This week, advisories were released for MySQL, PHP, libexif, gtkhtml, info2www, geneweb, f2c, XFCE, vixie-cron, at, nasm, aspell, urw-fonts, htdig, alsa-lib, curl, HelixPlayer, cvs, foomatic, monkeyd, mplayer, xloadimage, logwatch, kernel, OpenOffice, and PostgreSQL. The distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat, and SuSE.



Introduction: Buffer Overflow Vulnerabilities
By: Erica R. Thomas

In exploiting a buffer overflow vulnerability, the main objective is to overwrite some piece of control information in order to change the flow of control in the program. The usual way of taking advantage of this is to modify the control information so that code supplied by the attacker takes control. According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003) The stack is a region of memory used for temporary storage of information. In a stack-based buffer overflow attack, the attacker supplies more data than the program expects, overwriting adjacent data on the stack. Farrow explains this with an example: "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form the attacker types the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands spill onto the stack. When a function is called, the address of the instruction following the call is pushed onto the stack so that the function knows where to return control when it is finished. A buffer overflow allows the attacker to change a function's saved return address to point to memory where they have already placed executable code. Control is then transferred to the malicious code contained within the buffer, called the payload (Peikari and Chuvakin, 2004). The payload is normally a command that allows remote access or otherwise brings the attacker closer to controlling the system.
As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected - or give the hacker root access to the system." (Holden, 2004)

The best defense against any of these attacks is to have perfect programs. In ideal circumstances, every input in every program would be bounds-checked so that only a given number of characters is accepted. Therefore, the best way to deal with buffer overflow problems is to not allow them to occur in the first place. Unfortunately, not all programs are perfect, and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002) One technique forces the computer to use the stack and the heap for data only and never to execute any instructions found there. This approach can work for UNIX systems, but it can't be used on Windows systems. Farrow describes another scheme that uses a canary to protect against buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002) The stack canary protects the stack by being placed at sensitive locations in memory, next to the return address (the value that tells the computer where to find the next instructions to execute after it completes its current function). As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been hit, the program quits, because it knows that something has gone wrong. As a user of the programs, the best countermeasure is to make sure your systems are fully patched in order to protect yourself from exploits targeting the vulnerabilities.
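The postal-code scenario and the canary check from the article, modelled in C as an added example (this is not code from the article or its cited authors). The frame layout, the fixed canary value and the sample inputs are constructed for illustration: a 12-byte zip buffer sits directly below a 4-byte guard value, an unchecked copy of an oversized input clobbers the guard, and the check that runs "before the return address gets used" detects it; the bounds-checked variant beside it refuses the input instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a 12-byte postal-code buffer
 * followed by a 4-byte canary standing in for the guard placed next
 * to the saved return address. Not the layout of any real compiler. */
#define ZIP_MAX 12
#define FRAME_SIZE (ZIP_MAX + 4)
static const uint32_t CANARY = 0xdeadbeefu;   /* fixed for the demo; real canaries are random */

/* Copies `len` bytes of input into the frame without a bounds check
 * (the way an unchecked strcpy would), then verifies the canary the way
 * a canary-protected function does before returning.
 * Returns 0 if the canary is intact, 1 if the copy overwrote it.
 * The copy length is capped at FRAME_SIZE only so the model itself
 * never writes outside its own array. */
int canary_intact_after_copy(const char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    uint32_t guard = CANARY, after;
    memcpy(frame + ZIP_MAX, &guard, sizeof guard);  /* canary sits above the zip buffer */
    if (len > FRAME_SIZE) len = FRAME_SIZE;          /* keep the model within bounds */
    memcpy(frame, input, len);                       /* no check against ZIP_MAX: the bug */
    memcpy(&after, frame + ZIP_MAX, sizeof after);   /* check the canary before "returning" */
    return after == CANARY ? 0 : 1;
}

/* The fix the article asks for: bounds-check the input and reject it
 * rather than copy it. Returns 0 on success, -1 if it would not fit. */
int copy_zip_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) return -1;                    /* leave room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    char zip[ZIP_MAX];
    const char *flood = "AAAAAAAAAAAAAAAA";          /* constructed: 16 x 'A', longer than ZIP_MAX */
    printf("short input, canary clobbered: %d\n", canary_intact_after_copy("90210", 5));
    printf("flood input, canary clobbered: %d\n", canary_intact_after_copy(flood, strlen(flood)));
    printf("checked copy of flood accepted: %d\n", copy_zip_checked(zip, sizeof zip, flood) == 0);
    return 0;
}
```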

Read Full Article:
features/features/introduction-buffer-overflow-vulnerabilities

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address [e-mail address omitted] with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


Conectiva
Conectiva: MySQL Fixes for two mysql vulnerabilities
20th, April, 2005

Updated package.

Debian
Debian: New PHP3 packages fix denial of service
15th, April, 2005

Updated package.

advisories/debian/debian-new-php3-packages-fix-denial-of-service
Debian: New libexif packages fix arbitrary code execution
15th, April, 2005

Updated package.

advisories/debian/debian-new-libexif-packages-fix-arbitrary-code-execution
Debian: New gtkhtml packages fix denial of service
18th, April, 2005

Updated package.

advisories/debian/debian-new-gtkhtml-packages-fix-denial-of-service
Debian: New info2www packages fix cross-site scripting vulnerability
19th, April, 2005

Updated package.

advisories/debian/debian-new-info2www-packages-fix-cross-site-scripting-vulnerability
Debian: New geneweb packages fix insecure file operations
19th, April, 2005

Updated package.

advisories/debian/debian-new-geneweb-packages-fix-insecure-file-operations
Debian: New f2c packages fix insecure temporary files
20th, April, 2005

Updated package.

advisories/debian/debian-new-f2c-packages-fix-insecure-temporary-files-36661
Fedora
Fedora Core 3 Update: XFCE 4.2.1.1 (15 packages)
15th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-xfce-4211-15-packages-11-29-00-118890
Fedora Core 3 Update: vixie-cron-4.1-33_FC3
15th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-vixie-cron-41-33fc3-11-30-00-118891
Fedora Core 3 Update: at-3.1.8-70_FC3
15th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-at-318-70fc3-11-31-00-118892
Fedora Core 3 Update: nasm-0.98.38-3.FC3
18th, April, 2005

The new NASM packages contain fixes for CAN-2004-1287 and one additional vsprintf buffer overflow.

advisories/fedora/fedora-core-3-update-nasm-09838-3fc3-10-58-00-118899
Fedora Core 3 Update: php-4.3.11-2.4
18th, April, 2005

This update includes the latest stable release of PHP 4.3, including a number of security fixes to the exif extension (CVE CAN-2005-1042 and CAN-2005-1043) and the getimagesize() function (CVE CAN-2005-0524), along with many bug fixes.

advisories/fedora/fedora-core-3-update-php-4311-24-10-59-00-118900
Fedora Core 3 Update: aspell-bg-0.50-8.fc3
19th, April, 2005

aspell-bg-0.50-7 contains many false words. aspell-bg-0.50-8.fc3 fixes this problem.

advisories/fedora/fedora-core-3-update-aspell-bg-050-8fc3-10-07-00-118914
Fedora Core 3 Update: urw-fonts-2.3-0.FC3.1
19th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-urw-fonts-23-0fc31-11-11-00-118916
Fedora Core 3 Update: htdig-3.2.0b6-3.FC3.1
19th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-htdig-320b6-3fc31-11-24-00-118917
Fedora Core 3 Update: alsa-lib-1.0.6-8.FC3
20th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-alsa-lib-106-8fc3-09-54-00-118931
Fedora Core 3 Update: curl-7.12.3-3.fc3
20th, April, 2005

New curl version fixes CAN-2005-0490 problem (Multiple stack based overflows).

advisories/fedora/fedora-core-3-update-curl-7123-3fc3-09-54-00-118932
Fedora Core 3 Update: HelixPlayer-1.0.4-1.0.fc3.1
20th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-helixplayer-104-10fc31-11-02-00-118934
Fedora Core 3 Update: cvs-1.11.17-6.FC3
20th, April, 2005

Updated package.

advisories/fedora/fedora-core-3-update-cvs-11117-6fc3-11-19-00-118935
Fedora Core 3 Update: foomatic-3.0.2-13.4
20th, April, 2005

This is a minor bug-fix update.

advisories/fedora/fedora-core-3-update-foomatic-302-134-11-46-00-118936
Gentoo
Gentoo: OpenOffice.Org DOC document Heap Overflow
15th, April, 2005

OpenOffice.Org is vulnerable to a heap overflow when processing DOC documents, which could lead to arbitrary code execution.

Gentoo: monkeyd Multiple vulnerabilities
15th, April, 2005

Format string and Denial of Service vulnerabilities have been discovered in the monkeyd HTTP server, potentially resulting in the execution of arbitrary code.

Gentoo: PHP Multiple vulnerabilities
18th, April, 2005

Several vulnerabilities were found and fixed in PHP image handling functions, potentially resulting in Denial of Service conditions or the remote execution of arbitrary code.

Gentoo: CVS Multiple vulnerabilities
18th, April, 2005

Several serious vulnerabilities have been found in CVS, which may allow an attacker to remotely compromise a CVS server or cause a DoS.

Gentoo: XV Multiple vulnerabilities
19th, April, 2005

Multiple vulnerabilities have been discovered in XV, potentially resulting in the execution of arbitrary code.

Gentoo: Mozilla Firefox, Mozilla Suite Multiple vulnerabilities
19th, April, 2005

New Mozilla Firefox and Mozilla Suite releases fix new security vulnerabilities, including memory disclosure and various ways of executing JavaScript code with elevated privileges.

Gentoo: MPlayer Two heap overflow vulnerabilities
20th, April, 2005

Two vulnerabilities have been found in MPlayer which could lead to the remote execution of arbitrary code.

Red Hat
RedHat: Low: xloadimage security update
19th, April, 2005

A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-low-xloadimage-security-update-20631
RedHat: Moderate: logwatch security update
19th, April, 2005

An updated logwatch package that fixes a denial of service issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-logwatch-security-update-RHSA-2005-364-01
RedHat: Important: kernel security update
19th, April, 2005

Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system.

advisories/red-hat/redhat-important-kernel-security-update-85756
RedHat: Critical: RealPlayer security update
20th, April, 2005

An updated RealPlayer package that fixes a buffer overflow issue is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-realplayer-security-update-56018
RedHat: Critical: HelixPlayer security update
20th, April, 2005

An updated HelixPlayer package that fixes a buffer overflow issue is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-helixplayer-security-update-82453
RedHat: Important: firefox security update
21st, April, 2005

Updated firefox packages that fix various security bugs are now available. This update has been rated as having Important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-firefox-security-update-89533
SuSE
SuSE: php remote denial of service
15th, April, 2005

This update fixes the following security issues in the PHP scripting language.

SuSE: cvs (SUSE-SA:2005:024)
18th, April, 2005

The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects. The current maintainer of CVS reported various problems within CVS such as a buffer overflow and memory access problems which have been fixed within the available updates. The CVE project has assigned the CAN number CAN-2005-0753.

SuSE: OpenOffice heap overflow problem
19th, April, 2005

This security update fixes a buffer overflow in the OpenOffice_org Microsoft Word document reader which could allow a remote attacker sending a handcrafted .doc file to execute code as the user opening the document in OpenOffice.

SuSE: RealPlayer buffer overflow in RAM
20th, April, 2005

This update fixes a security issue within the RealPlayer media player.

SuSE: PostgreSQL buffer overflow problems
20th, April, 2005

Several problems were identified and fixed in the PostgreSQL database server.