The anatomy of a Buffer Overflow

  08/10/2001 6:35:33 AM MDT Albuquerque, NM
  By Dustin D. Brand; Owner AMO


So just what is a buffer overflow, and how is it exploited to run code?
  Buffer Overflows are common in today's programming. Generally, they are associated with the actual compiled code used to run programs, in which a fixed-size buffer meant to hold text can be overflowed with input that is really compiled code.

  Marking the 20th anniversary of the PC, I thought I'd delve into explaining this "Buffer Overflow" problem in both technical and not-so-technical terms. First of all, Code Red, the worm now in its third revision, has been infecting Web Servers en masse due to a known Buffer Overflow in Windows Web Server Software.

  Most buffer overflow vulnerabilities are patched, or fixed, before they are used to wreak havoc; however, not every server administrator out there "patches" these holes in time. This window of time, and the fact that not everyone will patch the hole, is more than enough time and motivation for a hacker or mischievous individual or group of individuals to write a program to take advantage of the security hole.

  How the Buffer Overflow happens:
  Quite simply, let's say the program has a text entry box in which you type in text. This text entry box expects no more than 256 characters, but instead it is fed more. At the point at which it is fed more than 256 characters, if the program has a buffer overflow flaw, it will pop up with an exception. This exception details where in the computer's memory the buffer overflow occurred.
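  As an added illustration that is not part of the original article, here is the 256-character text box written in C: an unchecked handler that copies the input with no bound (the flaw just described) next to a checked handler that measures the input first and refuses anything that does not fit. All function and variable names here are made up for this example.

```c
#include <string.h>

#define BOX_LIMIT 256   /* the article's 256-character text entry box */

/* Counts the input's length but never looks further than `max` bytes,
 * so an unterminated or huge input cannot make the check itself overrun. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Unchecked handler (hypothetical): strcpy copies until it finds a NUL,
 * so input longer than BOX_LIMIT - 1 keeps writing past the end of `box`.
 * That overrun is the flaw the article describes. Kept only for contrast. */
void handle_text_unchecked(const char *input)
{
    char box[BOX_LIMIT];
    strcpy(box, input);          /* no bound on how much is written */
    (void)box;
}

/* Checked handler: measure first, then refuse anything that does not fit
 * together with its terminating NUL. Returns 1 if copied, 0 if rejected. */
int handle_text_checked(const char *input, char *box, size_t box_size)
{
    size_t n = bounded_len(input, box_size);
    if (n >= box_size)           /* would overrun, or leave no room for NUL */
        return 0;
    memcpy(box, input, n + 1);   /* text plus terminator, all inside the box */
    return 1;
}

/* Feeds a constructed input of `len` 'A' characters to the checked handler
 * and reports whether it was accepted; used to exercise the 256 boundary. */
int checked_accepts_length(size_t len)
{
    char input[1024];            /* constructed sample input, not user data */
    char box[BOX_LIMIT];
    if (len >= sizeof input)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    return handle_text_checked(input, box, sizeof box);
}
```

  With the check in place, 255 characters are accepted while 256 or more are rejected instead of spilling past the end of the box.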

  How the Buffer Overflow can be used:
  Armed with the Buffer Overflow memory address, and with additional tools, you can take a closer look at this memory address by means of a memory dump. Keep in mind that the program is still waiting to get past this Buffer Overflow; it has not crashed but has simply performed an illegal operation. Now, by mapping all of the functions the program is using, and by pinpointing the memory address of the buffer overflow, one can execute code at the point of this buffer overflow quite simply.

  What's involved at this step is simply redirecting this point of code - the buffer overflow - to another point of code which immediately follows the buffer overflow. This text, which ordinarily would be simple text from the text entry box, is instead compiled code designed to run another program. That text/program code could be as simple as a message box that pops up and says "Buffer Overflow - Hello, this is my program.", or very complex. A complex one would be a polymorphic worm which spreads to other machines by means of a network, morphing as it moves along so as not to be detected and so as to be hard to stop.

  The Buffer Overflow which was detected by a security firm, and then fixed by Microsoft on June 18th, was then used to build Code Red, which since July 19th has infected nearly 500,000 web servers that did not apply the patch. So, it took nearly 1 month before Code Red was launched, which demonstrates that the worm was built once the Buffer Overflow vulnerability was made public.

  Now that, my readers, is the anatomy of a Buffer Overflow.