buffer overrun?

Status
Not open for further replies.

bronyrstomp

Technical User
Aug 12, 2001
CA
Can you please explain what a buffer overrun is? How, what, and why is it used to exploit a system?
The vastest things are those we may not learn.
We are not taught to die, nor to be born,
Nor how to burn
With love.
How pitiful is our enforced return
To those small things we are the masters of.
                          - Mervyn Peake
 
Typically, programmers have a tendency to define a
constant-size array to receive a string, like this:
char buf[256];

For this case, if you want to receive a user's name,
the program can have a potential error when
a user supplies a name which exceeds 255 bytes
(with 1 byte for the null termination character).
It will cause a buffer overrun. Why it is serious
is that,

buf[256] = 0; buf[257] = 0; ...
They illegally access some memory blocks and
it will spoil some data.

There were some old Unix systems which received
a user's login name in a constant-size buffer, and
when a user sent many characters as the login name,
the system died. It's a simple buffer-overrun
attack.
Modern systems don't have such problems, but buffer overrun is the most fundamental problem which causes potential bugs in a program.

Hee S. Chung
heesc@netian.com
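The fixed-size login-name buffer from the reply above, with the length check that prevents the writes to buf[256], buf[257], ...; this is an added example, not code from the original thread. The names login_record, is_admin, set_login_name and read_login_name are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define NAME_BUF 256            /* same size as the post's char buf[256] */

/* Hypothetical record: is_admin follows the name buffer and stands in
 * for the adjacent data an overrun would spoil. */
struct login_record { char name[NAME_BUF]; unsigned int is_admin; };

/* Unsafe pattern from the post (comment only, never compiled):
 *     strcpy(rec->name, input);  writes name[256], name[257], ... */

/* Bounded copy: 0 on success, -1 if input exceeds 255 chars + NUL. */
int set_login_name(struct login_record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof rec->name) {
        rec->name[0] = '\0';    /* reject, do not truncate silently */
        return -1;
    }
    memcpy(rec->name, input, len + 1);
    return 0;
}

/* Read one line as a login name; an overlong line is drained and rejected. */
int read_login_name(FILE *in, struct login_record *rec)
{
    char line[NAME_BUF + 1];    /* 255 chars + '\n' + NUL */
    size_t len;
    int c;
    if (fgets(line, sizeof line, in) == NULL)
        return -1;
    len = strcspn(line, "\n");
    if (line[len] != '\n' && !feof(in)) {   /* line did not fit */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
        rec->name[0] = '\0';
        return -1;
    }
    line[len] = '\0';
    return set_login_name(rec, line);
}

int main(void)
{
    struct login_record rec = { "", 0 };
    int rc = read_login_name(stdin, &rec);
    printf("%s %s\n", rc ? "rejected:" : "hello", rc ? "name too long or missing" : rec.name);
    return 0;
}
```

Draining the rest of an overlong line keeps the leftover characters from being read as the next input.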
 