How the Buffer-Stack Overflow Hacking Technique Compromises Web Security
The what? The stack-based buffer overflow attack is an ingenious, if complex, method for hackers to seize control of your server.
So, what is a buffer stack overflow? Let's say you're working on a large document in an application that requires a lot of memory, your PC freezes, and you get the "blue screen of death." The source of this problem is often the buffer stack, which is a data structure in the computer's RAM that stores information and small executables for the operating system.
By utilizing this stack, the OS doesn't have to search for the executables, function calls and data libraries each time it needs to perform a task. All of these are stacked up in RAM, like dishes, ready for the OS to fetch them when needed. Sometimes that buffer gets filled, though, and this causes the OS to crash.
Well, here's a sick thought: suppose someone could cause that to happen to your server and then, in place of the OS data in the buffer, substitute his own commands, like "delete" or "install virus"? Even if you're not a hard-tech type, you should be aware of this technique.
Step One: Entrance
In order to mess with the buffer stack (cause an overflow or add commands), the hacker must have an entrance to the server. This can be done by covertly setting up back door software on the server, possibly by means of a Trojan horse, delivered via an email message.
Step Two: Smashing the Stack
This is done by filling the stack with meaningless characters, like the letter "z", until the stack overflows. Under normal circumstances, this would cause the operating system to crash, since it can no longer access some of the code necessary to perform its functions. But if the hacker wants to do more than crash the server, he can load machine language commands instead.
Step Three: Running Commands
The buffer stack overflow is a great way to command an operating system. It not only allows someone to insert commands, but to create a command shell. In UNIX for example, you can create a backdoor using inetd, and the outgoing port can be used to manipulate an X-Windows session. The code that the hacker inserts works on the same principle as popular communication software, like PCAnywhere. The basic code permits the user to take control of the monitor, keyboard and mouse services.
If the prize is big enough, a persistent hacker will succeed and eventually create, say, a backdoor in inetd and /etc/inetd.conf if he's attacking a UNIX server. Then, he can run a command shell like /bin/sh. If it's a Windows machine, he can create a program to call wininet.dll.
This is complicated, high-tech stuff that requires patience and expertise. Among the skills needed are C programming and a knowledge of machine language. However, the buffer-overflow attack has become quite popular recently with certain hackers because of its ability to insert code into the OS buffer stack.
Or, just go to your favorite search engine and run a search on "Buffer Overflows." The first item on the page is from Wikipedia. It's a good read, especially if you're familiar with C coding.
The SANS Institute also stays up to date on recently discovered software "holes" that can lead to buffer stack overflows.
Note: I've tried to limit the site references here to "safe" ones. There are numerous sites on the 'net, set up by and for hackers. Professional security experts often visit these sites to download hacker software. Don't do this unless you have taken a number of precautions. Many of these sites will record the IP addresses of all visitors, and these aren't the kind of people who should have that kind of information!
If you're interested in investigating these sites, or even downloading their software to become familiar with hacking methods, set up a separate "lab" network and use a different ISP than you use for your professional network.
There are defenses against this form of attack, however.
For systems administrators:
1. Plug up all unused ports. Otherwise, you're just presenting one more opening to the hacker.
2. Monitor mailing lists. Mailing lists can contain Trojan horse executables, which will enable the hacker to create the back door in a user's workstation. And if there's a modem attached to that workstation, and the hacker knows the number...
3. Regularly test and apply new vendor patches. Check the Microsoft, Symantec and other sites.
4. Shut off unnecessary processes (FTP, HTTP, etc.). If you don't need a web server running, then you don't need port 80.
5. Control outgoing as well as incoming traffic. Hackers don't just put data into your server. They take it out, like when they're running Back Orifice.
For software developers, Ed Skoudis' Counter Hack advises:
1. Avoid programming mistakes involving the allocation of memory space.
2. The code review phase of development should specifically look for security-related mistakes.
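To make the "Step Two: Smashing the Stack" description and the two developer rules above concrete, here is an added example (not code from the article or from Counter Hack). It shows a hypothetical greeting handler written two ways: the unbounded strcpy form, where any input longer than the 16-byte stack buffer spills past its end and overwrites whatever sits above it on the stack, and the hardened form, which checks the length before copying and rejects input that does not fit. The function names, the buffer size and the sample inputs (including the run of "z" characters) are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* fixed-size stack buffer used by both handlers (constructed value) */

/* VULNERABLE form, shown for contrast only. strcpy copies until it sees a NUL
 * byte, so input longer than NAME_BUF-1 characters overruns 'name' and
 * overwrites the saved registers and return address stored above it. This is
 * the memory-allocation mistake a code review should flag. */
static void greet_unsafe(const char *input)
{
    char name[NAME_BUF];
    strcpy(name, input);              /* no bounds check */
    printf("Hello, %s\n", name);
}

/* How many bytes an input of input_len characters (plus its NUL terminator)
 * would write past the end of a NAME_BUF buffer. 0 means it fits. */
static size_t overflow_bytes(size_t input_len)
{
    size_t needed = input_len + 1;    /* characters plus terminating NUL */
    return needed > NAME_BUF ? needed - NAME_BUF : 0;
}

/* HARDENED form: measure first, reject anything that would not fit, then use
 * only bounded copies. Returns 0 on success, -1 if the input was rejected. */
static int greet_safe(const char *input, char *out, size_t outlen)
{
    char name[NAME_BUF];
    size_t len = strlen(input);

    if (overflow_bytes(len) != 0)
        return -1;                    /* would overrun 'name': refuse it */
    memcpy(name, input, len + 1);     /* bounded copy, includes the NUL */
    if (snprintf(out, outlen, "Hello, %s", name) >= (int)outlen)
        return -1;                    /* output buffer too small: refuse */
    return 0;
}

/* Convenience wrapper: returns the greeting, or NULL if the input was rejected. */
static const char *greet_safe_str(const char *input)
{
    static char out[64];
    return greet_safe(input, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one 40-character run of 'z'. */
    const char *short_input = "Roy";
    const char *long_input  = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";

    greet_unsafe(short_input);        /* harmless only because the input is short */
    printf("%s\n", greet_safe_str(short_input));
    printf("40-char input would overrun the buffer by %zu bytes; rejected=%d\n",
           overflow_bytes(strlen(long_input)),
           greet_safe_str(long_input) == NULL);
    return 0;
}
```

The review point is the shape of the fix rather than the specific call: every copy into a fixed-size buffer is preceded by a length check against that buffer's size, and the output is built with a function that takes the destination size. Compiling with warnings enabled and stack protection on (for example -Wall and -fstack-protector with GCC or Clang) turns the remaining mistakes of this kind into compile-time warnings or a controlled abort instead of silent corruption.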
Finally, if you feel your server has been attacked in this manner, load the vulnerable software program, even if it's the OS itself, onto a lab server and search the source code with a debugger.
"Both AMD and Intel have said that they are adding hardware support to their processors to stop the exploitation of buffer overflows: in effect, adding the ability to make critical areas of memory incapable of holding code that will execute. The processor can read and write it as usual so a buffer overflow can happen, but if the compromised address tries to transfer control to within the buffer -- where the virus lives -- the processor will refuse and an error will be generated." From ZDNet News.
By: Roy Troxel