14.2. Buffer Overflow

14.2. Buffer Overflow

Buffer overflow is one of the most popular and widespread yet one of the most difficult-to-use vulnerabilities. First, consider why programmers commit errors that make buffer overflow possible.

Programming languages like C++ allocate a memory buffer of a certain size for working with the data supplied by the user. User data are placed into the buffer by simply copying them to it. Most programmers calculate the maximum size of data that can be passed by a user to the program and allocate this much memory, perhaps with a little to spare, for the buffer. Most of them do not check for the exact size of the data entered by the user .

This makes it possible to pass the program too much information, which will simply not fit into the memory allocated to hold it and cause a program crash.

How can too much passed information crash a program? I will not burden you with programming and machine code intricacies, but simply consider a simplest buffer overflow example. A program can be thought of as occupying a single continuous memory block as follows :

 Code Code A 50-byte data buffer Code Code 

As you can see, the programmer allocated 50 bytes for the buffer to store user data, and placed this buffer in the middle of the code. But what will happen if the user passes , for example, 70 bytes to the program instead of 50 bytes? In this case, the extra data will overwrite the program code following the buffer. When the time comes to execute the code following the buffer, there will be no code to execute and the program will crash.

In older Windows versions, some buffer overflow bugs could crash the operating system itself. Windows 2000, XP, and Linux are hardened against buffer overflow errors and are more difficult to crash. But programs still crash.

The program crashing itself is only half the trouble. The other half is that experienced hackers can pass such data to the program, in which the first part, corresponding to the buffer size, is trash while the part following it is executable code written by the hacker to perform certain operations. This will make the program code look as follows:

 Code Code A 50-byte data buffer Hacker's code Hacker's code 

In this case, the buffer overflow will cause much greater damage than a simple program crash. If the program executes with root privileges, the hacker's code can perform any operations that require root privileges.

Buffer overflow bugs are becoming less common because of automatic code-checking utilities, but many of them are still around. There aren't that many good hackers able to use the buffer-overflow bug to insert their own code into a program. But programs exploiting the buffer-overflow bug written by such hackers can be used by anyone , which presents a major danger.

In addition to crashing the stack by exploiting the buffer-overflow bug, program code can be corrupted by improper formatting. Some functions may present a security threat if used in a certain way. Hackers may pass to them such information that when processed by the program will change the program's code. The principles of preventing the adverse effects of these errors are the same as those for preventing buffer-overflow effects, so I will not go into much detail on this aspect; moreover, users and administrators don't usually deal with machine codes.

What you should know is that when you find out that one of the services is vulnerable to a buffer-overflow attack and you can temporarily do without it, you should disable the service. If the service is not a necessary one, you can simply delete it.

If you need the service, the first thing you should do is visit the developer's site. Follow any recommendations on how to fix the error that you may find there. Sometimes, all you have to do is modify some configuration files, but sometimes a new version of the program has to be installed.

In 90% of cases, buffer overflow errors are fixed by updating the program. This is because such errors stem from incorrect code logic that can only be fixed by correcting the source code and recompiling the program.

If the developer offers no solution to fix the problem, limit the program's rights as much as possible. If a program belongs to root and its SUID or SGID bit is set (that is, the program executes with the root privileges even if run by a guest user), this bit must be cleared.

As universal protection against buffer overflow bugs, I can recommend the libsafe utility (available from www.research.avayalabs.com/project/libsafe ). This is a library that creates a buffer layer between the application software and the operating system. When system functions that may cause buffer overflow are called, the library substitutes these functions with its own versions. These are functional analogues of the system functions but are protected against buffer overflow.

The library has one shortcoming: It causes a slight productivity drop. But the library's advantages overweigh this shortcoming in many ways. The library does not protect against a certain program or a certain error, but against most potential problems. As you already know, it is impossible to protect against everything, because hackers constantly come up with new tricks, so the library does not provide 100% protection against buffer overflow errors. But the protection it does provide will allow your system to work uninterruptedly for a much longer period than it would otherwise .



Hacker Linux Uncovered
Hacker Linux Uncovered
ISBN: 1931769508
EAN: 2147483647
Year: 2004
Pages: 141

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net