Stack buffer overflow - Revision history

Nekohaxx: /* Jop chain */

2025-03-07T05:08:45Z

Jop chain

← Previous revision		Revision as of 05:08, 7 March 2025
Line 127:		Line 127:

	===== Jop chain =====		===== Jop chain =====
	Jump Oriented Programming is a technique that uses jump instructions to reuse code instead of ret instruction.<ref>{{Cite book \|url=https://www.dunod.com/sciences-techniques/securite-materielle-systemes-vulnerabilite-processeurs-et-techniques-d \|title=Sécurité matérielle des systèmes \|date=2022-09-03 \|language=fr}}</ref>		Jump Oriented Programming is a technique that uses jump instructions to reuse code instead of the ret instruction.<ref>{{Cite book \|url=https://www.dunod.com/sciences-techniques/securite-materielle-systemes-vulnerabilite-processeurs-et-techniques-d \|title=Sécurité matérielle des systèmes \|date=2022-09-03 \|language=fr}}</ref>

	==== Randomization bypass ====		==== Randomization bypass ====

AnomieBOT: Dating maintenance tags: {{Dead link}}

2025-01-28T13:14:21Z

Dating maintenance tags: {{Dead link}}

← Previous revision		Revision as of 13:14, 28 January 2025
Line 134:		Line 134:
	==Notable examples==		==Notable examples==
	* The [[Morris worm]] in 1988 spread in part by exploiting a stack buffer overflow in the [[Unix]] [[finger protocol\|finger]] server.<ref>{{cite web\|url=http://www.ee.ryerson.ca/~elf/hack/iworm.html\|title=A report on the internet worm\|date=7 Nov 1988}}</ref>		* The [[Morris worm]] in 1988 spread in part by exploiting a stack buffer overflow in the [[Unix]] [[finger protocol\|finger]] server.<ref>{{cite web\|url=http://www.ee.ryerson.ca/~elf/hack/iworm.html\|title=A report on the internet worm\|date=7 Nov 1988}}</ref>
	* The [[SQL Slammer\|Slammer worm]] in 2003 spread by exploiting a stack buffer overflow in [[Microsoft]]'s SQL server.<ref>[https://www.wired.com/wired/archive/11.07/slammer.html]{{Dead link}}</ref>		* The [[SQL Slammer\|Slammer worm]] in 2003 spread by exploiting a stack buffer overflow in [[Microsoft]]'s SQL server.<ref>[https://www.wired.com/wired/archive/11.07/slammer.html]{{Dead link\|date=January 2025}}</ref>
	* The [[Blaster worm]] in 2003 spread by exploiting a stack buffer overflow in Microsoft [[Distributed Component Object Model\|DCOM]] service.		* The [[Blaster worm]] in 2003 spread by exploiting a stack buffer overflow in Microsoft [[Distributed Component Object Model\|DCOM]] service.
	* The [[Witty worm]] in 2004 spread by exploiting a stack buffer overflow in the [[Internet Security Systems]] BlackICE Desktop Agent.<ref>[https://web.archive.org/web/20070814051604/http://www.icsi.berkeley.edu/~nweaver/login_witty.txt]</ref>		* The [[Witty worm]] in 2004 spread by exploiting a stack buffer overflow in the [[Internet Security Systems]] BlackICE Desktop Agent.<ref>[https://web.archive.org/web/20070814051604/http://www.icsi.berkeley.edu/~nweaver/login_witty.txt]</ref>

APenguinThatIsSilly: /* Notable examples */ Tried to repair bare links

2025-01-28T11:13:51Z

Notable examples: Tried to repair bare links

← Previous revision		Revision as of 11:13, 28 January 2025
Line 133:		Line 133:

