74 votes, Accepted
Is there any security risk in not setting a maximum password length?
A limit is recommended simply to avoid exhausting resources on the server.
Without a limit, an attacker could call the login endpoint with an extremely large password, say a gigabyte (let's ignore ...
71 votes, Accepted
Does a buffer overflow vulnerability always mean a code execution vulnerability?
No, a buffer overflow might:
Be against a buffer on the heap, not the stack. This might still lead to code execution but will be much more complicated to exploit.
Be limited in size, so not able to ...
47 votes
Does a buffer overflow vulnerability always mean a code execution vulnerability?
Douglas gives a correct answer. Not all buffer overflows give code execution. However, I felt it was missing a very important caution.
Even if a buffer overflow does not allow arbitrary code ...
32 votes, Accepted
Concept of Jump-Oriented-Programming (JOP)
A lot of your questions are duplicates here so I'll cover them very briefly. Suffice to say that all of this has been a decades-long arms race between exploit developers and OS / compiler developers.
...
26 votes, Accepted
Is it possible to find a buffer overflow in WordPress?
As PHP does memory management and a lot of stuff by itself, finding a buffer overflow specifically in WordPress doesn't really make sense to me.
Before discrediting that Penetration Tester, I'd ask ...
26 votes, Accepted
Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?
If exploitation only becomes feasible when protections are deliberately disabled, doesn’t this shift the issue from being a vulnerability to a misconfiguration problem?
Security misconfiguration is ...
20 votes
Is it possible to find a buffer overflow in WordPress?
It could be that he found a buffer overflow in PHP or glibc which can be exploited via WordPress. For example, 3 years ago there was a hole in gethostbyname() which could be exploited via WordPress. ...
20 votes, Accepted
Can buffer overflow attacks become impossible?
Your definition of a buffer overflow is correct. There are multiple approaches to solving this problem. What you describe is called bounds checking and is implemented in many high-level languages (e.g....
15 votes
Do high level languages allow for buffer / heap overflow?
The "level" of a programming language is not a particularly well-defined concept.
C++, for example, would generally be regarded as a higher-level language than C, but it still leaves the user open ...
12 votes, Accepted
Why JMP ESP instead of directly jumping into the stack
Your exploit payload ends up on the stack because you're overflowing a buffer on the stack, and this is how you gain control of the return address as well.
ESP points directly to the start of your ...
11 votes
Is there any security risk in not setting a maximum password length?
Passwords should be hashed/salted. In addition to possible DoS attack risk from GB-size passwords, OWASP recommends limiting the password length because:
Some hashing algorithms such as Bcrypt have a ...
8 votes
Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?
In addition to the other answers, it's probably worth mentioning that the protections you quote are mostly there to prevent injection of code to execute (e.g. I send data that exceed the buffer, the ...
6 votes
Is it possible to find a buffer overflow in WordPress?
As GxTruth mentioned, PHP does memory management. This means anything running on PHP is basically as secure against buffer overflows as PHP is (unless you're doing something really crazy).
But PHP ...
6 votes, Accepted
Why would legitimate programs have a `jmp esp` instruction?
The instruction jmp esp is encoded as FF E4. It’s not necessary to find an actual jmp instruction, just those bytes in the middle of any other code or data.
This is the basis for return oriented ...
5 votes, Accepted
Return-to-libc Attack mystery
This depends a little bit on the mitigations employed by the host. If you do not have ASLR on the target (rare on modern systems), and you know what OS they are running (e.g., Ubuntu 16.04), you can ...
5 votes, Accepted
Buffer overflow: Why does the ESP Register change its value after access violation
As you correctly pointed out, ESP always points at the top of the stack. Also, stack overflows occur due to an overflow of a buffer on the stack (not due to an overflow of, let's say, a malloc-allocated ...
5 votes, Accepted
Buffer overflows on the heap vs the stack
With a stack overflow - if you just keep overflowing - you overflow first locals vars, then saved registers, then the return address, then function arguments, then stuff further down the stack, maybe ...
5 votes, Accepted
How do we secure image parsing libraries against buffer overflow?
There are a couple of obvious things which are not limited to image parsing libraries:
Don't assume that the input is well-formed but actually check it. It is actually a common problem with image or ...
5 votes, Accepted
Find Buffer Overflows at a target you want to gain access
As schroeder has already pointed out, to identify buffer overflow vulnerabilities, you'd need to test the application locally with a debugger. It seems to me that you haven't actually gone through the ...
4 votes, Accepted
return to libc- finding libc's address and finding offsets
First, before you can approach your problem, you need to check if the executable is running under ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization)
If that's the case, you will ...
4 votes
Buffer Overflow doesn't have enough space for exploit after being crashed
Assuming that you're talking about a vanilla EIP overwrite and not something like SEH, you have two options available to you. Neither of these are what I would consider to be "beginner" techniques as ...
4 votes, Accepted
Why do registers get overwritten upon overflow?
Buffer overflows do not directly modify registers; rather, they are used to overwrite the function return address (the first element in the function's stack frame, 4(%ebp) in x86) and place custom ...
4 votes
Why do we use little endian in buffer overflow attacks?
Why do we reverse the address/use little endian in buffer overflow attacks?
This statement isn't always true. On a big endian system, you would not represent the data in little endian.
On a little ...
4 votes
Is it possible to find a buffer overflow in WordPress?
It's probably one of those four:
He might not know the proper name, and call something like hashdos a "buffer overflow" because it fills the array to such an extent that it becomes unresponsive or ...
4 votes, Accepted
Buffer overflow: How is it actually implemented in a pen testing environment?
Most of the time you'll have to emulate the target's system and develop your exploit locally. As for how to learn about the target's system, that has to do with the enumeration process. Of course ...
4 votes, Accepted
How does this simple buffer overflow work?
That's due to an alignment to 16 bytes, which compilers do on x86(_64) for compatibility with SIMD instructions that operate on 128 bits (16 bytes). Due to that there is some "padding" between the ...
4 votes, Accepted
Can stack overflow be prevented by pushing return address first?
The main reasons are that it is inconvenient, results in sub-optimal code, requires prior knowledge of function stack size, limits performance, violates the specification of many calling conventions, ...
4 votes
Problem with overwriting the return address (buffer overflow)
It is not rbp that you have to control, but the instruction pointer rip. When the function returns, the ret instruction will take whatever is at the top of the stack and send execution there. So, notice ...
4 votes, Accepted
Is Objective C (really) affected by buffer overflows?
Edit: Added code sample
Objective-C is a superset of C; anything you can do with C can be done with Objective-C and that includes lots of things you probably don't want to do (like buffer overflows). ...