A buffer overrun occurs when a program allocates a block of memory of a certain length and then tries to stuff too much data into that buffer; the extra data overflows and overwrites adjacent memory, possibly including information crucial to the normal execution of the program. Consider the following source code:
When the source is compiled into a program and the program is run, it will assign a block of memory 32 bytes long to hold the name string.

```c
#include <stdio.h>

int main(void)
{
    char name[31];
    printf("Please type your name: ");
    gets(name);                 /* no bounds check: input longer than the buffer overflows it */
    printf("Hello, %s", name);
    return 0;
}
```
A buffer overflow will occur if you enter:

```
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```
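For contrast, here is a hardened version of the program above, added as an example (it is not part of the original page): gets() is replaced by a bounded fgets() read that always NUL-terminates, reports when a line was cut off, and drains the rest of the line so the remainder cannot leak into the next read. The helper read_name_from_string and the use of fmemopen() are my additions for feeding constructed input through the same reader.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 31              /* same buffer size as the page's example */

/* Reads one line into dst, at most dstsz-1 bytes plus the NUL terminator.
 * Returns 0 if the whole line fit, 1 if it was truncated (the rest of the
 * line is discarded so it cannot leak into the next read), -1 on EOF/error. */
int read_name_bounded(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';      /* strip the newline: the line fit */
        return 0;
    }
    /* No newline: the line was longer than the buffer, or input ended
     * without one. Drain to end of line and report what we found. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Test helper (constructed input): feeds a string through the same reader.
 * fmemopen() is POSIX.1-2008 and assumed available. */
int read_name_from_string(const char *input, char *dst, size_t dstsz)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int rc = read_name_bounded(dst, dstsz, in);
    fclose(in);
    return rc;
}

int main(void)
{
    char name[NAME_SIZE];
    printf("Please type your name: ");
    if (read_name_bounded(name, sizeof name, stdin) == 1)
        printf("(input longer than %zu characters was cut off)\n", sizeof name - 1);
    printf("Hello, %s\n", name);
    return 0;
}
```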
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.
In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.
Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Once a programmer has found a buffer overflow condition, the next step is to create a buffer of hex characters that represent assembled code instructions. The programmer then writes a C program that executes the target program and overflows the buffer by inserting the hex code to be executed.
You may find details of a few known buffer overflow exploits at the URLs mentioned below:
- Netmeeting 2.x exploit (http://www.cultdeadcow.com/cDc_files/cDc-351/)
- NT RAS Exploit (http://www.cerberus-infosec.co.uk/wprasbuf.html)
- IIS Hack (http://www.eeye.com)
- Oracle Web Exploit (http://www.cerberus-infosec.co.uk/advowl.html)
- Outlook Exploit (http://www.ussrback.com/labs50.html)
- IIS .printer (http://www.securityfocus.com/bid/2674)
- Buffer overflow vulnerabilities are inherent in code that performs poor or no bounds and error checking.
General ways of protecting against buffer overflows include:
- Close the port of service: Keep track of vulnerability reports from sources like CERT and Bugtraq, and take preventive measures such as blocking the port in question.
- Apply the vendor's patch or install the latest version of the software: The next step should be to apply hotfixes or patches from a reliable source.
- Filter specific traffic at the firewall: All suspicious traffic should be blocked at the perimeter itself.
- Test key applications: Key applications should be tested for boundary conditions before being put into production.
- Run software at the least privilege required: No unnecessary privileges should be granted to users or applications. This is a best practice.