming that the corresponding argument exists and is of type int *. This can be exploited if a program permits unfiltered user input to be passed directly as the first argument to printf. The varargs mechanism of C++ allows functions (e.g., printf) to accept a variable number of arguments by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments (and of what type) are to be popped. The fix to this problem is to use printf("%s", buf) instead of printf(buf).
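The following is an added example, not code from the book: it shows what %n does when its int * argument really exists, puts the printf(buf) bug beside the printf("%s", buf) fix, and adds a simple directive counter that a code review or input filter can use to confirm user data never reaches a format argument. Function names and sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Counts printf conversion directives in a string: every '%' that is
 * not part of the escaped form "%%". User-supplied text that is about
 * to be used as a *format* argument must contain none of these. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* %n used as intended: the int pointed to by the matching argument
 * receives the number of characters formatted so far. The argument
 * exists here, so the behaviour is well defined. */
int chars_before_n(const char *name)
{
    char buf[64];
    int written = -1;
    snprintf(buf, sizeof buf, "user=%s%n logged in", name, &written);
    return written;             /* "user=alice" -> 10 */
}

/* The bug from the text: user-controlled data used as the format string.
 * Every directive in `user` is interpreted, and a %n would make printf
 * write through whatever it pops as the "next argument". Shown for
 * comparison only; nothing in this example calls it. */
int render_unsafe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, user);
}

/* The fix from the text: a constant format and the user data as the
 * %s argument, so any '%' in `user` is copied as plain text. */
int render_safe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, "%s", user);
}
```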



Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211