Buffer overflow attack that allows access to a remote system

teancum144

I came across a question worded similarly to the following:

Which BEST describes a Buffer Overflow attack that allows access to a remote system?

a) The attacker attempts to have the receiving server run a payload using programming commonly found on web servers
b) The attacker overwhelms a system or application, causing a crash and bringing the server down to cause an outage
c) The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information
d) The attacker overwhelms a system or application, causing it to crash, and then redirects the memory address to read from a location holding the payload

The official answer is "d" , but I'd like to understand this attack better. How is the redirection of the memory address accomplished? Can a buffer overflow attack simultaneously cause DoS and write code that redirects the memory address to read from a location holding the payload? Am I understanding this correctly?

lsud00d

A type of buffer overflow is a NOP slide. It's essentially a series of instructions ('no operations' in assembly, aka 0X90) that "slides" the CPU execution to a specific address space in memory where the exploit code exists.

Here's a visual (which won't display here for some reason)--

http://2.bp.blogspot.com/-VuK5LaCFS9k/UBFDm439krI/AAAAAAAAAF0/-8Yz8ILFXfI/s400/NOPsled.png

NOP slides are a way to brute force ASLR.

ratbuddy

A classic paper on the subject can be found here: Smashing the Stack for Fun and Profit by Aleph One

It's not 100% applicable and somewhat out of date, but provides a great foundation on buffer overflows.

edit: Poked around a little, here's a bit of more recent work: http://www.phrack.org/issues.html?issue=67&id=13

teancum144

lsud00d wrote: »

A type of buffer overflow is a NOP slide. It's essentially a series of instructions ('no operations' in assembly, aka 0X90) that "slides" the CPU execution to a specific address space in memory where the exploit code exists.

Here's a visual (which won't display here for some reason)--

http://2.bp.blogspot.com/-VuK5LaCFS9k/UBFDm439krI/AAAAAAAAAF0/-8Yz8ILFXfI/s400/NOPsled.png

NOP slides are a way to brute force ASLR.

Thanks for the explanation and visual. I am familiar with the concept of a NOP slide. I'm wasn't familiar with the idea that a NOP/NOOP slide can be used to first cause an application to crash and then redirect a memory address to read from a location holding a payload. ...

Oh, I see, the no-operation commands in the slide are redirecting the application from one memory address to another (down the slide) until it gets to the payload at the end. But how can the application read sequential memory locations if it has crashed?

ratbuddy

It hasn't really crashed, just been corrupted or sort of run off the rails. The question isn't really worded great. It is beneficial for programs to crash as soon as a buffer overflow happens, that would in theory prevent the exploit code from running.

teancum144

ratbuddy wrote: »

A classic paper on the subject can be found here: Smashing the Stack for Fun and Profit by Aleph One

It's not 100% applicable and somewhat out of date, but provides a great foundation on buffer overflows.

edit: Poked around a little, here's a bit of more recent work: .:: Phrack Magazine ::.

I started reading both articles, but they were pretty technical and over my head. Thanks though, because I did learn a few things.

teancum144

This question was adapted from a CompTIA Security+ practice question. It is frustrating that they don't provide detailed explanations for their answers. My primary purpose for studying for this exam is to learn the underlying technical concepts.

Although I understand buffer overflows and NOP sleds generally, and would now likely be able to answer this question correctly on an exam; I'm not fully satisfied with my understanding of the answer to this question as worded. Perhaps it is a poorly worded question, but such shouldn't come from CompTIA, IMO.

For most questions, I prefer to be able to recognize correct answers. For poorly worded questions or for questions I don't fully understand, an alternate strategy is to eliminate the other answers:

a) The attacker attempts to have the receiving server run a payload using programming commonly found on web servers
I'm not exactly sure why this is incorrect, but it may be a less complete answer than "d". Also, why does "... redirects the memory address to read from a location holding the payload..." "...allow access to a remote system", while "run[ing] a payload using programming commonly found on web servers" does not?

b) The attacker overwhelms a system or application, causing a crash and bringing the server down to cause an outage
Not correct because this appears to be a DoS-only attack and not privilege escalation.

c) The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information.
Not correct because this appears to be a data-corruption attack and not privilege escalation.

Thoughts?

lsud00d

IMHO there are poorly worded questions on every exam that I just kinda shake my head at. Your methodology is good as far as reasoning through the possible answers. In general with multiple choice exams you can eliminate one or multiple options just by looking at them.

