Saturday, December 22, 2007

Heap 'Off By 1' Overflow Illustrated

I delivered a presentation at SANS CDI 2007 last Sunday, titled Heap 'Off By 1' Overflow Illustrated. It was based on my GCIH Gold paper A Heap o’ Trouble, Heap-based flag insertion buffer overflow in CVS.

The attack is a few years old now, but the 'off by one' technique is interesting: the attacker has a single unaccounted 'M' at his/her disposal, and that is enough to seize control of program execution. The shellcode is dropped in one character at a time, by subverting the heap's unlink process. I was able to follow the attack, byte-by-byte, thanks to liberal use of libvoodo, and some perl scripts.

The attack's author, vl4d1m1r of Ac1dB1tch3z, wrote his own analysis earlier this year in Phrack 64.

Fellow Sans Technical Institute student Manuel Humberto Santander Pelaez also delivered a presentation at CDI 2007 on Antiforensics.