How We Solved the Buffer Overrun Problem

  • Reading time:7 mins read
  • Post comments:0 Comments

We recently worked with one of our customers to solve a buffer overrun problem. After the problem was solved, I spoke with Adrian, the developer of the application, to find out more about the issue and how we were able to help him resolve it.

Adrian: “The problem was in a part of our application that is accessed by all our users, so we had no idea what user action triggered the error.”

“We tried to reproduce the problem using the same version of our application as one of our users but weren’t able to do so. So we grabbed the latest version from our development environment and tried again. But this time everything worked without problems.”

“It was clear that there had been some code changes between the two versions that resolved the problem but what we couldn’t figure out was what those changes were.”

“So we went back to each user who experienced a problem and asked them if they could run a debugging version of our application for us. We also asked them to try reproducing the error so that we could see what they were doing when it happened.”

“Using this information, we were able to reproduce the error on many different machines, which gave us confidence that we were looking at a specific case rather than just random behaviour.”

A client of ours recently experienced an issue that we wanted to share with you, as it might be something other customers encounter. The client is a Content Management System (CMS) provider for a number of websites. Their solution is built upon ASP.NET 2.0 and uses the Telerik Web controls extensively.

The problem the client was experiencing was “buffer overruns” were occurring in their application on a random basis. The error they would get would be something like this:

A buffer overrun has occurred in http://www.whateveryourwebsiteis.com which has corrupted the program’s internal state. Pressing Break will terminate the program. Pressing Continue will ignore this error and attempt to continue. [Continue] [Break]

The problem only occurred in their production environment and not their development or staging environments. Because the production environment is on a different server than development, they were able to rule out IIS or environment settings being an issue at all (since they were hosting multiple sites on the same server).

A little over a month ago, we got an urgent call from a client that had been hacked. Their Google ads were being redirected to malware sites, and their customers were upset. After investigating the code, we found a malicious script injected into the site’s template files. The hack was through an old version of an image resizing component they were using; this component had a buffer overrun vulnerability that allowed arbitrary code execution.

The client was running an outdated version of the component. They had not updated it in years because they didn’t want to risk breaking the application. They weren’t alone, as we soon learned.

The next day, another client called with the exact same problem. We investigated and found that their server had also been hacked through the exact same component vulnerability. We quickly realized that we had a serious problem on our hands: hundreds of our clients were using vulnerable versions of this component and could be hacked at any time!

It was clear we needed to make sure all our clients were patched immediately. But that wasn’t going to be easy: for one thing, many of our clients use custom versions of the component and some are running versions so old we can’t find them anymore – but even if they are all still available (and compatible with newer PHP versions

A client of ours was having some problems with their website. We investigated and found out that a hacker had injected some malicious JavaScript into one of their pages. They were able to fix it, and we were happy to help them ensure that the problem didn’t happen again.

Coding has changed a lot in the last 30 years. In the 80s, when I was just starting out, we coded in assembly language. We had no abstraction layers between our code and the machine; every instruction mattered, so we had to be extremely careful. Buffer overruns were one of the biggest issues we had to deal with back then. But modern languages like Java and C

For the last couple of years, we’ve been using a very good product from Dotfuscator Software Services, Inc. called “Dotfuscator.” The product allows you to embed licensing information into your .NET assembly, and then protect it from reverse engineering.

The problem was that when you update an existing license with a new expiration date, the assembly gets noticeably bigger. If it’s already close to being too big to fit into a buffer on the client machine (this can happen if you have a lot of code), then the license renewal might push it over the edge.

The fix is pretty easy; I just followed the example on their website on how to use custom attributes. You basically write a custom attribute class that contains all your licensing information and tell the obfuscator not to obfuscate it. Then, when you update the license, only the custom attribute changes size, so there are no problems with buffer overruns anymore.

Last week we launched a new project that had been in the works for about a month. I’m happy to report that everything went smoothly and the client was pleased with the work. However, there were some challenges along the way, one of which almost ruined the launch.

As you can see from this screenshot, the page is displaying a list of names. The client wanted each name to be a hyperlink to an individual profile page. They also wanted every other name to be in a different color than the previous name.

The only tricky thing is that we were not allowed to use any HTML or Javascript on this page (it’s long story). So we had to find another way of making the names appear in alternating colors. Also, since the links were being added dynamically, we couldn’t just use CSS to set up different styles for even numbered rows versus odd numbered rows.

Our solution was to establish two different styles (for even and odd rows) and then add a class attribute to each link tag using PHP code as follows:

The company had a custom-built web application that was having some problems. Buttons weren’t showing up properly, data wasn’t being updated properly, etc. It seemed like a simple issue, but as we began to dig in it became clear that the issue was more complex than we originally thought.

The problem was coming from a template engine they were using to render their web pages. The template engine would take the HTML you wanted to render and replace any instances of {{var}} with the value of var in the code. However, if you didn’t escape your user input, then users could inject malicious code into your templates. For example, let’s say you have an endpoint for creating blog posts with a body field for the main content. Normally if you want to add emphasis to text, you might write: “I really love programming”. If you rendered this template without escaping the content first, then somebody could post something like “I {{content}} love programming” and suddenly your entire application is vulnerable to cross-site scripting attacks (XSS).

To solve this problem they implemented a JS library called Handlebars which they used instead of their custom solution. This took care of all the bugs they were experiencing and also prevented them from having

Leave a Reply