Buffer Overflows

Original, 14 September 2007 03:30:00
No, I’m not talking about the kind of buffer overflows that viruses can take advantage of to inject malicious code onto other systems, I’m talking about the kind that, if you use Filemon or Regmon, you’ve probably seen in their traces. If you’ve never noticed one, fire up one of those two tools and after collecting a log of system-wide activity, find an example by searching for “buffer overflow”. Here’s an example of file system buffer overflow errors:

Do these errors indicate a problem? No, they are a standard way for the system to indicate that there’s more information available than can fit into a requester’s output buffer. In other words, the system is telling the caller that if it was to copy all the data requested, it would overflow the buffer. Thus, the error really means that a buffer overflow was avoided, not that one occurred.

Given that a buffer overflow means that a requester didn’t receive all the data that they asked for, you’d expect programmers to avoid them, or when they can’t, to follow with another request specifying a buffer large enough for the data. However, in the Filemon trace neither case applies. Instead, there are two different requests in a row, each resulting in buffer overflow errors. In the first request the Csrss.exe process, which is the Windows environment subsystem process, queries information about a file system volume, and in the second request it queries information about a particular file. It doesn’t follow up with successful requests, but continues with other activity.

The answer to why Csrss.exe doesn’t care that its requests result in errors lies in the type of requests it’s making. A program that queries volume information using Windows APIs is underneath using the NtQueryVolumeInformationFile API that’s exported by Ntdll.dll, the Native API export DLL (you can read more about the Native API here). There are several different classes of information that a program can query. The one that Csrss is asking for in the trace is FileFsVolumeInformation. The Windows Installable File System (IFS) Kit documents that for that class a caller should expect output data to be formatted as a FILE_FS_VOLUME_INFORMATION structure, which looks like this:

typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER VolumeCreationTime;
    ULONG VolumeSerialNumber;
    ULONG VolumeLabelLength;
    BOOLEAN SupportsObjects;
    WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

Notice that the first four fields in the structure have a fixed length while the last field, VolumeLabel, has a size that depends on the length of the volume’s label string.

When a file system driver gets this type of query it fills in as much information as fits in the caller’s buffer and, if the buffer is too small to hold the entire structure, returns a buffer overflow error and the size of the buffer required to hold all the data. I suspect that Csrss is really only interested in the volume creation time and therefore passing in a buffer only large enough to hold the first part of the structure. The file system driver fills that part in, and because the volume label won’t fit in Csrss’s buffer, returns an error. However, Csrss has gotten the information it wanted and ignores the error.
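The driver/caller exchange described above, as an added example that is not from the original post: a model of a file system driver answering a FileFsVolumeInformation query by filling whatever fits and returning the STATUS_BUFFER_OVERFLOW warning together with the required size, a Csrss-style caller that reads VolumeCreationTime from the fixed prefix and ignores the warning, and the retry-with-reported-size pattern mentioned earlier. The Windows types, the sample FILETIME and the volume label are redefined or constructed here so the program builds without windows.h; the driver side is a simulation of the documented semantics, not file system code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Windows types redefined so this builds without windows.h (assumed same layout). */
typedef uint32_t ULONG;  typedef uint8_t BOOLEAN;  typedef uint16_t WCHAR;
typedef union { int64_t QuadPart; } LARGE_INTEGER;  typedef int32_t NTSTATUS;
#define STATUS_SUCCESS         ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005)   /* warning severity, not an error */
typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER VolumeCreationTime;
    ULONG         VolumeSerialNumber;
    ULONG         VolumeLabelLength;    /* bytes in VolumeLabel */
    BOOLEAN       SupportsObjects;
    WCHAR         VolumeLabel[1];       /* variable length, extends past the struct */
} FILE_FS_VOLUME_INFORMATION;
/* Model of the file system driver: copy what fits, report the full size, warn if truncated. */
static NTSTATUS fs_query_volume_info(void *buf, ULONG buf_len, ULONG *needed) {
    static const WCHAR label[] = { 'D', 'A', 'T', 'A' };   /* constructed volume label */
    const ULONG fixed = offsetof(FILE_FS_VOLUME_INFORMATION, VolumeLabel);
    union { FILE_FS_VOLUME_INFORMATION hdr; uint8_t raw[sizeof(FILE_FS_VOLUME_INFORMATION) + sizeof label]; } img;
    memset(&img, 0, sizeof img);
    img.hdr.VolumeCreationTime.QuadPart = 0x01D5A1B2C3D4E5F6LL;  /* constructed FILETIME */
    img.hdr.VolumeSerialNumber = 0x1234ABCDu;                    /* constructed serial */
    img.hdr.VolumeLabelLength = sizeof label;
    img.hdr.SupportsObjects = 1;
    memcpy(img.raw + fixed, label, sizeof label);   /* label follows the fixed fields */
    *needed = fixed + (ULONG)sizeof label;          /* size a caller would need for everything */
    ULONG copy = buf_len < *needed ? buf_len : *needed;
    memcpy(buf, img.raw, copy);                     /* partial fill is allowed */
    return copy < *needed ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}
/* Csrss-style caller: fixed-size buffer, warning ignored because the wanted field is valid. */
static int64_t read_creation_time(NTSTATUS *status) {
    FILE_FS_VOLUME_INFORMATION info;
    ULONG needed = 0;
    *status = fs_query_volume_info(&info, sizeof info, &needed);
    return info.VolumeCreationTime.QuadPart;
}
/* The other correct pattern: a second request sized from the driver's answer. */
static ULONG read_full_label(WCHAR *out, size_t out_bytes) {   /* returns bytes copied */
    FILE_FS_VOLUME_INFORMATION probe, *full;
    ULONG needed = 0, len = 0;
    fs_query_volume_info(&probe, sizeof probe, &needed);       /* first request learns the size */
    if ((full = malloc(needed)) && fs_query_volume_info(full, needed, &needed) == STATUS_SUCCESS
        && full->VolumeLabelLength <= out_bytes)
        memcpy(out, full->VolumeLabel, len = full->VolumeLabelLength);
    free(full);
    return len;
}
```

With the sample label, the 24-byte struct-sized buffer is 2 bytes short, so the first call returns the warning with the creation time already filled in, while the retry path gets the whole 8-byte label.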

The second buffer overflow has a similar explanation. Csrss is querying information about a file using the FileAllInformation class of NtQueryInformationFile. The IFS Kit documents the output structure as:

typedef struct _FILE_ALL_INFORMATION {

Again, the only variable length field is the last one, which stores the name of the file being queried. If Csrss doesn’t care about the name, only the information preceding it in the structure, it can pass a buffer only large enough to hold those fields and ignore the buffer overflow error.

Incidentally, a stack trace of the second buffer overflow reveals this:

What is the "sxs" module? A look at the sxs DLL in Process Explorer’s DLL View of the Csrss process shows this:

SxS is the “Fusion” DLL, which a little research will show manages the Side-by-Side Assembly storage that allows multiple versions of the same DLLs to exist in harmony on a system. SxS is calling GetFileInformationByHandle, which is a Windows API documented in the Platform SDK. The API takes a file handle as input and returns a buffer formatted as a BY_HANDLE_FILE_INFORMATION structure:

typedef struct _BY_HANDLE_FILE_INFORMATION {
    DWORD dwFileAttributes;
    FILETIME ftCreationTime;
    FILETIME ftLastAccessTime;
    FILETIME ftLastWriteTime;
    DWORD dwVolumeSerialNumber;
    DWORD nFileSizeHigh;
    DWORD nFileSizeLow;
    DWORD nNumberOfLinks;
    DWORD nFileIndexHigh;
    DWORD nFileIndexLow;
} BY_HANDLE_FILE_INFORMATION, *PBY_HANDLE_FILE_INFORMATION;

All of the information returned in this structure, except for the volume serial number, is also returned in the FILE_ALL_INFORMATION structure. You can therefore probably guess where the call to NtQueryVolumeInformationFile that occurs immediately prior to the NtQueryInformationFile call originates: GetFileInformationByHandle first queries the volume in order to get its serial number.

Our investigation shows that the buffer overflow errors seen in the Filemon trace are errors expected by the GetFileInformationByHandle API, which is simply avoiding the need to allocate buffers large enough to hold information it’s not interested in. The bottom line is that buffer overflow errors in a Filemon trace are not an indication that there's a security problem and are usually not due to bad programming.

Next time I’ll explore buffer overflows in Regmon traces. 
