What do the WannaCry ransomware (2017), the Apache Struts attack (2017), and SQL Slammer worm (2003) have in common? They are cyber threats that take advantage of the buffer overflow error.
WannaCry was able to infect thousands of devices by exploiting a buffer overflow vulnerability in the Windows Server Message Block (SMB) protocol. The Apache Struts attack targeted a vulnerability that made it possible for arbitrary code to be executed on Struts servers that had a buffer overflow in the Jakarta Multipart parser. SQL Slammer worm, on the other hand, used a buffer overflow issue in the SQL Server Resolution Service.
Buffer overflow is a significant threat, especially nowadays, with the mushrooming of web services and IoT devices. Nearly all web servers, application servers, as well as web app environments, can develop this type of dangerous error. IoT is also associated with the buffer overflow problem.
The threat of buffer overflow attacks
How is a buffer overflow attack a threat when it is ‘merely’ the error of writing more data than what a temporary data storage, the buffer, is meant to handle? A buffer overflow attack usually results in the crashing or unresponsiveness of a program. It seems unlikely for a crashed program to become a tool for threat actors.
However, it’s important to highlight that buffer overflows do not always result in crashes. In some cases, they create an anomaly that makes it possible to execute a code on a system. Threat actors can exploit this opportunity to run malicious code on the system they target.
Buffer overflows happen to programs that do not have input size and format validation measures. Hackers can send data that goes beyond the buffer capacity of a program, which encounters a logic confusion that causes the overwriting of a part of a program’s memory. This enables the execution of malicious code or allows the takeover of a system.
Buffer overflows are quite common. They frequently occur in old and legacy systems, usually with software or apps that are not being maintained. They can also occur in run-of-the-mill software or those that have been hastily built to be deployed in mass-produced devices like IoT gadgets and wearables.
Aiding threats
Buffer overflow is not the problem or attack itself. It is more of a tool that helps threat actors in propagating their attacks. The Common Weakness Enumeration (CWE) lists three buffer overflow variants that have allowed cybercriminals to breach cyber defenses.
- CWE-119 – The descriptive name of this error is “Inadequate Restriction of Operations in the Memory Buffer.” Many software operations take place in a memory buffer. In some programming languages, these operations can be directed to specific memory locations, but they do not have the ability to automatically inspect the propriety or correctness of the locations. As such, software operations can be executed on memory locations with different variables and data structures. This allows attackers to take over a system.
- CWE-120 – Also known as “Buffer Copy without Checking Size of Input,” this vulnerability exists in programs that do not have input size and format validation mechanisms. This alone may not create the opportunity to execute malicious code, but it can be used as an indicator of the state of security of certain apps or systems. If a vulnerability like this exists, it is highly likely for other security issues to similarly exist.
- CWE-121 – This is the “Stack-Based Buffer Overflow,” a form of buffer overflow that occurs when a buffer allocated on the (program) execution stack is being overwritten. The execution stack usually holds critical data such as return addresses and local variables for a particular function. If this vulnerability exists in a program, threat actors can use buffer overflow to overwrite the data on the execution stack and execute malicious arbitrary code.
How buffer overflow attacks happen
Threat actors undertake buffer overflow attacks through a number of steps. The first is the identification of a vulnerable program. The targets, as mentioned, are usually old, legacy, or poorly-written programs. However, some new commonly used programs may also bear this vulnerability. Cybercriminals relentlessly and aggressively look for these targets.
Once the target is identified, the “suitable” malicious input is created. Again this requires the persistence and malicious craftiness of threat actors. It’s a tedious process but they are willing to repeatedly do trial-and-error sessions until they finally find the malicious code that can work on the vulnerable system they are targeting.
The malicious code they are building should not only trigger a buffer overflow error that causes crashing. More importantly, their code has to overwrite a program’s memory and execute arbitrary code remotely. This arbitrary code can configure new values for the return pointer, which then enables the modification of a program’s execution path and the transfer control.
Buffer overflow in IoT devices
The Internet of Things is particularly susceptible to buffer overflow attacks. This is mainly because of three reasons: the use of C or C++, poorly written software, and the careless use or re-use/retooling of programs across a multitude of devices.
Most cases of buffer overflows happen in programs written in C/C++. Also, C/C++ is one of the most popular programming languages used to write software for IoT devices. It should not come as a surprise that buffer overflows and expanding IoT ecosystems have significant contributions to broadening cyber risks.
Also, since IoT devices are meant to perform very specific tasks, the firmware or software deployed in them is usually not meticulously written. Often, their software is like “Frankenstein ware” made of open source and other freely sourced code and components. Efficient memory management is usually not a concern for those responsible for writing the software or firmware that run IoT devices.
Moreover, it is common practice for many IoT device manufacturers to use standard programs and libraries in their products. They rarely build new software for new products. If the software they installed in previous batches of products contained buffer overflow vulnerabilities, it is probable that newer products will also carry the same vulnerability.
Addressing the buffer overflow vulnerability
Buffer overflow attacks are not a new problem, but they persist because of waffling efforts to address the buffer overflow vulnerability. Buffer overflow is not a highly complex problem that requires a sophisticated solution. However, dealing with it is tedious and exhausting. Fortunately, new security technologies have been developed to contain this threat, for IoT devices in particular. There are IoT security and observability platforms that help ensure the security of device software before they are deployed.
Buffer overflow may appear like a trivial security weakness, especially as the SANS Top 25 Most Dangerous Software Errors no longer includes two buffer overflow errors (CWE-120 and CWE-122) from its list. However, it is a vulnerability that should not be downplayed. Its risks increase exponentially with the growing use of IoT and connected devices, web apps, and web services.
