Heap overflow - Wikipedia


From Wikipedia, the free encyclopedia

A heap overflow, heap overrun, or heap smashing is a type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner from stack-based overflows. Memory on the heap is dynamically allocated at runtime and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

For example, on older versions of Linux, two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. By setting the in-use bit of the second buffer to zero and setting the length to a small negative value which allows null bytes to be copied, when the program calls free() on the first buffer it will attempt to merge these two buffers into a single buffer. When this happens, the buffer that is assumed to be freed will be expected to hold two pointers FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.

Consequences

An accidental overflow may result in data corruption or unexpected behavior by any process that accesses the affected memory area. On operating systems without memory protection, this could be any process on the system.

For example, a Microsoft JPEG GDI+ buffer overflow vulnerability could allow remote execution of code on the affected machine.[1]

iOS jailbreaking often uses heap overflows to gain arbitrary code execution.

Detection and prevention

As with buffer overflows, there are primarily three ways to protect against heap overflows. Several modern operating systems such as Windows and Linux provide some implementation of all three.

- Prevent execution of the payload by separating the code and data, typically with hardware features such as the NX bit
- Introduce randomization so the heap is not found at a fixed offset, typically with kernel features such as ASLR (Address Space Layout Randomization)
- Introduce sanity checks into the heap manager

Since version 2.3.6 the GNU libc includes protections that can detect heap overflows after the fact, for example by checking pointer consistency when calling unlink. However, those protections against prior exploits were almost immediately shown to also be exploitable.[2][3] In addition, Linux has included support for ASLR since 2005, although PaX introduced a better implementation years before. Linux has also included support for the NX bit since 2004.

Microsoft has included protections against heap-resident buffer overflows since April 2003 in Windows Server 2003 and August 2004 in Windows XP with Service Pack 2. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as Vista, Server 2008 and Windows 7 include: removal of commonly targeted data structures, heap entry metadata randomization, expanded role of the heap header cookie, randomized heap base address, function pointer encoding, termination on heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.[4]

See also

- Heap spraying
- Stack buffer overflow
- Exploit
- Shellcode

References

1. "Microsoft Security Bulletin MS04-028, Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)". Microsoft. 14 Sep 2004. Retrieved 29 Mar 2016.
2. "The Malloc Maleficarum". Oct 2005. Retrieved 24 April 2017.
3. "MALLOC DES-MALEFICARUM". 2009. Retrieved 29 Mar 2016.
4. "Preventing the exploitation of user mode heap corruption vulnerabilities". Technet blog, Microsoft Security Research & Defense. 4 Aug 2009. Retrieved 29 Mar 2016.
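The "pointer consistency when calling unlink" check described under Detection and prevention, shown as an added example that is not from the article or from any real allocator: a toy free-list node with FD/BK links, a safe_unlink that refuses to act unless both neighbours still point back at the chunk, and two constructed scenarios (an intact list and one whose header links have been clobbered). Names such as struct chunk and safe_unlink are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical free-list node: a chunk header holding forward/backward links. */
struct chunk {
    struct chunk *fd;
    struct chunk *bk;
};

/* Safe unlink in the spirit of the glibc 2.3.6 check: before removing P from
   the doubly linked list, verify that P's neighbours point back at P. A header
   overwritten by an overflow fails this test, so its pointers are never used
   for a write. Returns true on success, false when corruption is detected. */
bool safe_unlink(struct chunk *p) {
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p)
        return false;            /* "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    p->fd = p->bk = NULL;
    return true;
}

/* Build a circular list: head <-> a <-> b <-> head. */
void build_list(struct chunk *head, struct chunk *a, struct chunk *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Scenario 1 (constructed): intact list, a is removed cleanly. */
bool demo_intact(void) {
    struct chunk head, a, b;
    build_list(&head, &a, &b);
    return safe_unlink(&a) && head.fd == &b && b.bk == &head;
}

/* Scenario 2 (constructed): a's header links were clobbered so they point at
   a fake chunk whose own links do not point back at a. The check must reject
   the unlink and leave every node, including the fake one, untouched. */
bool demo_corrupted(void) {
    struct chunk head, a, b, fake = { NULL, NULL };
    build_list(&head, &a, &b);
    a.fd = &fake;   /* simulated overflow damage to a's metadata */
    a.bk = &fake;
    bool rejected = !safe_unlink(&a);
    return rejected && head.fd == &a && b.bk == &a
        && fake.fd == NULL && fake.bk == NULL;
}
```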
External links

- Vudo malloc tricks
- Heap Overflow article at Heise Security
- Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass

Retrieved from "https://en.wikipedia.org/w/index.php?title=Heap_overflow&oldid=1087973351"

Categories: Computer security exploits, Software anomalies