tags:

views:

878

answers:

1
+7  Q: 

heap overflow attacks

How heap overflow attacks are done?

In case of stackoverflow attacks, the attacker replaces the function return address with his address.

How this is done in heap overflow attacks? Also, is it possible to run code from heap?

+11  A: 

Note this varies by platform, and my example is overly simplified. It basically comes down to heap managers having linked lists that could be overrun, and you can use the linked list pointers to overwrite random parts of the process's memory.

Imagine I have a naive heap implementation whose control blocks are like this:

struct HeapBlockHeader
{
    HeapBlockHeader* next;
    HeapBlockHeader* prev;
    int size;

    // Actual heap buffer follows this structure.
};

When the heap gets freed, this control block goes back into a list of freed blocks, by modifying the next/prev pointer. If I overrun a heap buffer, I can overwrite the pointers in the next control block with data I control. Suppose I override these links to point to a pointer to code (probably just in the buffer I overran) and to the return address of the function on the stack. When the heap manager tries to link the block back into a freed list, it will actually overwrite the return address on the stack with a pointer to code I control.

This article has a nice overview on heap overflow attacks: http://www.h-online.com/security/A-Heap-of-Risk--/features/74634

This article describes some of the hardening that went into Vista's heap manager to prevent this sort of attack: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Marinescu.pdf

EDIT: On possibility to run code from heap, yes it's possible. Many platforms now make heap memory non-executable by default which raises the barrier to getting arbitrary code to run. However, you can still do a "jump to libc" style attack - Overwrite the return address to a known function which will be executable.

Michael  2009-03-20 17:52:09
Great answer - I feel that I know a lot about my particular areas of programming, but I've never been able to dive into compilers, memory management, protection mechanisms - knowing where the processor's responsibities stop and the OS's start. Then again between OS and app code. I've read the intel x86 manual (vol 1) cover to cover. How did you come to learn these things?
uosɐſ  2009-11-07 19:33:34

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security