	==Notable examples==		==Notable examples==
	* The [[Morris worm]] in 1988 spread in part by exploiting a stack buffer overflow in the [[Unix]] [[finger protocol\|finger]] server.[http://www.ee.ryerson.ca/~elf/hack/iworm.html]		* The [[Morris worm]] in 1988 spread in part by exploiting a stack buffer overflow in the [[Unix]] [[finger protocol\|finger]] server.<ref>{{cite web\|url=http://www.ee.ryerson.ca/~elf/hack/iworm.html\|title=A report on the internet worm\|date=7 Nov 1988}}</ref>
	* The [[SQL Slammer\|Slammer worm]] in 2003 spread by exploiting a stack buffer overflow in [[Microsoft]]'s SQL server.[https://www.wired.com/wired/archive/11.07/slammer.html]		* The [[SQL Slammer\|Slammer worm]] in 2003 spread by exploiting a stack buffer overflow in [[Microsoft]]'s SQL server.<ref>[https://www.wired.com/wired/archive/11.07/slammer.html]{{Dead link}}</ref>
	* The [[Blaster worm]] in 2003 spread by exploiting a stack buffer overflow in Microsoft [[Distributed Component Object Model\|DCOM]] service.		* The [[Blaster worm]] in 2003 spread by exploiting a stack buffer overflow in Microsoft [[Distributed Component Object Model\|DCOM]] service.
	* The [[Witty worm]] in 2004 spread by exploiting a stack buffer overflow in the [[Internet Security Systems]] BlackICE Desktop Agent.[https://web.archive.org/web/20070814051604/http://www.icsi.berkeley.edu/~nweaver/login_witty.txt]		* The [[Witty worm]] in 2004 spread by exploiting a stack buffer overflow in the [[Internet Security Systems]] BlackICE Desktop Agent.<ref>[https://web.archive.org/web/20070814051604/http://www.icsi.berkeley.edu/~nweaver/login_witty.txt]</ref>
	* There are a couple of examples of the [[Wii]] allowing arbitrary code to be run on an unmodified system. The "Twilight hack" which involves giving a lengthy name to the main character's horse in ''[[The Legend of Zelda: Twilight Princess]]'',<ref>{{Cite web\|url=http://wiibrew.org/wiki/Twilight_Hack\|title=Twilight Hack - WiiBrew\|website=wiibrew.org\|language=en\|access-date=2018-01-18}}</ref> and "Smash Stack" for ''[[Super Smash Bros. Brawl]]'' which involves using an SD card to load a specially prepared file into the in-game level editor. Though both can be used to execute any arbitrary code, the latter is often used to simply reload ''Brawl'' itself with [[Mod (video gaming)\|modifications]] applied.<ref>{{Cite web\|url=http://wiibrew.org/wiki/Smash_Stack\|title=Smash Stack - WiiBrew\|website=wiibrew.org\|language=en\|access-date=2018-01-18}}</ref>		* There are a couple of examples of the [[Wii]] allowing arbitrary code to be run on an unmodified system. The "Twilight hack" which involves giving a lengthy name to the main character's horse in ''[[The Legend of Zelda: Twilight Princess]]'',<ref>{{Cite web\|url=http://wiibrew.org/wiki/Twilight_Hack\|title=Twilight Hack - WiiBrew\|website=wiibrew.org\|language=en\|access-date=2018-01-18}}</ref> and "Smash Stack" for ''[[Super Smash Bros. Brawl]]'' which involves using an SD card to load a specially prepared file into the in-game level editor. Though both can be used to execute any arbitrary code, the latter is often used to simply reload ''Brawl'' itself with [[Mod (video gaming)\|modifications]] applied.<ref>{{Cite web\|url=http://wiibrew.org/wiki/Smash_Stack\|title=Smash Stack - WiiBrew\|website=wiibrew.org\|language=en\|access-date=2018-01-18}}</ref>

GreenC bot: Reformat 1 archive link. Wayback Medic 2.5 per Category:All articles with dead external links

2025-01-17T10:06:30Z

Reformat 1 archive link. Wayback Medic 2.5 per Category:All articles with dead external links

← Previous revision		Revision as of 10:06, 17 January 2025
Line 5:		Line 5:
	Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly. Stack buffer overflow is a type of the more general programming malfunction known as [[buffer overflow]] (or buffer overrun).<ref name="cert1"/> Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls.		Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly. Stack buffer overflow is a type of the more general programming malfunction known as [[buffer overflow]] (or buffer overrun).<ref name="cert1"/> Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls.

