Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

How does a Overflow Buffers attack work?

It typically unfolds over 4 phases. It begins with: [Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

How do you prevent CAPEC-100?

Use a language or compiler that performs automatic bounds checking.

What weaknesses does CAPEC-100 target?

CAPEC-100 exploits 6 CWE weaknesses, including CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')), CWE-129 (Improper Validation of Array Index), CWE-131 (Incorrect Calculation of Buffer Size).

How severe is CAPEC-100?

MITRE rates CAPEC-100 as Very High severity with high likelihood of attack.

CAPEC-100: Overflow Buffers

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
Step 2
Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
Step 3
Experiment
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Step 4
Exploit
[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer.

How the attack works

CAPEC-100: Overflow Buffers

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-100?

How does a Overflow Buffers attack work?

How do you prevent CAPEC-100?

What weaknesses does CAPEC-100 target?

How severe is CAPEC-100?

References

Defend against CAPEC-100

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Child

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-100?

How does a Overflow Buffers attack work?

How do you prevent CAPEC-100?

What weaknesses does CAPEC-100 target?

How severe is CAPEC-100?

References

Defend against CAPEC-100