5.7 Buffer Overflows or Stamping on Memory with gets()

[Figure: danger level icon, level five]

One of the most common ways that intruders break into a Linux box is by using what is called a buffer overflow. This is just what it sounds like. A programmer made a mistake and failed to limit the amount of data that can be written into the region of the program's memory reserved for a buffer. The bytes beyond the end of the buffer go into the adjacent memory, overflowing (destroying) whatever was there before. When that memory is read again, it contains whatever the person using the program put there. This is patching a program at the most sophisticated and evil level.

It is common programming practice in C to allocate many buffers on the stack, and the stack is also where subroutine return addresses are stored. This allows a clever cracker to cause the subroutine to "return" to wherever he likes, typically to his own code located elsewhere in this buffer. In other cases the variables on the stack are manipulated to effect a break-in.

There are some clever techniques for repelling buffer overflow attacks even in buggy code. These techniques, some of which are quite easy to install and use, are presented in "Stopping Buffer Overflows with Libsafe" on page 331.


A buffer overflow attack can be recognized, if the system manages to log it, by the presence of long input fields containing plenty of nonprintable characters. This was my New Year's Day 1999 present.

 
 Jan  1 00:59:41 rabbit mountd[351]: Unauthorized access by NFS client 206.132.153.48. Jan  1 00:59:41 rabbit syslogd: Cannot glue message parts together Jan  1 00:59:41 rabbit mountd[351]: Blocked attempt of 206.132.153.48 to mount ^P^P^P^P^P^P^P^P^P^P [a total of about 460 ^P characters] Jan  1 00:59:41 rabbit ^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E... 

This attack had already been described in CERT Advisory CA-98.12, available at

www.cert.org/advisories/CA-98.12.mountd.html

In CGI programs, long input strings with lots of %xy encodings indicate intrusions or attempts to get around content filtering. A program for "unhexing" such text hidden by %xy encoding is provided in "Unhexing Encoded URLs" on page 290.
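The two signatures described here, long fields of nonprintable characters in syslog entries and long runs of %xy escapes in CGI requests, turned into a small log scanner. This is an added example, not code from the book; the thresholds and the sample log lines are constructed assumptions modelled on the mountd entries above.

```python
import re

# Thresholds and sample values below are assumptions made for this example, not from the book.
CTRL_RUN_LIMIT = 32      # this many control characters in a row (NOP-sled style padding)
CTRL_RATIO_LIMIT = 0.25  # or this fraction of a long line made of control characters
PCT_RUN_LIMIT = 16       # or this many consecutive %xy escapes in a CGI request
LONG_LINE = 200          # the ratio test only applies to lines at least this long

# A control character, either raw (0x00-0x1f minus tab/LF/CR, plus DEL) or in the
# caret notation (^P, ^H, ...) used by the book's listing and many log viewers.
CTRL = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]|\^[@-_?]')
CTRL_RUN = re.compile(r'(?:[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]|\^[@-_?])+')
PCT_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2})+')

def longest_ctrl_run(line):
    """Length of the longest unbroken run of control characters."""
    return max((len(CTRL.findall(m.group())) for m in CTRL_RUN.finditer(line)), default=0)

def ctrl_ratio(line):
    """Fraction of the line that is control characters (a caret pair counts once)."""
    return len(CTRL.findall(line)) / len(line) if line else 0.0

def longest_pct_run(line):
    """Most consecutive %xy escapes anywhere in the line."""
    return max((len(m.group()) // 3 for m in PCT_RUN.finditer(line)), default=0)

def classify(line):
    """Return a reason string if the line looks like overflow or hex-hidden input, else None."""
    run = longest_ctrl_run(line)
    if run >= CTRL_RUN_LIMIT:
        return f"control-char run of {run}"
    if len(line) >= LONG_LINE and ctrl_ratio(line) >= CTRL_RATIO_LIMIT:
        return f"control-char density {ctrl_ratio(line):.0%}"
    pct = longest_pct_run(line)
    if pct >= PCT_RUN_LIMIT:
        return f"{pct} consecutive %xy escapes"
    return None

def scan(lines):
    # (line number, reason) for every suspicious line
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample lines modelled on the mountd entries quoted above plus two CGI requests.
SAMPLE = [
    "Jan  1 00:59:41 rabbit mountd[351]: Unauthorized access by NFS client 206.132.153.48.",
    "Jan  1 00:59:41 rabbit mountd[351]: Blocked attempt of 206.132.153.48 to mount " + "^P" * 460,
    "Jan  1 00:59:41 rabbit " + "^H(-^E" * 60,
    "Jan  1 01:02:03 rabbit httpd: GET /cgi-bin/search?q=" + "%90" * 40 + " HTTP/1.0",
    "Jan  1 01:02:10 rabbit httpd: GET /docs/a%20b%20c.html HTTP/1.0",
]
```

Running `scan(SAMPLE)` flags lines 2, 3 and 4 and leaves the ordinary mountd entry and the URL with a few legitimate %20 escapes alone.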

    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260