Buffer Overflow / Buffer overrun

Introduction - What is a buffer overflow

There is yet another case of a Microsoft Buffer Overrun exploit. But what is a buffer overrun?

First of all, a Buffer

A buffer is an amount of memory set aside for storing information. A program has to remember certain things, such as what you typed in the last box or what you entered on the last screen, and this information is stored in memory. For example, a program might want to remember the ages of 10 people. The programmer tells the computer to reserve space for 10 numbers. This is an example of a buffer.

What if someone enters 11 numbers

If someone enters 11 numbers, a buffer overflow has occurred. Many programs are written in C and C++, where a process known as bounds checking is NOT performed. This means areas of memory just beyond the bounds of the buffer can be written into; no checking occurs.

As can be seen, instead of using only the 10 available memory slots, it used one more slot from the free memory.

Now imagine this

Same situation, 10 reserved slots for numbers, but 11 entered.
The extra number has now been written into the program space of the other program. The other program will now crash, or the numbers program will crash because it tried to perform something illegal. "Illegal Operation" occurs in these cases, and if you ever used Windows 98, you'll remember these!

What if...intentionally someone put a program code into this unreserved space

Now you have it! Someone malicious works out that this simple number program carries on taking numbers forever until it reaches the end of memory. So a malicious person comes along and starts putting machine instruction codes in numbers 11-??. Then when the operating system comes along to execute the other program, it instead executes the malicious code. This code could contain instructions to download a virus off the internet, put it on your PC and run it.

How to protect

This kind of problem is not a virus or a trojan issue, but an issue in the software. So always look for software patches and install them when available. Windows has a few errors of this nature, so critical updates should always be installed. People really do spend their lives looking for exploits like this to cause problems. An exploit could gain them root (powerful) access to systems, which could let them do anything from deleting files to deleting users and shutting down huge servers.

Programmers

Programmers should be wary of using functions that don't perform bounds checking. This includes functions in C such as gets() or strcpy(). They should, when necessary, perform their own bounds checking. Other languages such as Pascal will not allow buffer overflows to occur.

Example C code for buffer overflow

void causeAnOverflow(char *aName) {

The main program function sends "Freddy" to the causeAnOverflow function. This function has reserved 5 bytes of memory to put in the user's name. The function then copies the user's name into the myNameBuffer, hence trying to put 6 bytes into 5. An overflow occurs.
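
The overflow described above next to a copy that does its own bounds checking, as an added example that is not the original page's code. The body of causeAnOverflow is reconstructed from the description (the use of strcpy() is an assumption); copyNameChecked, struct Record and neighbourIntactAfter are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 5  /* the 5 bytes the article's function reserves */

/* Reconstructed from the article's description; strcpy() is an assumption.
 * "Freddy" is 6 characters plus a terminating NUL, so strcpy() writes past
 * the end of myNameBuffer. Shown for comparison; never called here. */
void causeAnOverflow(char *aName) {
    char myNameBuffer[NAME_BUF_SIZE];
    strcpy(myNameBuffer, aName);               /* no bounds check */
    printf("%s\n", myNameBuffer);
}

/* Hypothetical hardened copy: 0 on success, -1 if src and its NUL do not
 * fit in dst_size bytes (dst is then left as an empty string). */
int copyNameChecked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t need = strlen(src) + 1;             /* characters + NUL */
    if (need > dst_size) {
        dst[0] = '\0';
        return -1;                             /* reject, do not truncate */
    }
    memcpy(dst, src, need);
    return 0;
}

/* The neighbour field stands in for the memory next to the buffer. */
struct Record {
    char myNameBuffer[NAME_BUF_SIZE];
    char neighbour[8];
};

/* Returns 1 if the adjacent field is untouched after a checked copy. */
int neighbourIntactAfter(const char *aName) {
    struct Record r;
    memcpy(r.neighbour, "CANARY!", 8);         /* constructed marker value */
    copyNameChecked(r.myNameBuffer, sizeof r.myNameBuffer, aName);
    return memcmp(r.neighbour, "CANARY!", 8) == 0;
}

int main(void) {
    char buf[NAME_BUF_SIZE];
    printf("Fred   -> %d\n", copyNameChecked(buf, sizeof buf, "Fred"));
    printf("Freddy -> %d\n", copyNameChecked(buf, sizeof buf, "Freddy"));
    printf("neighbour intact: %d\n", neighbourIntactAfter("Freddy"));
    return 0;
}
```

The checked copy rejects an oversized name instead of silently truncating it, so the caller can tell that the input was refused.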