What Is Buffer Overflow?
In information security and programming, a buffer overflow, also known as a buffer overrun, is a software coding vulnerability or error that cybercriminals can abuse to obtain unauthorized access to a company’s system.
The software error focuses on buffers, which are areas of memory that temporarily store data, typically as it is moved from one section of a program to another, or between programs. A buffer overflow happens when the amount of data in the buffer surpasses its storage space.
Because buffers are designed to hold a limited amount of information, any additional data that needs to go somewhere can overflow into adjoining buffers, corrupting or overwriting the valid data held in them. As a result, the program may exhibit erratic behavior, such as memory access errors, inaccurate results, and crashes.
These data buffers are typically located in RAM. Buffering is widely used by computers to improve performance and by most modern hard drives and online services to speed up data access. As previously stated, buffer overflows can be exploited by malicious actors to corrupt software. Despite being well understood, buffer overflow attacks remain a significant security issue that worries cybersecurity experts.
What Is a Buffer Overflow Attack?
A buffer overflow attack occurs when a hacker exploits the coding error to perform a malicious activity and compromise the impacted system. The cybercriminal modifies the execution path of the app and overwrites elements of its memory, causing existing files to be damaged or confidential information to be exposed.
Usually, a buffer overflow attack involves violating the memory rules of the programming language and writing past the bounds of the buffers the data lives in. The majority of buffer overflows happen because of a combination of memory manipulation and incorrect assumptions about the composition or size of the data being handled.
A buffer overflow vulnerability happens when the code is dependent on external data to control its behavior or relies on data attributes that are imposed beyond its immediate scope.
It can also occur when the code is so complicated that software developers can’t accurately predict its behavior.
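The situation described above, code that lets external data control how much it copies, is easiest to see in a parser. The following C program is an added example, not code from the original article. It assumes a constructed wire format (one byte declaring the payload length, followed by the payload) and uses hypothetical function names; the hardened parser checks the declared length against both what was actually received and the destination's capacity before copying, while the unchecked variant is shown only for contrast and is never called.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example: msg[0] is the declared payload
 * length, msg[1..] is the payload. The declared length is untrusted input. */
#define PAYLOAD_MAX 16

/* Hardened parser: returns the number of payload bytes copied into out,
 * or -1 if the declared length cannot be trusted. */
int parse_record(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t declared = msg[0];
    /* Check 1: the sender must actually have sent that many bytes. */
    if (declared > msg_len - 1)
        return -1;
    /* Check 2: the destination buffer must be able to hold them. */
    if (declared > out_cap)
        return -1;
    memcpy(out, msg + 1, declared);
    return (int)declared;
}

/* Vulnerable variant, shown for contrast only and never called: it trusts
 * the length field, so a lying header makes memcpy read past the message
 * and write past the destination buffer. */
int parse_record_unchecked(const uint8_t *msg, uint8_t *out)
{
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);
    return (int)declared;
}

/* Constructed test inputs wrapped in functions so each case is checkable. */
int demo_honest_header(void)
{
    uint8_t out[PAYLOAD_MAX];
    const uint8_t msg[] = {3, 'a', 'b', 'c'};          /* declares 3, carries 3 */
    return parse_record(msg, sizeof msg, out, sizeof out);
}

int demo_lying_header(void)
{
    uint8_t out[PAYLOAD_MAX];
    const uint8_t msg[] = {200, 'a', 'b', 'c'};        /* declares 200, carries 3 */
    return parse_record(msg, sizeof msg, out, sizeof out);
}

int demo_too_big_for_destination(void)
{
    uint8_t out[PAYLOAD_MAX];
    uint8_t msg[1 + 20];
    msg[0] = 20;                                       /* honest, but > PAYLOAD_MAX */
    memset(msg + 1, 'x', 20);
    return parse_record(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("honest header:      %d\n", demo_honest_header());        /* 3  */
    printf("lying header:       %d\n", demo_lying_header());         /* -1 */
    printf("oversized payload:  %d\n", demo_too_big_for_destination()); /* -1 */
    return 0;
}
```

Both checks are needed: the first stops an over-read of the received message, the second stops an overflow of the buffer the payload is copied into. Dropping either one reintroduces the defect the paragraph describes.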
How Do Hackers Exploit Buffer Overflow Issues?
The methods for exploiting buffer overflow vulnerabilities differ depending on the operating system (OS), architecture, and memory region. However, the additional data they send to a program will almost certainly include malicious code that allows the intruder to prompt new actions and send new commands to the compromised application.
Injecting extra code into a program, for example, could send it new instructions that grant the threat actors access to the company’s IT systems.
If a malicious actor is familiar with the memory layout of a program, they may be able to deliberately enter information that can’t be held by the buffer. This will enable them to overwrite memory locations containing executable code and replace it with malicious code, allowing the attackers to take control of the program.
Buffer overflow is used by threat actors in order to:
- alter the execution stack of a web app;
- execute arbitrary code;
- assume control of a device.
Buffer overflow incidents can result in:
- System collapse;
- Loss of access control;
- Additional security concerns.
Different Types of Buffer Overflow Attacks
The most common types of buffer overflow attacks used by malicious actors to compromise corporate systems are:
Stack-based buffer overflow attacks
This is the most common type of buffer overflow attack. A stack-based buffer overflow occurs when a program writes more data to a stack-based buffer than is actually allocated for that buffer. This almost always causes adjacent data on the stack to be altered.
Heap-based buffer overflow attacks
A heap overflow is a buffer overflow that takes place in the heap data area and can be exploited in a different way than stack-based overflows. A heap-based attack is more difficult to carry out than a stack-based one. It entails flooding a program’s memory space with data that isn’t needed for current runtime processes.
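The stack-based and heap-based cases above, side by side, as an added example in C that is not code from the original article. It uses a deliberately small hypothetical buffer size so the boundary is easy to reason about: `greet_unchecked` shows the classic unbounded `strcpy` pattern (for contrast only, never called), while `bounded_copy` refuses input that does not fit, including the terminating NUL, and protects a stack array and a `malloc`'d buffer alike.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 8   /* deliberately small for the example */

/* Vulnerable pattern, shown for contrast only and never called: strcpy copies
 * until it finds a NUL, so any name longer than NAME_MAX - 1 characters is
 * written past the end of buf into whatever the stack holds next to it. */
void greet_unchecked(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
}

/* Hardened copy: returns 0 on success, -1 if src does not fit in dst
 * together with its NUL terminator. It never scans src past dst_size bytes,
 * so an unterminated source cannot cause an over-read either. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)          /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* copy the bytes plus the NUL */
    return 0;
}

/* Stack case: a fixed-size local array. */
int greet_stack(const char *name)
{
    char buf[NAME_MAX];
    if (bounded_copy(buf, sizeof buf, name) != 0)
        return -1;              /* reject rather than overflow */
    printf("Hello, %s\n", buf);
    return 0;
}

/* Heap case: the capacity is chosen by the program, not taken from the input,
 * and the same bound is enforced before writing. */
int greet_heap(const char *name, size_t cap)
{
    char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    int rc = bounded_copy(buf, cap, name);
    if (rc == 0)
        printf("Hello, %s\n", buf);
    free(buf);
    return rc;
}

int main(void)
{
    greet_stack("Ada");                               /* fits, returns 0 */
    greet_stack("a-name-that-is-too-long");           /* rejected, returns -1 */
    greet_heap("Ada", NAME_MAX);                      /* fits, returns 0 */
    greet_heap("a-name-that-is-too-long", NAME_MAX);  /* rejected, returns -1 */
    return 0;
}
```

The rejection path matters as much as the copy: a caller that silently truncates instead can still end up with a string that lacks its terminator or no longer means what the user sent. Compiling this kind of code with the compiler's stack protector and fortified libc functions enabled adds a runtime backstop, but it does not replace the explicit length check.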
Programming Languages Vulnerable to Buffer Overflow
The buffer overflow issue is one of the oldest and most widespread problems in software development, dating back to the introduction of computer communication, and it affects almost all applications, web servers, and web app environments.
C and C++ are two languages that are highly vulnerable to buffer overflow attacks because they lack built-in protection against overwriting or accessing data in their memory. The macOS, Windows, and Linux operating systems all use code written in C and C++.
More sophisticated high-level programming languages, such as Java, Python, and C#, include built-in features that help lessen the likelihood of buffer overflow but do not completely eliminate it.
Buffer Overflow Attacks Examples
The Morris worm
The Morris worm of 1988 was one of the first computer worms to be spread via the internet, as well as the first to gain significant mainstream media exposure. In two days, it infected 10% of the internet by abusing a buffer overflow vulnerability in the Unix sendmail, finger, and rsh/rexec programs. Between 1988 and 1990, the Morris worm affected over 60,000 devices, and it was dubbed the “Great Worm” or the “Grand Daddy” because of the devastating impact it had on the internet at the time.
Adobe Flash Player
In 2016, a buffer overflow vulnerability was discovered in Adobe Flash Player for Windows, macOS, Linux, and Chrome OS. The vulnerability was due to an Adobe Flash Player error while analyzing a specifically designed SWF (Shockwave Flash) file. By alluring users to open SWF files or Office documents with embedded malicious Flash Player content distributed via email, attackers were able to elude security restrictions, execute arbitrary code, and collect personal data. Adobe immediately issued security updates to fix the problem.
WhatsApp
In 2019, Facebook revealed that all of its WhatsApp products were vulnerable to a security flaw. The vulnerability took advantage of a buffer overflow weakness in WhatsApp’s VoIP stack on smartphones. An exploit of the vulnerability was used to infect over 1,400 devices with malware simply by contacting the target phone using WhatsApp voice, even if the call was not answered. Facebook responded by releasing security updates that addressed the buffer overflow flaws.
How to Stay Protected?
Developers can protect themselves from buffer overflow vulnerabilities by including security features in their code or avoiding programming languages that don’t offer built-in protection. The latter is the most straightforward method to prevent buffer overflow vulnerabilities.
Also, more advanced operating systems now have runtime protection that provides extra defense against buffer overflows. Three common protections are:
Address space layout randomization (ASLR): Buffer overflow attacks usually necessitate knowing where executable code is located. ASLR randomly rearranges the locations of a program’s memory regions each time it runs, so the addresses an overflow attack depends on are much harder to predict.
Data execution prevention (DEP): This method marks specific regions of memory as executable or non-executable, preventing an attack from running code in a non-executable region.
Structured exception handling overwrite protection (SEHOP): Malicious actors may attempt to overwrite structured exception handling (SEH), a built-in system to manage hardware and software exceptions. They accomplish this via a stack-based overflow attack that overwrites the exception registration record, which is kept on the program’s stack. SEHOP prevents a malicious actor from exploiting the SEH overwrite technique.
Buffer overflow vulnerabilities can be difficult to detect, especially in large and complicated software, and secure coding practices alone are not enough. When a buffer overflow vulnerability is discovered, a company must act immediately to patch the affected software and ensure that its users have access to the patch.
How Can Heimdal Help?
With Heimdal’s Patch & Asset Management module, you can view and manage your software inventory and, at the same time, achieve preemptive vulnerability management. Make sure that your organization has a rapid deployment (shortest vendor to end-user waiting time <4 hours) of security-critical patches and updates, for essential resilience against cyber threats.
With an intuitive, clean interface and comprehensive reports, you continuously have an overview of essential software, its security status, and all the tools necessary to prove compliance.