	A stack buffer overflow can be caused deliberately as part of an attack known as '''stack smashing'''. If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. a [[webserver]]) then the bug is a potential [[security vulnerability]]. If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and more reliable methods for [[hacker (computer security)\|attackers]] to gain unauthorized access to a computer.<ref name="aleph1">{{cite journal \|last=Levy \|first=Elias \|author-link=Elias Levy \|title=Smashing The Stack for Fun and Profit \|journal=[[Phrack]] \|volume=7 \|issue=49 \|pages=14 \|date=1996-11-08 \|url=http://www.phrack.org/issues/49/14.html#article}}</ref><ref name="microsoft1">{{Cite journal \| doi = 10.1109/MSP.2004.36\| title = Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns\| journal = IEEE Security and Privacy Magazine\| volume = 2\| issue = 4\| pages = 20–27\| date=July–August 2004 \| last1 = Pincus \| first1 = J.\| last2 = Baker \| first2 = B.\| s2cid = 6647392\| url = http://www.cs.berkeley.edu/~daw/teaching/cs261-f07/reading/beyondsmashing.pdf}}</ref><ref name="forest">{{cite web\|author=Burebista<!-- [email protected] --> \|title=Stack Overflows \|url=http://www.securityforest.com/downloads/educationtree/stack_overflows.pdf \|url-status=dead \|archive-url=https://web.archive.org/web/20070928100343/http://www.securityforest.com/downloads/educationtree/stack_overflows.pdf \|archive-date=September 28, 2007}} ~~{{Dead link\|date=July 2022}}~~</ref>		A stack buffer overflow can be caused deliberately as part of an attack known as '''stack smashing'''. If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. a [[webserver]]) then the bug is a potential [[security vulnerability]]. If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and more reliable methods for [[hacker (computer security)\|attackers]] to gain unauthorized access to a computer.<ref name="aleph1">{{cite journal \|last=Levy \|first=Elias \|author-link=Elias Levy \|title=Smashing The Stack for Fun and Profit \|journal=[[Phrack]] \|volume=7 \|issue=49 \|pages=14 \|date=1996-11-08 \|url=http://www.phrack.org/issues/49/14.html#article}}</ref><ref name="microsoft1">{{Cite journal \| doi = 10.1109/MSP.2004.36\| title = Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns\| journal = IEEE Security and Privacy Magazine\| volume = 2\| issue = 4\| pages = 20–27\| date=July–August 2004 \| last1 = Pincus \| first1 = J.\| last2 = Baker \| first2 = B.\| s2cid = 6647392\| url = http://www.cs.berkeley.edu/~daw/teaching/cs261-f07/reading/beyondsmashing.pdf}}</ref><ref name="forest">{{cite web\|author=Burebista<!-- [email protected] --> \|title=Stack Overflows \|url=http://www.securityforest.com/downloads/educationtree/stack_overflows.pdf \|url-status=dead \|archive-url=https://web.archive.org/web/20070928100343/http://www.securityforest.com/downloads/educationtree/stack_overflows.pdf \|archive-date=September 28, 2007}} </ref>

	==Exploiting stack buffer overflows==		==Exploiting stack buffer overflows==

TheCatCollective: Spacing wrt refs per MOS:REFSPACE

2024-12-08T10:31:25Z

Spacing wrt refs per MOS:REFSPACE

← Previous revision		Revision as of 10:31, 8 December 2024
Line 113:		Line 113:

	=== Bypass countermeasures ===		=== Bypass countermeasures ===
	The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met. <ref>{{Cite web \|last=Shoshitaishvili \|first=Yan \|title=Memory Errors, program security \|url=https://pwn.college/program-security/memory-errors/ \|access-date=2024-09-07 \|website=pwn college}}</ref>		The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met.<ref>{{Cite web \|last=Shoshitaishvili \|first=Yan \|title=Memory Errors, program security \|url=https://pwn.college/program-security/memory-errors/ \|access-date=2024-09-07 \|website=pwn college}}</ref>

	==== Stack canary bypass ====		==== Stack canary bypass ====

Citation bot: Removed parameters. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox | #UCB_webform_linked 425/592

2024-10-10T19:10:12Z

Removed parameters. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox | #UCB_webform_linked 425/592

← Previous revision		Revision as of 19:10, 10 October 2024
Line 113:		Line 113:

	=== Bypass countermeasures ===		=== Bypass countermeasures ===
	The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met. <ref>{{Cite web \|last=Shoshitaishvili \|first=Yan \|title=Memory Errors, program security \|url=https://pwn.college/program-security/memory-errors/ ~~\|url-status=live~~ \|access-date=2024-09-07 \|website=pwn college}}</ref>		The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met. <ref>{{Cite web \|last=Shoshitaishvili \|first=Yan \|title=Memory Errors, program security \|url=https://pwn.college/program-security/memory-errors/ \|access-date=2024-09-07 \|website=pwn college}}</ref>

	==== Stack canary bypass ====		==== Stack canary bypass ====

Gogo24: add source

2024-09-07T13:28:26Z

add source

← Previous revision		Revision as of 13:28, 7 September 2024
Line 113:		Line 113:

	=== Bypass countermeasures ===		=== Bypass countermeasures ===
	The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met.		The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met. <ref>{{Cite web \|last=Shoshitaishvili \|first=Yan \|title=Memory Errors, program security \|url=https://pwn.college/program-security/memory-errors/ \|url-status=live \|access-date=2024-09-07 \|website=pwn college}}</ref>

	==== Stack canary bypass ====		==== Stack canary bypass ====

49.205.84.62: /* Exploiting stack buffer overflows */ Fixed grammar

2024-05-12T07:41:03Z

Exploiting stack buffer overflows: Fixed grammar

← Previous revision		Revision as of 07:41, 12 May 2024
Line 37:		Line 37:
	\|}		\|}

