
CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.




1 CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks

2 Smashing The Stack For Fun And Profit: http://www.phrack.org/show.php?p=49&a=14
Analysis of Buffer Overflow Attacks: http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
http://searchsecurity.techtarget.com/searchSecurity/downloads/ExploitingSoftware-Ch07.pdf
What is a buffer overflow? Broadly speaking, a buffer overflow occurs any time a program writes more data into a buffer than the space allocated for it in memory. This allows an attacker to overwrite data that controls the program's execution path and hijack control of the program to execute the attacker's code instead of the process's code.

3 Process Memory When a program is executed, its various compilation units are mapped into memory in a well-structured manner. The text segment contains primarily the program code, i.e., a series of executable instructions. The next segment is an area of memory containing both initialized and uninitialized global data; its size is fixed at compilation time. Going further toward higher addresses, we reach a region shared by the stack and the heap, which are both allocated at run time. The stack is used to store function arguments, local variables and the values of selected registers, allowing the program state to be restored after a call. The heap holds dynamic variables; memory on the heap is allocated with the malloc function or the new operator.

4 What is the stack used for? The stack works according to a LIFO model (Last In, First Out). Since space on the stack is allocated for the lifetime of a function, only data that is active during that lifetime can reside there. This structure follows from the structured approach to programming, where code is split into many sections called functions or procedures. When a program runs, it calls each individual procedure in sequence, often calling one from another, thereby producing a multi-level chain of calls. When a procedure completes, the program must continue execution at the instruction immediately following the CALL instruction. In addition, because the calling function has not terminated, all of its local variables, parameters and execution status must be "frozen" so that the remainder of the program can resume immediately after the call returns. The stack implementation guarantees exactly this behavior.

5 Function calls The program works by sequentially executing CPU instructions. For this purpose the CPU has the instruction pointer (the EIP register) to maintain the sequence order. It controls the execution of the program by holding the address of the next instruction to be executed. For example, taking a jump or calling a function causes this register to be modified accordingly. Suppose the EIP could be made to point at code of the attacker's choosing and execution proceeded from there. What would happen then? When a procedure is called, the return address for the call, which the program needs in order to resume execution, is pushed onto the stack. From the attacker's point of view, this is a situation of key importance. If the attacker somehow managed to overwrite the return address stored on the stack, then upon termination of the procedure it would be loaded into the EIP register, potentially allowing the overflow code to be executed instead of the code the program would normally run. We may see how the stack behaves after the code of Listing 1 has been executed.

6 Types of Buffer Overflow Attacks
Denial of Service: crash the machine. If enough memory can be overwritten, the system can no longer function and the OS will crash.
Gaining Access: overwriting enough of the stack to replace the return pointer makes it point to the attacker's code instead of the actual program.
Programs are vulnerable because they lack error checking. Bounds checking should be added to programs.
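Added example (not from the slides): the unchecked strcpy() pattern the slide warns about, beside a bounds-checked handler that rejects any message that would not fit its 1024-byte stack buffer, the size involved in the IMAP AUTHENTICATE case covered later in this deck. The message prefix and lengths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 1024  /* fixed-size stack buffer, like the 1024-byte IMAP case */

/* Unchecked pattern from the slides: strcpy() copies the whole source no
 * matter how large the destination is, so a message of CMD_BUF bytes or more
 * runs past cmd[] into the saved registers and return address above it.
 * Kept for contrast only; nothing here calls it with oversized input. */
void handle_unchecked(const char *msg)
{
    char cmd[CMD_BUF];
    strcpy(cmd, msg);                 /* no bounds check */
    printf("processing: %.32s\n", cmd);
}

/* Bounds-checked copy: make sure the message plus its NUL fits first.
 * Returns 0 on success, -1 if rejected (refusing beats silent truncation). */
int copy_checked(const char *msg, char *out, size_t outlen)
{
    size_t n = strlen(msg);
    if (n >= outlen)
        return -1;                    /* would overflow: refuse */
    memcpy(out, msg, n + 1);          /* n + 1 carries the NUL */
    return 0;
}

/* Same fixed buffer as handle_unchecked(), but safe */
int handle_checked(const char *msg)
{
    char cmd[CMD_BUF];
    if (copy_checked(msg, cmd, sizeof cmd) != 0)
        return -1;
    return 0;
}

/* Constructed input: "A001 AUTHENTICATE " padded with 'A's to msg_len bytes */
int try_length(size_t msg_len)
{
    char msg[4096];
    const char *prefix = "A001 AUTHENTICATE ";
    size_t plen = strlen(prefix);
    if (msg_len < plen || msg_len >= sizeof msg)
        return -2;                    /* length unusable for this demo */
    memcpy(msg, prefix, plen);
    memset(msg + plen, 'A', msg_len - plen);
    msg[msg_len] = '\0';
    return handle_checked(msg);
}
```

A 1023-byte message is the largest the checked handler accepts; 1024 bytes or more is refused before any copy happens.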

7 Ten Buffer Overflow Attacks
NextMeeting Buffer Overflow: The attacker sends the victim a specially crafted SpeedDial link; when the victim clicks the link to supposedly connect to a remote system, the input contained in the link causes a buffer overflow, which can be used to run arbitrary code on the victim's system. http://www.cse.msu.edu/~westrant/symlink/pages/exploits/overflows.htm
Protection: Apply patches
Outlook Buffer Overflow: The attacker sends an email with a malformed header that causes a buffer overflow. It has two variations: crash the victim's machine, or run arbitrary code on the victim's computer. It is an easy way to plant a backdoor on a machine; some variants launch when the attachment is opened and some when the email is downloaded. It is nasty because a copy remains on the mail server, so each time you check your mail the overflow can occur again. http://www.microsoft.com/technet/security/bulletin/MS00-043.mspx
Protection: Re-install a newer patched version of Outlook or install the appropriate service pack

8 Ten Buffer Overflow Attacks
Linuxconf Buffer Overflow: Linuxconf is a system administrator's tool that opens a port (port 98) for remote access; if the attacker puts too much information in the HTTP header, it causes a buffer overflow on the victim's machine. http://www.linuxsecurity.com/advisories/other_advisory-2315.html
Protection: It should only be run on the local host if possible. If Internet or remote access is needed, it should be run over an encrypted link, or the firewall should limit which addresses can connect. Apply patches.
ToolTalk Buffer Overflow: Affects Unix and Unix-derivative systems; a remote buffer overflow that allows arbitrary code to be run with superuser privileges on the target machine. The attacker connects to the ToolTalk RPC service and sends it a message whose signature overflows an internal buffer in the program, causing it to execute instructions contained in the message. http://www.ciac.org/ciac/bulletins/m-109.shtml
Protection: Apply patches. Disable the vulnerable service.

9 Ten Buffer Overflow Attacks
IMAPD Buffer Overflow: Internet Message Access Protocol (IMAP) on a mail server (port 143). The attacker connects to the IMAPD mail service and sends it a specific message that overflows an internal buffer, causing instructions in the message to be executed; the attacker issues an oversized AUTHENTICATE message larger than 1024 bytes and then runs with the privileges of IMAP. http://www.ciac.org/ciac/bulletins/m-085.shtml
Protection: Upgrade to a newer version of IMAPD. Apply vendor patches. Configure the firewall to reject incoming TCP connections to port 143.
AOL Instant Messenger (AIM) Buffer Overflow: The AIM URL protocol connects AIM:// URLs to the AIM client; a buffer overflow can occur when parsing the URL parameters. It can be triggered just by typing an AIM:// URL in a browser window; it is a significant problem because AIM is bundled into other software such as Netscape. http://www.securiteam.com/windowsntfocus/5FP071P75S.html
Protection: AOL is blocking this on the server side. With time they might also produce a client-side fix.

10 Ten Buffer Overflow Attacks
AOL Instant Messenger BuddyIcon Buffer Overflow: A stack overflow occurs if the source parameter is longer than 3000 characters. http://www.securityfocus.com/bid/2122 http://www.securityfocus.com/bid/9257
Windows 2000 ActiveX Control Buffer Overflow: An unchecked buffer in the System Monitor ActiveX Control; it can be exploited remotely through a web browser or an HTML-compliant email, but only if ActiveX is enabled in the browser or mail client. Depending on the data supplied, the attacker can execute arbitrary code on the victim's machine. http://www.microsoft.com/technet/security/bulletin/MS03-042.mspx

11 Ten Buffer Overflow Attacks
IIS 4.0/5.0 Phone Book Server Buffer Overflow: This is the phone book service of AOL; the overflow occurs when the PB parameter of the query string is too long. Filling this parameter with uppercase As causes the inetinfo process to crash the victim's system. http://seclists.org/lists/bugtraq/2000/Dec/0067.html
Protection: If you do not need the Phone Book Service, remove pbserver.dll. Users of the Phone Book Service should download and install the patch provided by Microsoft.
SQL Server 2000 Extended Stored Procedures Buffer Overflow: Clients can invoke extended stored procedures through a normal SQL Server query; some of these stored procedures are vulnerable to buffer overflow attacks by an unauthorized user. http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3BQ280380 http://www.symantec.com/avcenter/security/Content/1865-6.html

12 General Protection Against Buffer Overflow Attacks
Close the port or service.
Know what is installed on your system, and run the fewest services and open the fewest ports required for the system to operate in its environment.
Apply the vendor's patches or install the latest version of the software.
Filter specific traffic at the firewall.
Test key applications.
Run software with the least privilege required.

