Sunday, October 20, 2024

Vulnerability Management - Buffer Overflow vs. Heap Spraying

In 2017, the WannaCry ransomware worm spread by exploiting SMBv1 vulnerabilities patched in Microsoft bulletin MS17-010 (CVE-2017-0143 and CVE-2017-0148 are among the CVEs that bulletin covers), using the EternalBlue exploit.


EternalBlue chains three bugs and techniques, in the following order:
  1. Integer Overflow: a miscalculated size makes the receiving buffer smaller than the data that will be written into it.
  2. Buffer Overflow: the oversized write corrupts memory past the end of that buffer. In EternalBlue this buffer lives in the kernel's non-paged pool, which is a heap, not the stack.
  3. Heap Spraying: a technique rather than a vulnerability in itself, used to fill the neighbouring pool memory with attacker-controlled data so that the corruption lands on something useful.
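As an added illustration of the first link in such a chain (example code written for this post, not EternalBlue's code or anything from Microsoft; the message format, the 40-byte entry size and the 16-bit length field are all assumed): a total length computed into a 16-bit field wraps, so a buffer allocated from that length is smaller than the data the parser will then copy into it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post or from EternalBlue.
 * A hypothetical SMB-like message carries `count` fixed-size entries and
 * the parser computes the total byte length of those entries. */

#define ENTRY_SIZE 40u   /* assumed size of one entry, in bytes */

/* Vulnerable: the total is stored in a 16-bit field, so anything above
 * 65535 wraps silently. count = 2000 gives 80000 bytes, stored as 14464. */
uint16_t vuln_total_len(uint16_t count)
{
    return (uint16_t)(count * ENTRY_SIZE);   /* the truncation is the bug */
}

/* Hardened: compute in size_t, refuse a product that would overflow,
 * and refuse a total that does not fit the 16-bit wire field.
 * Returns 0 on refusal (zero entries is never valid in this format). */
size_t safe_total_len(uint16_t count)
{
    if (count == 0 || count > SIZE_MAX / ENTRY_SIZE)   /* guard the multiply */
        return 0;
    size_t total = (size_t)count * ENTRY_SIZE;
    if (total > UINT16_MAX)                            /* would not fit the field */
        return 0;
    return total;
}

/* True when the attacker-chosen count makes the computed length smaller
 * than the bytes the parser would then copy: an allocation sized by
 * vuln_total_len() would be undersized and the copy would overflow it. */
bool would_overflow(uint16_t count)
{
    size_t actual = (size_t)count * ENTRY_SIZE;
    return (size_t)vuln_total_len(count) < actual;
}

int main(void)
{
    uint16_t counts[] = { 1000, 1638, 1639, 2000 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint16_t c = counts[i];
        printf("count=%u vuln=%u safe=%zu overflow=%s\n",
               (unsigned)c, (unsigned)vuln_total_len(c), safe_total_len(c),
               would_overflow(c) ? "yes" : "no");
    }
    return 0;
}
```

The boundary is 1638 entries (65520 bytes): one more entry and the 16-bit total wraps to 24 while the parser still has 65560 bytes to copy. The hardened version checks both the multiplication and the field width, because either alone leaves a gap.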

--> Buffer Overflow

1. Definition: A buffer overflow occurs when a program writes more data to a block of memory (the buffer) than it was allocated for. This can lead to overwriting adjacent memory.

2. Mechanism:
- Involves a fixed-size buffer, on the stack or on the heap.
- When a program does not check the size of input data against the size of the buffer, the excess bytes overwrite whatever sits after the buffer: on the stack, saved return addresses and neighbouring local variables; on the heap, neighbouring objects and allocator metadata.
- Controlling a return address, function pointer, or object pointer lets an attacker redirect execution and, often, run arbitrary code.

3. Common Causes:
- Poor input validation.
- Using unsafe functions (like `strcpy`, `gets`, etc.) that do not check buffer sizes.

4. Targets: The textbook case is a stack buffer, where the overwritten data is the saved return address; heap buffer overflows, which corrupt neighbouring allocations, are just as common (EternalBlue's overflow is in the kernel pool, a heap).
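The mechanism above, as an added example written for this post (not code from the original): a strcpy-style copy with no length check beside a bounded copy. The stack frame is modelled as a plain byte array so the overwrite is deterministic and stays inside memory the program owns; the 16-byte buffer size, the marker value and the attacker string are assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. The "frame" is a byte
 * array: 16 bytes of buffer followed by a 4-byte control value standing in
 * for a saved return address or function pointer. Real frames differ in
 * layout, but the mechanism is the same. */

#define BUF_SIZE    16
#define CTRL_INTACT 0x41414141u   /* assumed marker: the "good" control value */

typedef struct {
    unsigned char mem[BUF_SIZE + sizeof(uint32_t)];
} frame_t;

static void frame_init(frame_t *f)
{
    memset(f->mem, 0, sizeof f->mem);
    uint32_t v = CTRL_INTACT;
    memcpy(f->mem + BUF_SIZE, &v, sizeof v);   /* control word sits right after the buffer */
}

static uint32_t frame_ctrl(const frame_t *f)
{
    uint32_t v;
    memcpy(&v, f->mem + BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable: a strcpy-style loop that stops only at the NUL terminator.
 * The `i < sizeof f.mem` cap exists only to keep this model inside the
 * array; a real strcpy has no such cap and keeps writing past the frame.
 * Returns the control word after the copy. */
uint32_t vuln_copy(const char *input)
{
    frame_t f;
    frame_init(&f);
    for (size_t i = 0; input[i] != '\0' && i < sizeof f.mem; i++)
        f.mem[i] = (unsigned char)input[i];   /* no check against BUF_SIZE */
    return frame_ctrl(&f);
}

/* Hardened: copy at most BUF_SIZE - 1 bytes and always NUL-terminate,
 * so the control word after the buffer can never be reached. */
uint32_t safe_copy(const char *input)
{
    frame_t f;
    frame_init(&f);
    size_t n = 0;
    while (n < BUF_SIZE - 1 && input[n] != '\0')
        n++;                                   /* bounded length, not strlen */
    memcpy(f.mem, input, n);
    f.mem[n] = '\0';
    return frame_ctrl(&f);
}

/* Constructed attacker input: 16 bytes fill the buffer, the next four
 * land exactly on the control word. */
#define OVERFLOW_INPUT "AAAA" "AAAA" "AAAA" "AAAA" "BBBB"

int main(void)
{
    printf("benign : vuln=%08x safe=%08x\n",
           vuln_copy("hello"), safe_copy("hello"));
    printf("attack : vuln=%08x safe=%08x\n",
           vuln_copy(OVERFLOW_INPUT), safe_copy(OVERFLOW_INPUT));
    return 0;
}
```

With the benign input both copies leave the control word at 0x41414141; with the 20-byte input the unchecked copy replaces it with 0x42424242 ("BBBB"), which is exactly the position an attacker would fill with a return address of their choosing. Replacing the control word with a pointer into sprayed memory is where the next section comes in.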

--> Heap Spraying

1. Definition: Heap spraying is an exploitation technique, not a vulnerability: the attacker makes many heap allocations and fills them with the same attacker-controlled data (shellcode, or under DEP a ROP chain or fake object), so that a large, predictable range of heap addresses holds the payload.

2. Mechanism:
- Creates many copies of the same data in dynamically allocated memory (the heap), typically a long sled of filler bytes leading to the payload.
- Used when a vulnerability (a use-after-free, a heap overflow, a dangling or uninitialised pointer) lets the attacker steer execution or a pointer to an address they can only guess approximately: if the guess lands anywhere in the sprayed region, the sled carries execution to the payload.

3. Common Causes:
- Heap spraying does not corrupt memory by itself; it is paired with a vulnerability that leaves the attacker with an imprecise pointer or an imprecise jump target.
- Commonly driven from JavaScript in web browsers, where a script controls how many allocations are made and what they contain, and where the vulnerability being exploited lives in the browser or one of its plugins.

4. Targets: Dynamically allocated memory (the heap); in kernel exploits such as EternalBlue, the kernel pool plays the same role.
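A user-space model of the spray described above, as an added example written for this post (not code from the original): many identical chunks are allocated, each a long sled of filler bytes ending in a payload marker, and "execution" landing at a guessed offset is simulated by scanning forward over the sled. Chunk size, sled byte, payload marker and the pseudo-random probe generator are all assumed; nothing is actually executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the original post. Each sprayed chunk is
 * a sled of SLED_BYTE followed by PAYLOAD_LEN bytes of PAYLOAD_BYTE.
 * Control landing anywhere in a chunk "slides" forward to the payload. */

#define CHUNK_SIZE   (64u * 1024u)
#define PAYLOAD_LEN  16u
#define SLED_BYTE    0x90u   /* x86 NOP: the classic sled filler */
#define PAYLOAD_BYTE 0xCCu   /* stands in for shellcode (or, under DEP, a ROP chain) */

/* Fill one chunk: sled everywhere, payload in the last PAYLOAD_LEN bytes. */
static void fill_sprayed(unsigned char *chunk)
{
    memset(chunk, SLED_BYTE, CHUNK_SIZE - PAYLOAD_LEN);
    memset(chunk + CHUNK_SIZE - PAYLOAD_LEN, PAYLOAD_BYTE, PAYLOAD_LEN);
}

/* Simulate execution starting at chunk[offset]: advance while bytes are
 * sled, succeed on reaching the payload, fail on anything else. */
bool lands_on_payload(const unsigned char *chunk, size_t offset)
{
    for (size_t i = offset; i < CHUNK_SIZE; i++) {
        if (chunk[i] == PAYLOAD_BYTE) return true;
        if (chunk[i] != SLED_BYTE)    return false;
    }
    return false;
}

/* Deterministic linear congruential generator so runs are reproducible. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Spray `chunks` allocations, then probe `probes` pseudo-random
 * (chunk, offset) landing points, as an attacker with only an approximate
 * address would. Returns how many probes reached the payload. */
size_t spray_demo(size_t chunks, size_t probes)
{
    unsigned char **spray = calloc(chunks, sizeof *spray);
    if (!spray) return 0;
    for (size_t i = 0; i < chunks; i++) {
        spray[i] = malloc(CHUNK_SIZE);
        if (!spray[i]) { chunks = i; break; }   /* probe only what we got */
        fill_sprayed(spray[i]);
    }
    size_t hits = 0;
    uint32_t rng = 0x1234567u;
    for (size_t p = 0; p < probes && chunks > 0; p++) {
        size_t c   = lcg_next(&rng) % chunks;
        size_t off = lcg_next(&rng) % CHUNK_SIZE;
        if (lands_on_payload(spray[c], off)) hits++;
    }
    for (size_t i = 0; i < chunks; i++) free(spray[i]);
    free(spray);
    return hits;
}

/* Control: the same probes against one zero-filled chunk. Without a
 * spray, a guessed address does not lead anywhere useful. */
size_t unsprayed_demo(size_t probes)
{
    unsigned char *chunk = calloc(CHUNK_SIZE, 1);
    if (!chunk) return 0;
    size_t hits = 0;
    uint32_t rng = 0x1234567u;
    for (size_t p = 0; p < probes; p++) {
        size_t off = lcg_next(&rng) % CHUNK_SIZE;
        if (lands_on_payload(chunk, off)) hits++;
    }
    free(chunk);
    return hits;
}

int main(void)
{
    printf("sprayed  : %zu / 1000 probes reach the payload\n", spray_demo(64, 1000));
    printf("unsprayed: %zu / 1000 probes reach the payload\n", unsprayed_demo(1000));
    return 0;
}
```

Every probe into a sprayed chunk reaches the payload, and none into the control chunk does: that is the whole point of the spray, turning an imprecise guess into a reliable hit. Under DEP the chunks are not executable, so the sled/payload pair becomes a block of pointer-sized values (ROP gadget addresses or fake object fields) and the spray's job is to make a guessed address point at a valid fake object rather than at code.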

--> Key Differences:

- Location: A buffer overflow is a vulnerability and can sit in stack or heap memory; heap spraying is a technique that, by definition, works on heap memory.

- Exploitation Technique: A buffer overflow directly overwrites memory to control execution flow, whereas heap spraying corrupts nothing itself: it pre-fills memory with attacker-controlled data so that, when a separate vulnerability is triggered, an imprecise pointer or jump is likely to land on that data.

- Complexity: A direct buffer overflow exploit needs precise knowledge of the memory layout (which bytes reach the return address, which address to jump to). Heap spraying trades that precision for probability: by making a large range of addresses valid, it lets an imprecise jump or pointer still land on attacker-controlled data. Heap spraying alone does not bypass DEP (Data Execution Prevention); under DEP the sprayed data is not executable, so it holds a ROP chain or fake objects rather than raw shellcode, and the spray is combined with other techniques to get execution.

Please find the URLs below for more details:
https://andyrussellcronin.wordpress.com/2012/04/13/understanding-heap-spraying/

https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/

Happy Learning !!
#VulnerabilityManagement #CyberSecurity