	In figure C above, when an argument larger than 11 bytes is supplied on the command line <code>foo()</code> overwrites local stack data, the saved frame pointer, and most importantly, the return address. When <code>foo()</code> returns it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer <code>char c[12]</code>, which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be [[shellcode]] suitable to the platform and desired function. If this program had special privileges (e.g. the [[setuid\|SUID]] bit set to run as the [[superuser]]), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.<ref name="aleph1"/>		In figure C above, when an argument larger than 11 bytes is supplied on the command line <code>foo()</code> overwrites local stack data, the saved frame pointer, and most importantly, the return address. When <code>foo()</code> returns, it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer <code>char c[12]</code>, which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be [[shellcode]] suitable to the platform and desired function. If this program had special privileges (e.g. the [[setuid\|SUID]] bit set to run as the [[superuser]]), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.<ref name="aleph1"/>

	The attacker can also modify internal variable values to exploit some bugs.		The attacker can also modify internal variable values to exploit some bugs.

Citation bot: Add: s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 18/35

2024-02-20T11:23:44Z

Add: s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 18/35

← Previous revision		Revision as of 11:23, 20 February 2024
Line 78:		Line 78:
	return 0;		return 0;
	}		}
	</syntaxhighlight>There are typically two methods that are used to alter the stored address in the stack - direct and indirect. Attackers started developing indirect attacks, which have fewer dependencies, in order to bypass protection measures that were made to reduce direct attacks.<ref>{{Cite journal \|~~last~~=Kuperman \|~~first~~=Benjamin A. \|last2=Brodley \|first2=Carla E. \|last3=Ozdoganoglu \|first3=Hilmi \|last4=Vijaykumar \|first4=T. N. \|last5=Jalote \|first5=Ankit \|date=November 2005 \|title=Detection and prevention of stack buffer overflow attacks \|url=https://dl.acm.org/doi/10.1145/1096000.1096004 \|journal=Communications of the ACM \|language=en \|volume=48 \|issue=11 \|pages=50–56 \|doi=10.1145/1096000.1096004 \|issn=0001-0782}}</ref>		</syntaxhighlight>There are typically two methods that are used to alter the stored address in the stack - direct and indirect. Attackers started developing indirect attacks, which have fewer dependencies, in order to bypass protection measures that were made to reduce direct attacks.<ref>{{Cite journal \|last1=Kuperman \|first1=Benjamin A. \|last2=Brodley \|first2=Carla E. \|last3=Ozdoganoglu \|first3=Hilmi \|last4=Vijaykumar \|first4=T. N. \|last5=Jalote \|first5=Ankit \|date=November 2005 \|title=Detection and prevention of stack buffer overflow attacks \|url=https://dl.acm.org/doi/10.1145/1096000.1096004 \|journal=Communications of the ACM \|language=en \|volume=48 \|issue=11 \|pages=50–56 \|doi=10.1145/1096000.1096004 \|s2cid=120462 \|issn=0001-0782}}</ref>

	==Platform-related differences==		==Platform-related differences==

Keith D: Fix cite date error

2024-02-16T23:57:30Z

Fix cite date error

← Previous revision		Revision as of 23:57, 16 February 2024
Line 78:		Line 78:
	return 0;		return 0;
	}		}
	</syntaxhighlight>There are typically two methods that are used to alter the stored address in the stack - direct and indirect. Attackers started developing indirect attacks, which have fewer dependencies, in order to bypass protection measures that were made to reduce direct attacks.<ref>{{Cite journal \|last=Kuperman \|first=Benjamin A. \|last2=Brodley \|first2=Carla E. \|last3=Ozdoganoglu \|first3=Hilmi \|last4=Vijaykumar \|first4=T. N. \|last5=Jalote \|first5=Ankit \|date=2005~~-11~~ \|title=Detection and prevention of stack buffer overflow attacks \|url=https://dl.acm.org/doi/10.1145/1096000.1096004 \|journal=Communications of the ACM \|language=en \|volume=48 \|issue=11 \|pages=50–56 \|doi=10.1145/1096000.1096004 \|issn=0001-0782}}</ref>		</syntaxhighlight>There are typically two methods that are used to alter the stored address in the stack - direct and indirect. Attackers started developing indirect attacks, which have fewer dependencies, in order to bypass protection measures that were made to reduce direct attacks.<ref>{{Cite journal \|last=Kuperman \|first=Benjamin A. \|last2=Brodley \|first2=Carla E. \|last3=Ozdoganoglu \|first3=Hilmi \|last4=Vijaykumar \|first4=T. N. \|last5=Jalote \|first5=Ankit \|date=November 2005 \|title=Detection and prevention of stack buffer overflow attacks \|url=https://dl.acm.org/doi/10.1145/1096000.1096004 \|journal=Communications of the ACM \|language=en \|volume=48 \|issue=11 \|pages=50–56 \|doi=10.1145/1096000.1096004 \|issn=0001-0782}}</ref>

	==Platform-related differences==		==Platform-related differences==