TechGuru80

You could also use process of elimination if you are really lost. A and C more or less are injections, B is a DoS due to not being accessible. That only leaves D.

paul78

I actually thought that the question was very clear and concise.


a) That is actually a command injection attack. The attacker is essentially using an input flaw to cause the application to execute the payload because of an input parsing vulnerability.

b) That's a description of denial of service. For example, causing too many requests to an application.

c) That would be a SQL injection attack. Basically, taking advantage of a input parsing vulnerability in an application

d) The key aspect is that you are over-flowing a buffer on an input field which causes the application stack to redirect execution to code embeded in the attack payload.

ipchain

I will try to quickly chime in on this one...

Which BEST describes a Buffer Overflow attack that allows access to a remote system? -> Keywords here are: Buffer Overflow Attack & Allows Access to Remote System

a) The attacker attempts to have the receiving server run a payload using programming commonly found on web servers (This sounds like OS Command Injection - You are attempting to have the web server execute the payload for you, nothing to do with BoF)
b) The attacker overwhelms a system or application, causing a crash and bringing the server down to cause an outage (This is a good start, but it results in a DOS condition and the key is access to a remote system...)
c) The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information (Sounds like a SQL Injection)
d) The attacker overwhelms a system or application, causing it to crash, and then redirects the memory address to read from a location holding the payload (Very poorly written, but this one is by far the best answer out of the four.)

Let us know if you have additional questions.

teancum144

ratbuddy wrote: »

It hasn't really crashed, just been corrupted or sort of run off the rails. The question isn't really worded great. It is beneficial for programs to crash as soon as a buffer overflow happens, that would in theory prevent the exploit code from running.

Thanks! Your comment really sunk in after reading about the raptor_passwd buffer overflow attack at the following link:

• http://www.sans.org/reading-room/whitepapers/solaris/local-privilege-escalation-solaris-8-solaris-9-buffer-overflow-passwd1-1600?show=local-privilege-escalation-solaris-8-solaris-9-buffer-overflow-passwd1-1600&cat=solaris

I found the raptor-passwd example easier to comprehend than the examples you cited (especially the visuals on pages 10 - 12). But thanks anyway! My technical depth is a work-in-process and you definitely pointed me in the right direction.

lsud00d wrote: »

A type of buffer overflow is a NOP slide.

Interestingly, the raptor_passwd buffer overflow attack doesn't appear to use a NOP slide. However, the following (under "Tips and tricks") provides an excellent example of how a NOP slide improves the chances of overwriting the return address in a memory stack:

• Buffer Overflows and You

paul78 wrote: »

... d) The key aspect is that you are over-flowing a buffer on an input field which causes the application stack to redirect execution to code embeded in the attack payload.

Having read the examples above, I have a better understadning of this question and your statement. However, the words "application stack" were confusing to me at first. Could your statement be written more clearly as follows?

The key aspect is that you are over-flowing a buffer on an input field which causes the application's memory stack to redirect execution to code embeded in the attack payload.

All, thanks for the helpful posts. My understanding of this area is much improved.

paul78

Good point. Yes - by "stack" - I am referring to RAM that is allocated by the OS for the application's stack. Although in retrospect, there is no evidence in the answer that it would be the stack that is being overflowed.

An application's memory usage can be described as either on the "stack" or allocated on the "heap".

For example:

myfunction(int a) {
}

myfunction() {
int * b = malloc(10);
}

In the case of variable a - the 4 bytes of memory is allocated on the stack. But for variable b - the 10 bytes of memory is allocated on the heap. The best way that I can think of to describe the heap is that it's memory that is explicitly allocated by the application programmer. BTW - there is an old but great explanation of stack overflows which was first published in Phrack - a copy can be found here - http://insecure.org/stf/smashstack.html

JDMurray

Does the current release of the Security+ exam really expect the exam candidate to be that knowledge about the internals of buffer overflows? If so, the Security+ isn't an "entry-level" exam anymore. I wouldn't expect to see that level of detail on the SSCP exam.

Darril

@JDMurray, you are on track with your thoughts. Neither the Security+ nor the SSCP exams go too far in depth with buffer overflows. They do expect you to know (as lsud00d mentioned) that a type of buffer overflow is a NOP or NOOP slide and that a NOP slide is a series of no operations.

I applaud teancum144's efforts to dig into the details so that he truly understand topics. That depth isn't required to pass the Security+ or SSCP exams but as he drills into these details, I can see that he is building a very solid foundation in many of the IT security related topics.