Buffer Overflows and Integer Overflows – CompTIA Security+ SY0-401: 3.5

A poorly developed application can allow the bad guys to manipulate memory using buffer overflows and integer overflows. In this video, you’ll learn how an overflow works and what you can do to prevent these security issues.

<< Previous Video: Directory Traversal and Command InjectionNext: Zero-Day Attacks >>

An integer is a whole number. So the number seven is an integer. The number 7.1 would not be an integer because it has a decimal place or a fraction associated with it. Negative numbers can also be integers. So 32 and negative 32 are both integers. Usually there is a fixed boundary when we’re developing applications for these integers and you assign a variable to cover the range between, say, negative 32 and 32. So every possible number between those would be an integer that we could store for that particular variable. The problem is if we don’t do a proper job of developing that software, that are software may allow that number to go a bit out of bounds.

But since it’s such a restrictive area, once you go from 30 to 31 to 32 instead of going up to 33– which is outside the scope for that variable– it’s possible that you roll all the way to the other end of the range. So you could go from 32 to negative 32 to negative 31 and work your way back up that way. This is a bit of a problem when you’re developing software because you don’t want these variables to be something unexpected.

For instance, if you were allocating a space in memory– you were creating a buffer area to store some other information and the size of that area was based on this integer, and we were expecting the integer to be 32. But when we’re ready to allocate the space, instead of having a 32 as represented as that integer, it’s now a negative 32. And obviously we can’t allocate a negative amount of space in memory, and our application would fail. These are the types of vulnerabilities that the bad guys are looking for. They know if they can overflow that variable and make the integer for buffer allocation be negative that they can cause that application to fail. And this is a perfect opportunity to create a denial of service for this application.

A buffer overflow is a different kind of overflow. Buffers are areas that are allocated in memory and we put information into those areas. Before anything can be written into memory, the developer has to carve out a little space inside of the memory of your computer and that’s where they’re going to store a lot of the variables and information that they need during the execution of that application. The developers, though, need to be very careful about how they check what you’re putting into that buffer. You have a buffer set to a certain size, you don’t want to allow someone to store something larger into that buffer or you’ll have a situation where you have a buffer overflow. And buffer overflows can be very powerful for the bad guys when used in a very particular way.

But it’s really difficult to find that particular situation where you can overflow a buffer, do it in a way that you can always expect a certain outcome, and avoid crashing the computer, Instead have the computer provide you with something special like root access or administrator access to the operating system. So if you can repeat that buffer overflow over and over, then every system that is using that application or that operating system that is susceptible to the overflow will now be accessible to the bad guys, as well. And that’s what we’re trying to avoid we try to patch or applications that might be susceptible to a buffer overflow.

This is a visual representation of what a buffer overflow might look like in a very simplified way. But it does speak to how you were able to manipulate information by taking advantage of a buffer overflow. In memory we have a variable A and a variable B. And currently variable A has not been allocated anything. No one has put information into that buffer. It’s got a number of bytes available but nothing has been added to that particular area in memory yet. Variable B, however, does have information in memory. It has the number 1979 in decimal– which hexadecimal is zero seven BB.

The bad guys have determined that if they can change variable B, then they might have additional access to your computer. What they’re going to try to do is change this byte, which is hexadecimal zero seven, they want to change that to something else. So what they’ll do is add information into variable A that is going to overflow into variable B. And what we’ll do is we’ll add a value of excessive. This is e- x- c- e- s- s- i- v- e and in the end would normally be an e.

You can see this overflows into the next byte. And if you look at the hexadecimal value of B now, it’s changed because the number 65 is in the front of it. So six five zero zero in decimal is 25,856, which is a very different number then was there originally. All we did was change what was stored in A and we somehow were able to modify what was stored for B and that’s not supposed to happen. That’s your buffer overflow, and at this point the bad guy may be manipulating variables to do whatever they’d like to on your system.