How buffer overflow exploits occur

Attackers use buffer overflow exploits to run code of their choosing by writing more data into a fixed-size memory buffer than it was sized to hold, so the excess spills into the memory next to it. Once that code runs, the attacker can take over the target computer or compromise its data.

There are two types of buffer overflow exploits:
  • Heap based attacks — They overflow buffers in the dynamically allocated memory (the heap) that a program requests at run time. They are harder to perform reliably because the heap layout is less predictable, and historically they have been less common.
  • Stack based attacks — They overflow buffers on the stack, the region where a program keeps each function's local variables, including buffers that hold user input. They are the most common.
The following steps describe a stack-based buffer overflow attack:
  1. Normal stack memory process — When a function is called, the CPU saves the return address (the location where execution continues once the function finishes) on the stack, and the function reserves a fixed-size block of stack space for its local variables, including any buffer that will hold user input such as a name. The input buffer and the saved return address therefore sit next to each other in memory. When the function finishes, the CPU reads the saved return address back and jumps to it.
  2. Overflowing the stack — When the program is written, a specific amount of space is reserved for the data. If the program copies input into that buffer without checking its length (for example with strcpy or gets), any input larger than the reserved space overwrites whatever lies beyond the buffer, including the saved return address. This is a bug whenever the input is too long; it becomes an exploit when the input is crafted by an attacker.
  3. Exploiting the overflow — If the program is waiting for a user to enter their name, the attacker instead supplies input that is longer than the buffer and contains machine code of their choosing (shellcode). The part of the input that exceeds the buffer is written past its end, over the adjacent stack memory.
  4. Running the malicious code — The shellcode does not run just because it landed outside the buffer. The attacker makes it run by placing, at the exact offset where the saved return address is stored, a value that points at the shellcode. The program does not crash and then recover; it simply keeps running until the function returns, at which point the CPU jumps to the overwritten return address. If that value is a valid address of the shellcode, the malicious code executes. If it is not a valid address, the program crashes instead, which is why a botched overflow usually shows up as a segmentation fault.
  5. Exploiting the permissions — The injected code runs with whatever privileges the compromised program already had: the user or service account it was started under, root or SYSTEM if it is a privileged service or a setuid binary, and kernel privileges if the vulnerable code is in the kernel itself. This can give the attacker full control of the operating system.
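The five steps above, shown in code. This is an added example, not code from the original page: it models one stack frame as a struct (a fixed-size name buffer directly followed by the saved return address), runs a strcpy-style copy against it with an oversized input, and shows the bytes that land on the return address. The struct, the function names and the 'A'-padded payload are assumptions made for the demo; the sentinel value 0 stands in for the real return address, and the cap at sizeof(*f) exists only so the demo does not corrupt the real stack of the process running it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Model of one stack frame: a fixed-size input buffer sitting directly
 * next to the saved return address, which is the adjacency a stack-based
 * overflow abuses. Modelling the frame as a struct (instead of relying on
 * the compiler's real frame layout) keeps the demo deterministic and lets
 * the caller inspect "the return address" without crashing the process. */
struct frame {
    char      name[NAME_LEN];   /* buffer reserved for user input            */
    uintptr_t saved_ret;        /* stand-in for the CPU's saved return address */
};

/* Step 2/3, vulnerable copy: behaves like strcpy()/gets(), stopping only at
 * the NUL terminator, never at the end of name[]. The cap at sizeof(*f) is
 * there only so the demo cannot trample the real stack; strcpy() has none. */
void copy_name_unchecked(struct frame *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;   /* byte view of the whole frame */
    size_t i = 0;
    while (i < sizeof(*f) && src[i] != '\0') {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    if (i < sizeof(*f))
        dst[i] = '\0';
}

/* Hardened copy: refuses input that does not fit with its terminator
 * instead of silently truncating. Returns 0 on success, -1 if refused. */
int copy_name_checked(struct frame *f, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_LEN);
    if (nul == NULL)            /* no NUL within NAME_LEN bytes: too long */
        return -1;
    memcpy(f->name, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Step 4, payload: padding that fills name[] exactly, followed by the bytes
 * that land on saved_ret. addr_byte is repeated for every byte of the fake
 * address so the payload works for 32- and 64-bit builds and contains no
 * NUL; a NUL would stop the strcpy-style copy early, which is exactly why
 * real exploit addresses must avoid zero bytes. Returns the payload length. */
size_t build_payload(char *out, size_t outlen, unsigned char addr_byte)
{
    size_t len = NAME_LEN + sizeof(uintptr_t);
    if (outlen < len + 1)
        return 0;
    memset(out, 'A', NAME_LEN);
    memset(out + NAME_LEN, addr_byte, sizeof(uintptr_t));
    out[len] = '\0';
    return len;
}

/* The address the attacker is aiming for: addr_byte repeated, as a number. */
uintptr_t repeated_byte_address(unsigned char b)
{
    uintptr_t v = 0;
    for (size_t i = 0; i < sizeof v; i++)
        v = (v << 8) | b;
    return v;
}

/* Runs the vulnerable copy on a fresh frame whose saved_ret starts at the
 * sentinel 0, and returns whatever saved_ret holds afterwards. */
uintptr_t saved_ret_after_unchecked(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    copy_name_unchecked(&f, input);
    return f.saved_ret;
}

/* Same experiment against the hardened copy; *rejected reports a refusal. */
uintptr_t saved_ret_after_checked(const char *input, int *rejected)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    *rejected = (copy_name_checked(&f, input) != 0);
    return f.saved_ret;
}

int main(void)
{
    char payload[NAME_LEN + sizeof(uintptr_t) + 1];
    int rejected = 0;
    build_payload(payload, sizeof payload, 0x41);   /* 16 x 'A' then 0x41... */

    printf("normal input 'alice':  saved_ret = 0x%" PRIxPTR "\n",
           saved_ret_after_unchecked("alice"));
    printf("oversized, unchecked:  saved_ret = 0x%" PRIxPTR "\n",
           saved_ret_after_unchecked(payload));
    printf("oversized, checked:    saved_ret = 0x%" PRIxPTR ", rejected = %d\n",
           saved_ret_after_checked(payload, &rejected), rejected);
    return 0;
}
```

With the unchecked copy the saved return address becomes 0x4141... (every byte of it attacker-controlled), while the checked copy refuses the input and leaves it untouched; a short name such as "alice" leaves it untouched in both cases. In a real process the attacker would put the address of the shellcode in place of the 0x41 bytes, and on a modern system would still have to get past stack canaries, non-executable stacks and address space layout randomization, which exist precisely to break step 4.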
