Hackernoon logoStack Overflow Vulnerability by@botman1001

Stack Overflow Vulnerability

Author profile picture

@botman1001Abhishek Singh Thakur

Stack overflow is a type of buffer overflow vulnerability. When we pour water in a glass more than its capacity the water spills or overflow, similarly when we enter data in a buffer more than its capacity the data overflows to adjacent memory location causing program to crash. This is know as buffer overflow.
Stack Overflow is an old vulnerability. We will see this vulnerabiltiy in the C or C++ languages, because in these languages we can use pointer freely. An attacker or hacker can use this vulnerability to exploit the system. To understand Stack Overflow we need to understand what happens in the background or in the stack when a program executes.
A Stack is a LIFO(Last In First Out) data structure. It support two operations PUSH and POP. To enter a value on the stack we use PUSH operation and to remove a value from the stack we use POP operation. When a program is compiled its memory is divided into five segments – text, data, bss, heap and stack. In text segment machine language instructions or assembly language instructions are stored.
Data segment is used to store initialized global and static variables and bss segment is used to store uninitialized variables. Heap segment is used to dynamically allocate memory.
Stack segment is used as temporary storage to store local function variable when the function is call. Stack overflow is concerned with this stack segment. In x86 Architecture stack grows from high memory address to low memory address.
Different architectures have different memory layouts.
When a function with arguments is called by a caller function, first the parameters in the callee function (or called function) are pushed onto the stack from right to left. Then the return address is pushed onto the stack. After the callee function’s execution is completed this return address jump to location at which to continue execution after the callee function is executed. Then local variables are pushed onto the stack.
A register Stack Pointer (ESP) is used to track top of the stack and it changes when an item is pushed onto or poped from the stack. A register Base Pointer(EBP) is used to point to local variables of the function. This complete collection for a function on stack is known as Stack Frame. These stack frames are pushed onto the stack when a function is called and popped from the stack when its execution is completed.
Here is a simple C program to understand this.
#include <stdio.h>

int sum(int a, int b)
{
      int c;
      c = a + b;
      return c;
}

void main()
{
    int a = 4, b = 5;
    int c = sum(a, b);    
    printf(“Sum is : %d”, c);
}
Now lets understand stack buffer overflow with a simple example.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void check_user()
{
	char a = 'D';
	char buf[4];

	strcpy(buf, "AAAAA");
	
	if (a == 'A')
	{
		printf("Correct password\n");
	}
	else
	{
		printf("Wrong password\n");
	}
}	

int main()
{

	check_user();
	return 0;
}
In function
check_user
, to print “Correct password”,
a
must be equal to “A” and using
strcpy
function we have passed 5 characters while the size of buffer is 4. So the extra character will overflow and it will overwrite the value of
a
from “D” to “A”.
Here is the stack frame of function
check_user
Modern systems doesn’t allow buffer-overflow, so to test it on a system add
-fno-stack-protector
with command while compiling.
The code was compiled and run on Ubuntu 18.04.
We are able to overwrite variable because of function
strcpy()
. It doesn’t allow bound checking means it doesn’t check the size of the data being entered.
Originally posted at Programmercave

Tags

The Noonification banner

Subscribe to get your daily round-up of top tech stories!