Next: Format String Bugs
Up: Buffer Overflows and Other
Previous: Stackguard vs. Libsafe
So far, we've dwelt on a very specific type of memory corruption bug:
overflowing a buffer on the stack and overwriting the return address.
Overflowing buffers on the stack is a very convenient bug (from a
cracker's perspective) because the mechanics of this bug are very well
understood, and canned exploits that can be adapted with a minimum of
expertise are available everywhere.
There are other problems, however, that are also worth mentioning.
- Heap memory corruption: Exploiting memory corruption on the heap
(i.e. of memory allocated dynamically via malloc) is much less common,
and a lot harder as well, because success depends heavily on the
characteristics of the program being attacked and on the internals of
the malloc implementation.
However, there are several cases where memory corruption on the heap
has been exploited as well.
- Single byte overflows: Overflowing a buffer by a single byte (in the
case of C strings, this would usually be the terminating zero byte) may
seem harmless, but it isn't. There is at least one documented example
where a single byte overflow was exploitable.
I'm not going into this in much detail here because the technical
details are fairly cumbersome; suffice it to say that single byte
overflows are bad, too.
- Format bugs: This is a fairly recent type of bug which I'll discuss
in the following section.
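To make the "single byte" case concrete, here is a small constructed C example (added for this page; it is not code from the original text). It shows the classic off-by-one: a copy loop that bounds the characters copied but then writes the terminating zero byte at an index that can equal the buffer size. The byte following the buffer stands in for whatever the compiler happened to place next to it (another local, the low byte of a saved frame pointer); the program puts the buffer and that neighbour byte in one array so the demonstration stays well-defined C, and reports whether the neighbour was overwritten. The corrected version reserves the last byte of the buffer for the terminator and truncates over-long input instead.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 8

/* Sentinel value for the one byte of memory that sits right after the
 * buffer. In a real stack frame this would be a neighbouring variable
 * or part of a saved register; here it is simply the next array element. */
#define NEIGHBOUR_MAGIC 0xA5

/* Vulnerable copy (constructed for illustration). The loop stops after
 * BUFSZ characters, but the terminating NUL is written at index i, and
 * for an input of BUFSZ or more characters i == BUFSZ: exactly one byte
 * past the end of a BUFSZ-byte buffer. Returns the characters copied. */
static size_t copy_off_by_one(unsigned char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < BUFSZ && src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
    dst[i] = '\0';          /* i may equal BUFSZ here */
    return i;
}

/* Corrected copy: reserve the last byte of the buffer for the NUL, so
 * the highest index written is BUFSZ - 1. Over-long input is truncated
 * rather than spilled into the neighbouring byte. */
static size_t copy_bounded(unsigned char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < BUFSZ - 1 && src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
    dst[i] = '\0';          /* i <= BUFSZ - 1 */
    return i;
}

/* Run a copy routine against a BUFSZ-byte buffer followed by a sentinel
 * byte, both inside one array. Returns 1 if the sentinel was overwritten,
 * i.e. if the copy wrote one byte beyond the buffer. */
static int neighbour_clobbered(size_t (*copy)(unsigned char *, const char *),
                               const char *src)
{
    unsigned char mem[BUFSZ + 1];
    memset(mem, 0, sizeof mem);
    mem[BUFSZ] = NEIGHBOUR_MAGIC;
    copy(mem, src);
    return mem[BUFSZ] != NEIGHBOUR_MAGIC;
}

int main(void)
{
    /* Constructed inputs: BUFSZ - 1 characters (fits), exactly BUFSZ
     * characters (the off-by-one case) and a longer string. */
    const char *inputs[] = { "ABCDEFG", "ABCDEFGH", "ABCDEFGHIJKLMNOP" };
    size_t n;

    for (n = 0; n < sizeof inputs / sizeof inputs[0]; n++)
        printf("%-18s off_by_one clobbers neighbour: %d   bounded: %d\n",
               inputs[n],
               neighbour_clobbered(copy_off_by_one, inputs[n]),
               neighbour_clobbered(copy_bounded, inputs[n]));
    return 0;
}
```

The point worth noticing is that the vulnerable loop looks correct at a glance: no character is ever stored out of bounds, only the terminator is. Reviewing string-handling code, the question to ask is not only "how many characters can be copied" but "what is the largest index ever written, including the NUL".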
Olaf Kirch
2002-01-16