February 21, 2005

Beware the Buffer-Stack Overflow!


by roy

The what?

The buffer-stack overflow (more precisely, the stack-based buffer overflow) is an ingenious, if intricate, method by which an attacker can seize control of your server.

So, what is a buffer stack overflow? Every running program keeps a region of RAM called the stack. Each time a function is called, a new frame is pushed onto it holding that function's local variables, including any fixed-size buffers, together with the address of the instruction to return to when the function finishes. When the function ends, the processor pops the frame and jumps to that saved return address.

A buffer overflow happens when a program copies more data into one of those fixed-size buffers than it was declared to hold. Because the saved return address sits just beyond the local variables in the same frame, the excess spills over it. If the overflow is accidental, the return address now points at garbage, the processor jumps to an invalid location and the program crashes; if the overflow is in a driver or the kernel itself, the whole machine goes down, which is one way to earn a "blue screen of death." The stack is not a cache of OS files stacked up like dishes; it is per-program scratch space, which is exactly why one program's bad input can corrupt it.

Well, here's a sick thought: suppose someone could cause that overflow on your server deliberately and, instead of garbage, write his own machine code into the buffer and his own address over the saved return address, so that the program "returns" into commands of his choosing, like "delete" or "install virus." Even if you're not a hard-tech type you should be aware of this technique.

Step One: Entrance

In order to mess with the stack (cause an overflow or smuggle in commands), the attacker needs a way to feed input to the vulnerable program. A back door planted by a Trojan horse delivered by email is one route, but it is not required: any program that accepts outside data can be the entrance. The classic target is a network service (a mail, web or FTP daemon) listening on an open port, reached with nothing more than a crafted connection.

Step Two: Smashing the Stack

This is done by sending the program more data than its buffer can hold. Filling the buffer with meaningless characters, like the letter "z", overwrites the saved return address with nonsense; when the function returns, the processor jumps to a bogus address and the program (or, for a kernel driver, the operating system) crashes. If the attacker wants to do more than crash the server, he sends a payload that contains his own machine language commands plus a carefully placed address pointing back into that payload, so that the function "returns" into his code instead of into the program that called it.

Step Three: Running Commands

Once the processor is executing the attacker's code, that code can do anything the compromised program could do. It not only lets him run individual commands, it lets him create a command shell. The classic payload, known as "shellcode," starts /bin/sh on UNIX, either listening on a port or connecting back out to the attacker. From there he can operate the machine much as remote-control software like PCAnywhere lets a user drive a distant PC's screen, keyboard and mouse, except that nobody agreed to it.

If the prize is big enough, a persistent hacker will succeed and then make his access permanent: on a UNIX server, say, by adding a back-door service to /etc/inetd.conf that hands /bin/sh to anyone who connects; on a Windows machine, by planting a program that calls into the system's networking DLLs, such as wininet.dll, to open a channel back out.

This is complicated, high-tech stuff that requires patience and expertise. Among the skills needed are C programming, a reading knowledge of machine language, and a feel for how a particular compiler lays out the stack. Even so, the buffer-overflow attack has become quite popular with certain hackers, because a single overflow in a network service turns into their own code running inside your server.

For more detailed technical explanations, go to your favorite search engine and run a search on "Buffer Overflows." One of the items that will pop up is "Smashing the Stack for Fun and Profit" by Aleph One, published in Phrack issue 49 (1996). It's a good read, especially if you're familiar with C coding.

The SANS Institute also stays up to date on recently discovered software "holes" that can lead to stack buffer overflows.

**************************************

Note: I’ve tried to limit the site references here to “safe” ones. There are numerous sites on the ‘net, set up by and for hackers. Professional security experts often visit these sites to download hacker software. Don’t do this unless you have taken a number of precautions. Many of these sites will record the IP addresses of all visitors, and these aren’t the kind of people who should have that kind of information!

If you’re interested in investigating these sites, or even downloading their software to become familiar with hacking methods, set up a separate “lab” network and use a different ISP than you use for your professional network.

***************************************

Defense

There are defenses against this form of attack, however.

For systems administrators:

  1. Close all unused ports. Otherwise, you're just presenting one more opening to the attacker.

  2. Monitor incoming mail. Email attachments can carry Trojan horse executables, which will enable the hacker to create a back door on a user's workstation. And if there's a modem attached to that workstation, and the hacker knows the number....

  3. Regularly test and apply new vendor patches. Check the Microsoft, Symantec and other vendor sites.

  4. Shut off unnecessary services (FTP, HTTP, etc.). If you don't need a web server running, then you don't need port 80, and a daemon that isn't running can't be overflowed.

  5. Control outgoing as well as incoming traffic. Hackers don't just put data into your server. They take it out, like when they're running Back Orifice, and a shell that connects back out to the attacker dies at an egress filter.

For software developers, Ed Skoudis' Counter Hack advises:

  1. Avoid programming mistakes involving the allocation of memory space, in particular copying input into a fixed-size buffer without checking its length.
  2. The code review phase of development should specifically look for security-related mistakes.

Beyond that, prefer length-limited library routines such as snprintf to strcpy, gets and sprintf, or check lengths explicitly before copying, and take whatever stack protection your compiler offers.
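The overflow of Steps Two and Three and the bounds check these two rules call for, side by side. This is an added example, not code from the original post or from Counter Hack. It simulates the stack frame in an ordinary C struct rather than overflowing the real stack, so it runs safely on any machine; the frame layout, the two copy routines, the address constants and the "z" filler are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of one stack frame on a 64-bit machine: a fixed-size
 * local buffer, then (at higher addresses) the saved frame pointer and the
 * saved return address that the processor will jump to when the function
 * returns. The frame is an ordinary struct here, so the "overflow" is a
 * simulation that never corrupts this program's real stack. A real frame
 * also holds other locals and, with a modern compiler, a canary. */
#define BUF_SIZE 16
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_fp;
    uint64_t saved_ret;
};

/* Constructed values standing in for a legitimate frame. */
#define LEGIT_FP  0x00007ffe1000ULL
#define LEGIT_RET 0x0000000000401234ULL

/* Vulnerable copy: trusts the sender's length, exactly like strcpy() or an
 * unchecked memcpy() into a local array. Bytes beyond buf land in saved_fp
 * and then saved_ret. (The model stops at the end of the struct so the
 * simulation stays defined; strcpy() would keep going into the caller's frame.) */
void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    unsigned char *p = (unsigned char *)f;
    for (size_t i = 0; i < len && i < sizeof *f; i++)
        p[i] = in[i];
}

/* Hardened copy: the destination size is known and enforced, so oversized
 * input is refused instead of spilling. Returns 0 on success, -1 if refused. */
int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len >= BUF_SIZE)             /* leave room for the terminating NUL */
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* Build the payload Step Two describes: filler ("z"s) covering the buffer
 * and the saved frame pointer, followed by the address the attacker wants
 * executed in place of the real return address. In a real exploit that
 * address points back into the payload, where the shellcode sits. */
size_t build_payload(unsigned char *out, size_t cap, uint64_t target)
{
    size_t filler = BUF_SIZE + sizeof(uint64_t);
    if (cap < filler + sizeof target)
        return 0;
    memset(out, 'z', filler);
    memcpy(out + filler, &target, sizeof target);  /* host byte order, as on the stack */
    return filler + sizeof target;
}

/* Where will the function "return" after the vulnerable copy? */
uint64_t ret_after_unchecked(uint64_t target)
{
    struct frame f = { "", LEGIT_FP, LEGIT_RET };
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, target);
    copy_unchecked(&f, payload, n);
    return f.saved_ret;
}

/* And after the bounds-checked copy? *refused is set to 1 if the input was rejected. */
uint64_t ret_after_checked(uint64_t target, int *refused)
{
    struct frame f = { "", LEGIT_FP, LEGIT_RET };
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, target);
    *refused = copy_checked(&f, payload, n) != 0;
    return f.saved_ret;
}

int main(void)
{
    uint64_t attacker = 0x4141414141414141ULL;   /* constructed "attacker address" */
    int refused = 0;
    printf("legitimate return address: 0x%llx\n", (unsigned long long)LEGIT_RET);
    printf("after unchecked copy:      0x%llx\n",
           (unsigned long long)ret_after_unchecked(attacker));
    printf("after checked copy:        0x%llx (input refused: %d)\n",
           (unsigned long long)ret_after_checked(attacker, &refused), refused);
    return 0;
}
```

The unchecked copy hands the processor the attacker's address as the place to return to; the checked copy never touches anything past the buffer, and the rest of the frame keeps its legitimate values. The only difference between the two routines is that one knows how big its destination is.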

Finally, if you suspect your server has been attacked in this manner, don't poke at the live machine. Load the vulnerable program, even if it's the OS itself, onto a lab server, reproduce the crash with the suspect input, and examine it under a debugger: a saved return address overwritten with filler bytes, or pointing back into the input buffer, is the signature of a smashed stack.

————————–

Both AMD and Intel have said that they are adding hardware support to their processors to stop the exploitation of buffer overflows (AMD calls the feature NX, Intel XD): in effect, the ability to mark areas of memory as data that must never execute. The processor can still read and write such a page as usual, so the overflow itself can happen, but if the overwritten return address tries to transfer control into the buffer, where the injected code lives, the processor refuses and raises a fault instead.

From ZDNet News.
