Buffer overflow attack-vulnerability warning-the black bar safety net

ID MYHACK58:62200818687
Type myhack58
Reporter Anonymous
Modified 2008-04-02T00:00:00


Buffer overflows are a widespread and dangerous class of vulnerability found in many operating systems and applications. A buffer overflow attack can make a program fail or crash the system; worse, it can be used to execute unauthorized instructions and even obtain system privileges, after which the attacker can carry out all kinds of illegal operations. The first buffer overflow attack, the Morris worm, occurred ten years ago and brought more than 6000 network servers around the world to a standstill.

First, how a buffer overflow works:

When a user program runs normally, its operations generally stay within the program's intended range. An attacker, however, exploits the boundary of the buffer length: by feeding the program input longer than it was written to expect, they cause a buffer overflow that corrupts the program's stack, so that the running program misbehaves and ends up executing other instructions, which is the attacker's purpose. The root cause of buffer overflows is that the program does not carefully check user-supplied input; it is the result of carelessness during program development.

Of course, simply filling a buffer with something until it overflows usually only produces a "segmentation fault" and does not achieve the attacker's purpose. The most common technique is to trigger a buffer overflow that makes the program run a user shell, and then execute other commands through that shell. If the program is owned by root and has the suid bit set, the attacker obtains a root shell and can perform any operation on the system.

Buffer overflow attacks have become a common attack technique because buffer overflow vulnerabilities are both widespread and easy to exploit. They have become the main means of remote attack because a buffer overflow vulnerability gives the attacker everything they want: the implanting and execution of attack code. The implanted code runs with whatever privileges the vulnerable program has, so the attacked host falls under the attacker's control.

In 1998, of the five kinds of remote attack that Lincoln Laboratory used to evaluate intrusion detection systems, two were buffer overflows. Of the 13 CERT advisories issued in 1998, nine were related to buffer overflows, and in 1999 at least half of the advisories concerned buffer overflows. In a Bugtraq survey, two thirds of respondents considered buffer overflow vulnerabilities a very serious security problem.

Buffer overflow vulnerabilities and attacks take a variety of forms, which are described and classified in the second section. The corresponding defences also differ according to the attack method; they are described in the fourth section, which covers effective defences for each type of attack.

Second, the buffer overflow vulnerabilities and attacks:

A buffer overflow attack aims to subvert the behaviour of a program that runs with certain privileges. This lets the attacker gain control of the program, and if the program has sufficient privileges, the entire host is controlled. The concrete process is as follows: the attacker first makes exploratory attacks on a program that runs as root, then executes code of the form "exec(sh)" to obtain a root shell. To achieve this, the attacker must accomplish two goals:

1. Arrange suitable code in the program's address space;

2. Through suitable initialization of registers and memory, make the program jump to the address space the intruder has arranged and execute it.

Based on these two goals, buffer overflow attacks can be classified in two ways: by how the code is arranged, and by how control of program execution is transferred:

1. Methods of arranging suitable code in the program's address space:

(1) The implant method:

The attacker supplies a string to the attacked program, which stores it in a buffer. The string contains a sequence of instructions that can run on the hardware platform being attacked; in other words, the attacker uses the attacked program's buffer to store the attack code. The buffer may be located anywhere: the stack (automatic variables), the heap (dynamically allocated memory), or the static data area.

(2) Using code that already exists:

Sometimes the code the attacker wants is already present in the attacked program, and all the attacker has to do is pass it some parameters. For example, suppose the attack requires executing exec("/bin/sh"), and the libc code linked into the program executes exec(arg), where arg is a pointer to a string; then the attacker only needs to change the argument pointer so that it points to "/bin/sh".

2. Methods of transferring control of the program to the attack code:

All of these methods seek to change the program's flow of execution so that it jumps to the attack code. The most basic is to overflow a buffer that has no bounds checking or some other weakness, thereby disturbing the program's normal order of execution. By overflowing a buffer, the attacker can brute-force overwrite the adjacent program space and bypass the system's checks.

The classification criterion here is the type of program space the attacker is looking to overflow. In principle it can be any space; in practice, many buffer overflows use brute force to change a program pointer. The methods differ in the kind of program space they corrupt and in where that space lies in memory.

There are mainly the following three ways:

(1) Activation records:

Whenever a function call occurs, the caller leaves an activation record on the stack, which contains the address to return to when the function ends. The attacker overflows an automatic variable on the stack so that the return address points to the attack code. By changing the return address used when the function call ends, the program jumps to the address the attacker set instead of the original one. This type of buffer overflow is called a stack smashing attack and is currently the most common kind of buffer overflow attack.

(2) Function pointers:

A function pointer can point to any address in the address space. For example, "void (*foo)()" declares a variable foo that is a pointer to a function returning void. So the attacker only needs to find, anywhere in memory, an overflowable buffer near a function pointer and then overflow that buffer to change the function pointer. Later, when the program calls the function through that pointer, control flows as the attacker intends. An example of this attack is against the superprobe program on Linux.

(3) Longjmp buffers:

The C language includes a simple checkpoint/recovery mechanism known as setjmp/longjmp: "setjmp(buffer)" sets a checkpoint and "longjmp(buffer)" restores it. However, if an attacker can write into that buffer, then "longjmp(buffer)" actually jumps to the attacker's code. Like a function pointer, a longjmp buffer can point anywhere, so the attacker only needs to find a buffer that can be overflowed. A typical example is the buffer overflow vulnerability in Perl 5.003: the attacker first overflows the longjmp buffer used for recovery, then induces the interpreter to enter recovery mode, which makes the Perl interpreter jump to the attack code.

3. Combined analysis of code implanting and flow-control techniques:

The simplest and most common type of buffer overflow attack combines code implanting and the activation-record technique in a single string. The attacker locates an overflowable automatic variable and passes the program a very large string that overflows the buffer, changing the activation record and implanting the code at the same time. This is the attack template described by Levy. Because C programs habitually allocate only small buffers for user input and parameters, examples of this kind of attack are very common.

Code implanting and the buffer overflow need not be completed in a single action. The attacker can place the code in one buffer, which need not be overflowed, and then overflow a different buffer to redirect the program pointer. This approach is generally used when the overflowable buffer is too small to hold all of the code.

If an attacker tries to use code already resident in the program instead of implanting code from outside, they usually have to pass it a parameter when calling it. For example, in libc (a section of code that almost all C programs link against) there is a snippet that executes "exec(something)", where something is the parameter. The attacker then uses one buffer overflow to change the program's parameter, and another buffer overflow to point the program pointer at that specific libc code.

Third, experimental analysis of a buffer overflow attack:

In January 2000, the Cerberus security team announced a buffer overflow vulnerability in Microsoft IIS 4/5. Exploiting this vulnerability can crash the Web server, or even execute arbitrary code with the highest system privileges. Microsoft IIS 4/5 is currently a mainstream Web server program, so this buffer overflow vulnerability poses a great threat to the security of web sites. It is described as follows:

The browser sends IIS an HTTP request consisting of a domain name or IP address plus a file name with the ".htr" suffix. IIS therefore believes the client is requesting a ".htr" file. Because files with the ".htr" extension are mapped to an ISAPI (Internet Service API) application, IIS redirects every request for a ".htr" resource to the ISM.DLL program, which opens the file and executes it.

The file name contained in the browser's request is stored in a local variable buffer. If it is very long, more than 600 characters, the local variable buffer overflows, overwriting the return address and crashing IIS. Furthermore, by implanting a section of carefully designed code in the 2K buffer, that code can be made to run with system privileges.

Fourth, methods of preventing buffer overflow attacks:

Buffer overflow attacks account for the majority of remote network attacks; such an attack can give an anonymous Internet user partial or complete control of a host. If buffer overflow vulnerabilities could be eliminated effectively, a large part of these security threats would be removed.

There are currently three basic methods of protecting buffers against buffer overflow attacks and their effects:

1. Making the buffer non-executable through the operating system, which prevents the attacker from running implanted attack code;

2. Forcing the writing of correct code;

3. Using compiler bounds checking to protect buffers, so that a buffer overflow cannot occur at all, completely eliminating the threat of buffer overflows.
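The second method, writing correct code, comes down to checking input length before it reaches a fixed-size buffer. The following C example is added here and is not code from the original article or from IIS: it shows the unchecked copy behind the ".htr" file-name overflow next to a hardened version that rejects oversize input. The handler names and the NAME_MAX buffer size are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a request handler copies the requested file name into
 * a fixed-size local buffer. NAME_MAX is an assumed size, not IIS's real one. */
#define NAME_MAX 64

/* Vulnerable form: strcpy knows nothing about the destination size, so a name
 * longer than NAME_MAX - 1 bytes runs past 'name' into the rest of the stack
 * frame (saved registers, return address). Kept for comparison only; it is
 * never called below. */
int is_htr_request_unsafe(const char *filename)
{
    char name[NAME_MAX];
    strcpy(name, filename);            /* no bounds check: the defect */
    return strstr(name, ".htr") != NULL;
}

/* Hardened form: compare the input length against the buffer before copying,
 * reject oversize input explicitly, and keep the NUL terminator.
 * Returns 1 for a ".htr" name, 0 for any other name, -1 if rejected. */
int is_htr_request_safe(const char *filename)
{
    char name[NAME_MAX];
    size_t len = strlen(filename);     /* caller supplies a NUL-terminated string */
    if (len >= sizeof name)            /* no room left for the terminator */
        return -1;                     /* refuse instead of overflowing */
    memcpy(name, filename, len + 1);   /* len + 1 copies the NUL as well */
    return strstr(name, ".htr") != NULL;
}

/* Builds a constructed name of n 'A' characters followed by ".htr" and
 * returns the hardened handler's verdict on it. */
int verdict_for_length(size_t n)
{
    char *buf = malloc(n + 5);         /* n chars + ".htr" + NUL */
    memset(buf, 'A', n);
    strcpy(buf + n, ".htr");
    int r = is_htr_request_safe(buf);
    free(buf);
    return r;
}

int main(void)
{
    printf("index.htr    -> %d\n", is_htr_request_safe("index.htr"));
    printf("600+ chars   -> %d\n", verdict_for_length(600));
    return 0;
}
```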