Example Sins

The following entries, which come directly from the Common Vulnerabilities and Exposures list, or CVE (http://cve.mitre.org), are examples of buffer overruns. An interesting bit of trivia is that as of this writing, 1,734 CVE entries match buffer overrun. A search of CERT advisories, which document only the more widespread and serious vulnerabilities, yields 107 hits on buffer overrun.

CVE-1999-0042

From the CVE description: Buffer overflow in University of Washington's implementation of IMAP and POP servers.

This CVE entry is thoroughly documented in CERT advisory CA-1997-09, and involved a buffer overrun in the authentication sequence of the University of Washington's Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) servers. A related vulnerability was that the e-mail server failed to implement least privilege, so the exploit granted root access to attackers. The overflow led to widespread exploitation of vulnerable systems.

Network vulnerability checks designed to find vulnerable versions of this server found similar flaws in Seattle Lab's SLMail 2.5, as reported at www.winnetmag.com/Article/ArticleID/9223/9223.html.

CVE-2000-0389 to CVE-2000-0392

From CVE-2000-0389: Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges.

From CVE-2000-0390: Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges.

From CVE-2000-0391: Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges.

From CVE-2000-0392: Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges.

This series of problems in the MIT implementation of Kerberos is documented as CERT advisory CA-2000-06, found at www.cert.org/advisories/CA-2000-06.html. Although the source code had been available to the public for several years, and the problem stemmed from the use of dangerous string handling functions (strcat), it was only reported in 2000.
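The Kerberos entries above trace back to unchecked strcat calls into fixed-size buffers. The following added example (mine, not code from the book or from MIT Kerberos) shows that pattern in a hypothetical routine that assembles a principal name, beside a length-checked version that refuses oversized input instead of writing past the buffer; the function names, buffer size and sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PRINC_MAX 64   /* fixed-size destination buffer, as in the classic sin */

/* The sin: unchecked strcpy/strcat into a fixed buffer. Every input is
 * copied in full, so three caller-supplied strings that together exceed
 * PRINC_MAX bytes run past the end of 'out'. Shown for contrast only. */
void build_principal_unsafe(char out[PRINC_MAX], const char *name,
                            const char *inst, const char *realm)
{
    strcpy(out, name);
    strcat(out, ".");
    strcat(out, inst);
    strcat(out, "@");
    strcat(out, realm);
}

/* The fix: compute the required length first (including the NUL),
 * refuse anything that does not fit, and only then copy with a bounded
 * call. Returns 0 on success, -1 on failure; on failure 'out' is left
 * as an empty string so a caller cannot use a partial value. */
int build_principal_safe(char *out, size_t outsz, const char *name,
                         const char *inst, const char *realm)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    size_t need = strlen(name) + 1 + strlen(inst) + 1 + strlen(realm) + 1;
    if (need > outsz)
        return -1;
    /* snprintf cannot overrun; the explicit check above additionally
     * turns silent truncation into an error the caller must handle. */
    int n = snprintf(out, outsz, "%s.%s@%s", name, inst, realm);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[PRINC_MAX];
    char big[200];                     /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("normal: %d -> %s\n",
           build_principal_safe(buf, sizeof buf, "alice", "admin", "EXAMPLE.ORG"), buf);
    printf("oversized: %d -> \"%s\"\n",
           build_principal_safe(buf, sizeof buf, big, "admin", "EXAMPLE.ORG"), buf);
    return 0;
}
```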

CVE-2002-0842, CVE-2003-0095, CAN-2003-0096

From CVE-2002-0842:

Format string vulnerability in certain third-party modifications to mod_dav for logging bad gateway messages (e.g., Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a 502 Bad Gateway response, which causes the format string specifiers to be returned from dav_lookup_uri() in mod_dav.c, which is then used in a call to ap_log_rerror().

From CVE-2003-0095:

Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP.

From CAN-2003-0096:

Multiple buffer overflows in Oracle 9i Database Release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function.

These vulnerabilities are documented in CERT advisory CA-2003-05, located at www.cert.org/advisories/CA-2003-05.html. The problems are one set of several found by David Litchfield and his team at Next Generation Security Software Ltd. As an aside, this demonstrates that advertising one's application as unbreakable may not be the best thing to do whilst Mr. Litchfield is investigating your applications.

CAN-2003-0352

From the CVE description:

Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.

This overflow is interesting because it led to widespread exploitation by two very destructive worms that both caused significant disruption on the Internet. The overflow was in the heap, and how reliably it could be exploited is evidenced by the fact that it was possible to build a worm that was very stable. A contributing factor was a failure of the principle of least privilege: the interface should not have been available to anonymous users. Another interesting note is that overflow countermeasures in Windows 2003 degraded the attack from escalation of privilege to denial of service.

More information on this problem can be found at www.cert.org/advisories/CA-2003-23.html, and www.microsoft.com/technet/security/bulletin/MS03-039.asp.



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
ISBN: 71626751
Year: 2003
Pages: 239
