Stack Overflow Attack (And why you probably should pay attention to the warnings of the compiler)

While coding in C, have you come across a warning about the gets() function being depreciated and ignored it to continue using the function?Assume you had done that while writing code for a software that was ultimately deployed in a lot of systems. Then every system that runs the software is now vulnerable (defence mechanisms implemented now make it harder or impossible) . How that one simple warning lead to a vulnerable host is to be understood by looking at how buffer overflow works. Buffer Overflow is the intentional or unintentional overwriting of adjacent positions of a buffer. This article gives an idea about the why and what of exploiting a type of buffer overflow called stack overflow and the techniques used to thwart them. But first, let’s look at how the stack works.

Call Stack and allocation of variables in memory

Stack is a memory structure in which data in added in a Last-In-First-Out format. The stack contains everything from variables declared in memory to return address. Let’s look at this with an example. Consider the code:

int func1()

{

//code

}

int main()

{

int a; char c;

function

//code

}

When the program execution starts in the main function, the space required for the variables in the main function are assigned in the stack first. For eg. 4 bytes for a and 1 byte for c. Then when the main function calls the function func1() the return address for the main function is first pushed onto the stack followed by the space required for the parameters if any. This is followed by the space required for the local variables in func1(). _18027_figure351

After the execution of the func1() the stack is restored to its initial state. This is how the stack functions.

gets() function and the stack: How buffer overflow attack works

The reason why gets() becomes a problem is because gets() does not check the length of the input. That is if an array of size 12 is passed as a buffer to the gets() function, the memory in stack is assigned for a maximum of 12 characters. Let us assume that the input given is of length 14. What happens in this case is that the extra space for the 2 characters is taken from the space for the previous memory segment in the stack, basically the memory area overflows. Hence the name.

buffer Stack_Overflow_3

The first picture above shows the content of the stack before the input is supplied. The second image shows the content of the stack if the input that is supplied is “hello”. The stack also shows the space allocated for the return address. The image below shows the situation in which a hand-crafted input AAAAAAAAAAAAAAAAAAAA\x08\x35\xc0\x80 is supplied.

Stack_Overflow_4

Here the little endian form of the hexadecimal value encoded in the last part of the input is actually the memory location of a code in memory. Now once the function finishes execution, the return address (which has now been overwritten) causes the execution to go to code that was not initially in the execution flow of the program. This can be used to redirect the execution to a shell or so to cause security issues. This is a simple example of how the stack overflow attack works. Do note that the attack is not exclusively tied to the gets function. The gets function is only used here to provide a visual  example. Any method that results in the overwriting of adjacent positions in the stack is known as stack overflow.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s