Buffer Overflows – CompTIA Security+ SY0-701 – 2.3

A poorly written application can be a useful vector for an attacker. In this video, you’ll learn how buffer overflows can be used to gain access to a remote system.


A buffer overflow attack is one where an attacker can write more than what is expected into a particular area of memory, and that additional information overflows into another area of memory. Normally, the application developer performs bounds checking: they check that anyone writing into that section of memory is writing only the 8 bytes it holds and nothing more.

Attackers go through every part of an application trying to perform buffer overflows, to see if they can modify the way the application is designed to work. However, this is not a simple vulnerability to exploit. Even if you find a buffer overflow, writing additional information into memory can have unexpected results and might crash the entire system or application. But an attacker may be able to use just the right type of buffer overflow, into the right area of memory, with just the right information, to make the application perform a particular function that is advantageous to the attacker.

What the attacker is really looking for is a buffer overflow that is always repeatable and always provides the attacker with a particular function that gives them an advantage. Here’s a buffer overflow example where the attacker can take advantage of this issue to create elevated rights and permissions for themselves. This is a case where we have two different variables in memory, variable A and variable B.

You can see that variable A has nothing currently written to it; it is all 0s, and it has eight bytes available for storing variable A. Variable B has already been written to memory. It is 2 bytes long, and you can see that the decimal value of variable B is currently 1979.

For this particular application, variable B contains information on how this application should provide rights and permissions. If this value is below 2000, you effectively have user rights or guest rights for this application. The attacker would like to have administrative rights, but for administrative rights, the value of variable B must be anything over 24,000.

Normally, variable B is not something that could be changed from inside the application. But this attacker has found a vulnerability with variable A that allows them to perform a buffer overflow. The attacker knows that they can write 9 bytes into variable A. That will fill up the 8 bytes that would normally be variable A, and the last byte will overflow into variable B.

In this example, the attacker has chosen to store the word “excessive” into variable A. But excessive has nine characters. The first eight characters are stored as part of variable A, and the ninth letter, e (hex value 65), is stored as the first byte of variable B as it overflows into that variable.

You can see that this buffer overflow has now changed the value of variable B; its value is now 25,856. As we’ve already said, any value over 24,000 in variable B provides that user with the rights and permissions of an administrator. This attacker was effectively able to use a buffer overflow to gain elevated rights and permissions for this application without having any administrator credentials.
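The variable A / variable B walkthrough above, and the bounds checking the transcript says a developer should normally perform, as an added C example (this is not code from the video or from Professor Messer). Rather than corrupting real process memory, which is undefined behaviour in C, the two variables are modelled as a constructed 10-byte array (names such as `Memory`, `write_a_unchecked`, `write_a_checked` and `b_after_write` are this example’s own). Variable B is read big-endian so that its “first byte” is the high byte, matching the figure in the transcript. The unchecked write copies the terminating NUL exactly as `strcpy()` does, which is why B’s second byte also becomes zero and the result is precisely the 25,856 (0x6500) the transcript reports; the same behaviour shows that even an 8-character string overflows A by its terminator.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two adjacent variables in the walkthrough:
 * variable A is an 8-byte character field and variable B is a 2-byte
 * integer stored immediately after it. */
#define A_SIZE   8
#define B_OFFSET 8
#define MEM_SIZE 10

typedef struct {
    unsigned char bytes[MEM_SIZE];
} Memory;

/* Start state from the transcript: A is all zeros, B holds 1979 (0x07BB). */
void memory_init(Memory *m) {
    memset(m->bytes, 0, MEM_SIZE);
    m->bytes[B_OFFSET]     = 0x07;
    m->bytes[B_OFFSET + 1] = 0xBB;
}

/* B is interpreted big-endian so its first byte is the high byte,
 * as in the transcript's figure. */
unsigned read_b(const Memory *m) {
    return ((unsigned)m->bytes[B_OFFSET] << 8) | m->bytes[B_OFFSET + 1];
}

/* Permission rule from the walkthrough: over 24,000 means administrator. */
int is_admin(unsigned b) {
    return b > 24000;
}

/* Unchecked copy behaving like strcpy(): copies every byte of src including
 * the terminating NUL and never asks whether it fits. Anything beyond the
 * 8 bytes of A lands in B's slot. (The clamp to MEM_SIZE only keeps this
 * model itself memory-safe; it is not a bounds check on A.) */
void write_a_unchecked(Memory *m, const char *src) {
    size_t n = strlen(src) + 1;
    for (size_t i = 0; i < n && i < MEM_SIZE; i++) {
        m->bytes[i] = (unsigned char)src[i];
    }
}

/* Bounds-checked copy: rejects anything that does not fit in A together with
 * its terminator and leaves memory untouched on rejection.
 * Returns 0 on success, -1 if the input was rejected. */
int write_a_checked(Memory *m, const char *src) {
    size_t len = strlen(src);
    if (len >= A_SIZE) {   /* len + 1 bytes are needed; A holds only A_SIZE */
        return -1;
    }
    memcpy(m->bytes, src, len + 1);
    return 0;
}

/* Value of B after writing src into A, with or without the bounds check. */
unsigned b_after_write(const char *src, int use_bounds_check) {
    Memory m;
    memory_init(&m);
    if (use_bounds_check) {
        write_a_checked(&m, src);
    } else {
        write_a_unchecked(&m, src);
    }
    return read_b(&m);
}

int main(void) {
    const char *inputs[] = { "short", "excessiv", "excessive" };
    for (int i = 0; i < 3; i++) {
        unsigned vulnerable = b_after_write(inputs[i], 0);
        unsigned hardened   = b_after_write(inputs[i], 1);
        printf("%-10s unchecked: B=%5u (%s)   checked: B=%5u (%s)\n",
               inputs[i],
               vulnerable, is_admin(vulnerable) ? "admin" : "user",
               hardened,   is_admin(hardened)   ? "admin" : "user");
    }
    return 0;
}
```

Writing “excessive” through the unchecked path turns B into 25,856 and the permission check into “admin”; “excessiv” (exactly eight characters) still clobbers B’s high byte with the terminator, giving 187, which is the off-by-one that a check of `len >= A_SIZE` rather than `len > A_SIZE` is there to catch. The checked path rejects both and B stays at 1979.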