Hey guys, newbie here.
In your opinion, is studying stack based buffer overflows still relevant nowadays? I mean with stack protection compilation by default, and other memory security measures in modern Linux and Windows systems?
Do you know if this kind of vulnerability is still being developed and exploited “in the wild”?
Thanks for answering,
IMHO you should always learn and master the basics before continuing with the “next level”. Otherwise you will encounter things on your journey which you do not understand but should have knowledge of!
Stack based buffer overflows belong to the basics and have been spotted in the wild ever since they first became public knowledge.
If I check the last submitted entries on ExploitDB there are quite a few submissions for buffer overflows. Mostly for older operating systems or software versions, though. This is due to the already mentioned fact that things are getting hardened and more difficult to exploit via basic techniques.
But do you want to learn all the basics, where it started and how it evolved, even if there is only a certain possibility of using that knowledge later? Then it’s totally relevant. Look at it as academically and personally relevant.
That said, especially in the IoT world, many if not most devices run on older hardware with ancient kernels (2.6.X) and outdated software, often with not enough space or even the capability to update those. So for someone researching these devices, buffer overflows might be a necessary form of craftsmanship to know, because exploit mitigations are seldom present either.
If your target is the hottest new software on the hottest new OS with the latest fresh security updates, stack-based buffer overflows most likely will not be the way to go (who knows, though), but the knowledge you learned along the way when starting from the bottom and moving on to new exploitation techniques will be more than helpful.
Sure. It’s quite hard for buffer overflow vulnerabilities to be found and exploited. You cannot just input something to a program to cause a buffer overflow with no understanding of what you are doing. Basically, it usually takes much more time to get the program to accept some input, and vulnerability research is required for that, which requires patience and motivation. It’s only easy in examples.
I’d say that training your programming skills will help you; that’s the point where your programming skills are important, especially C.
I would like to point out that although there are all these fancy new exploitation protection mitigations, it still does not change the fact that they should not be relied upon 100% of the time. This may be news to you, but there are ways to bypass stack cookies even though there is a buffer overflow vulnerability. AFAIK, under Windows, stack cookies are not present in functions other than where there are string buffers, meaning that if you have an array of any other data type, a buffer overflow exploit is possible. Another way to bypass stack cookies is by leveraging the SEH or by overwriting a (C++) class’s virtual table’s method (this is protected by CFG/CFI, but not all programs are compiled with this! e.g. Steam, Discord, Firefox…).
If you intend to learn exploitation, I would highly advise you to learn them anyway, not only because they are one of the easier concepts to grasp but because they will help you understand the stack a bit more if you aren’t already familiar with it. Remember that it’s not as simple as it was 10 years ago, when a single buffer overflow that took 10 minutes to develop would own the program; it requires much more effort, and it is important to learn as many techniques as you can.
I just want to point out that it actually is still relevant today, even in modern software equipped with all the latest mitigations. For example, in his 35C3 talk “Modern Windows Userspace Exploitation”, Saar Amar uses an arbitrary r/w primitive to overwrite the return address on the stack (which is literally what stack overflows are mostly all about) to bypass the latest mitigations. Of course it’s much more complicated than a simple buffer overflow, but studying those simple techniques gives you a better understanding and feel for what you can do with a program.
Yes, it is certainly relevant. The return pointer isn’t the goal every time. There are a whole bunch of other variables and structures on a function’s stack that you can exploit to make your application misbehave. So it’s all up to your imagination.
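Added illustration (not code from anyone in this thread): the reply about stack cookies and vtable/method pointers, and the last reply about targets other than the return pointer, both come down to the same observation, namely that a cookie only guards what sits above it in the frame. The C program below makes that concrete. To keep the layout deterministic on any compiler it models the frame as a struct: a 16-byte name buffer, an adjacent `is_admin` flag, an adjacent code pointer `on_done` (playing the role of a vtable slot), and a `cookie` field standing in for the stack cookie in front of the return address. All names (`handle_request_vuln`, `build_payload`, `handler_admin`, `COOKIE`) and the input bytes are constructed for this example. The vulnerable handler checks the input length against the whole frame instead of the buffer, the attacker stops the overflow just short of the cookie, and the cookie check still passes while the flag and the code pointer have been replaced. The fixed handler checks against the buffer size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_fn)(void);

/* Records which handler ran so the effect of the overwrite is observable. */
static int g_last_handler;
static void handler_guest(void) { g_last_handler = 1; }
static void handler_admin(void) { g_last_handler = 2; }

/* Stand-in for a stack frame. In a real frame the compiler picks the order;
 * a struct pins it down so the example behaves the same everywhere. */
struct frame {
    char       name[16];   /* the buffer the parser copies into */
    int        is_admin;   /* adjacent local */
    handler_fn on_done;    /* adjacent local holding a code pointer */
    uint32_t   cookie;     /* stands in for the stack cookie guarding the return address */
};

/* A real cookie is random per process; a constant keeps the demo deterministic. */
#define COOKIE 0xC0FFEE42u

/* Vulnerable: the bound is the size of the whole frame, not of name[]. */
int handle_request_vuln(const unsigned char *input, size_t len)
{
    struct frame f = {0};
    f.on_done = handler_guest;
    f.cookie  = COOKIE;

    if (len > sizeof f)            /* wrong bound, should be sizeof f.name */
        return -1;
    memcpy(&f, input, len);        /* &f is f.name; bytes past 16 land in the locals */

    if (f.cookie != COOKIE)        /* the cookie check */
        return -2;
    f.on_done();                   /* now calls whatever the overflow wrote here */
    return f.is_admin;
}

/* Fixed: the bound is the buffer itself, with room for a terminator. */
int handle_request_fixed(const unsigned char *input, size_t len)
{
    struct frame f = {0};
    f.on_done = handler_guest;
    f.cookie  = COOKIE;

    if (len >= sizeof f.name)
        return -1;
    memcpy(f.name, input, len);
    f.name[len] = '\0';

    if (f.cookie != COOKIE)
        return -2;
    f.on_done();
    return f.is_admin;
}

/* Attacker side: a frame image that sets is_admin and swaps on_done, cut off
 * right before the cookie so the cookie check is never tripped. The target
 * address must be known; under ASLR/PIE that would require an info leak. */
size_t build_payload(unsigned char *out, size_t cap, handler_fn target)
{
    struct frame img;
    size_t n = offsetof(struct frame, cookie);
    if (cap < n)
        return 0;
    memset(&img, 'A', sizeof img); /* junk fills name[] */
    img.is_admin = 1;
    img.on_done  = target;
    memcpy(out, &img, n);
    return n;
}

int main(void)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sizeof payload, handler_admin);

    int rc = handle_request_vuln(payload, n);
    printf("vulnerable: rc=%d (is_admin) handler=%d (2 = admin), cookie intact\n",
           rc, g_last_handler);

    rc = handle_request_fixed(payload, n);
    printf("fixed:      rc=%d (rejected before the copy)\n", rc);
    return 0;
}
```

The point a practitioner should take from running it: the cookie never fires, because the overflow was stopped deliberately at `offsetof(struct frame, cookie)`. Everything below the cookie, here a privilege flag and an indirect-call target, is fair game, which is exactly why CFG/CFI style checks on the indirect call are a separate mitigation from the cookie.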