Other Access Techniques

Password access isn't the only way to gain entry to a system. The following sections discuss some other common access techniques, including

• Buffer overflow

• Script tricks

• Session hijacking

• Email worms

Buffer Overflow

When a computer receives data over a network connection (or for that matter, even when it receives data from a keyboard), the computer must reserve enough memory space to receive the complete data set. This reception space is called a buffer. Network computer applications must provide a buffer to receive input. If user input overflows the buffer, strange things happen. If the input is not properly managed, the data that overflows the buffer can become resident in the CPU's execution area, which means that commands sent to the computer through a buffer overflow can actually be executed. The commands execute with the privileges of the application that received the data. Other buffer overflow attacks capitalize on the fact that some applications run in an elevated security context that can remain active when the application terminates unexpectedly.

To avoid buffer overflow problems, applications must provide a means for receiving and checking the size of the data before inserting the data into an application buffer. The solutions are largely a matter of good programming practice. Poorly designed applications are especially susceptible to buffer overflow attacks.

Some very popular and famous network applications have buffer overflow vulnerabilities. Many of these exploits are well known around the Internet, so intruders know exactly how and where to launch an attack. The Unix-based email server Sendmail is a common target for buffer overflow attacks. Microsoft's Internet Information Server (IIS) and other Microsoft products have also been victim to buffer overflow attacks in recent years. When a vendor discovers a possible buffer overflow vulnerability, the vendor often releases a patch that fixes the problem. Because of the huge public relations problems caused by public notice of a buffer overflow vulnerability, vendors have become vigilant about quickly repairing their software when an exploit is discovered. It is not surprising for a vendor to publish a patch within days or even hours of when a security problem is discovered. And good system administrators pay close attention to security alerts from organizations such as SANS (http://www.sans.org) so that they'll know when and where to obtain the latest patches for their systems. Organizations such as SANS also provide email newsletters with information on recent security threats.

Part of the solution to buffer overflow is good programming. Another part of the solution is to limit the scope of privileges available to the remote user who is attempting to exploit a buffer overflow. If possible, don't let network applications run with root or administrative privileges. For applications that require a high privilege level to function, tools such as chroot can create a limited security environment that prevents the intruder from gaining access to the system.

Script Tricks

As you learned in Hour 17, "HTTP, HTML, and the World Wide Web," common gateway interface (CGI) is an application interface used for integrating scripts with Web sites. CGI was greeted with much fanfare a few years ago, and CGI scripts are used widely on the Web. However, experts have discovered that CGI scripts (especially poorly written CGI scripts) are often vulnerable to attack.

In some cases, scripts that receive input from the user can be tricked into executing commands or providing output that the scripts were never intended to provide. The most susceptible CGI scripts are scripts that

• Start a subshell for interactive input.

• Do not check input carefully.

• Allow unrestricted use of metacharacters, characters that represent patterns. (The most familiar metacharacter is the asterisk (*), which represents all strings or all strings matching the rest of the search pattern.)

Input is often sent to CGI scripts through a URL query. If the CGI program does not contain the necessary safeguards, an intruder can phrase a query that will cause the CGI script to open a shell or output a critical system file.

Session Hijacking

Session hijacking is an advanced technique that exploits a vulnerability in the TCP protocol. As you learned in Hour 6, "The Transport Layer," the TCP protocol establishes a session between network hosts. Session hijacking calls for the intruder to eavesdrop on a TCP session and insert packets into the stream that appear to be part of the TCP session. The intruder can use this technique to slip commands into the security context of the original session. One common use of session hijacking is to get the system to reveal or change a password.

Of course, a hacker does not manually compose spoofed TCP segments on the fly. Session hijacking requires special tools. One famous tool used for session hijacking is a freeware application called Juggernaut.

Email Worms

Hour 18, "Email," describes how hackers use malicious email attachments to infiltrate a system. Certain email clients (most notably Microsoft's Outlook clients) treat an email attachment as an object and execute that object when you click on the icon. The Windows operating environment includes components that make it easy for applications to interact with other applications and execute commands related to the operating system itself.

The email worm arrives in the user's mailbox. When the user opens the attachment, instructions encoded with the attachment operate behind the scenes to open a pathway for an intruder. For example, the worm might make a change to Registry settings that will enable the intruder to achieve or expand system access.