|
|
How to beat software's gaping security hole
Microsoft's apps are vulnerable. So are Oracle's. All sorts of programs and operating systems can be brought to their knees by a buffer-overflow attack.
|
By Robert Vamosi
Associate editor, CNET Software
(4/10/02)
Associate editor, CNET Software
(4/10/02)
Last month, Microsoft reissued its buffer-overflow vulnerability announcement for Simple Network Management Protocol (SNMP), which is included within every edition of Windows except Windows Me. This follows Microsoft's announcements earlier this year of buffer-overflow vulnerabilities in the ISAPI filter in Microsoft Commerce Server 2000, in Microsoft SQL Server, and in Telnet Server in Windows 2000.
And it's not just Microsoft that's having trouble with buffer overflows. Carnegie Mellon's CERT also announced a buffer-overflow vulnerability in Oracle's supposedly unbreakable Oracle 8i and Oracle 9i servers. So what exactly are buffer overflows, and why haven't programmers gotten rid of them?
Your buffer runneth over
First, a few simple definitions. A stack is a data structure in which the most recently added item is the first removed; a buffer is a temporary storage area. If a program sends a string of data to a fixed-sized buffer on a stack, everything's fine, and the program usually works as designed. But if an attacker sends a string of data that is too long for the application to handle, it can fill up the buffer's available memory. And, if the attacker is good at this, he or she can then replace the saved return address on the buffer with another value so that the malicious code is executed instead of the original program.
| An attacker can then replace the saved return address on the buffer with another value so that the malicious code is executed instead of the original program. |  |
|
One exploit that successfully took advantage of a buffer-overflow vulnerability was the Morris worm. On November 2, 1988, Robert Morris Jr. found and exploited a buffer-overflow condition in the finger service of Unix. In his buffer-overflow attack, Morris replaced finger with shell code that was used to copy a program that uploaded, linked, and ultimately executed the worm on other systems. From there, the Morris worm took off unchecked, exceeding even the creator's original intent.
If you're really curious about how malicious users create these exploits, the hacker group Cult of the Dead Cow has an online tutorial.
The cost of protection
What can be done to prevent this type of attack? When programming a buffer, software developers could set the program to respond to a worst-case scenario. For example, if an overflow condition existed, the program could throw away the excess data, halt all operations, or provide the user with a warning message.
| In his attack, Morris replaced finger with shell code used to copy a program that uploaded, linked, and executed the worm on other systems. | |
|
The trouble is, even if we started imposing stricter programming standards or began certifying software through some nonpartisan software clearinghouse as some have proposed, a lot of existing systems would remain vulnerable for years to come. The question is, is it too late to stop the tide of buffer overflows? I don't think so. But it will take a long time to defeat this menace.
Would you accept slower performance in exchange for protection against buffer overflows? Do you have any suggestions for how to beat this threat? TalkBack to me!
| Security Watch archive | Read product reviews  |
 |
Next steps |
| |
| |
•
Find DSL in your area
• Download security and encryption apps
• Make sure your computer is up-to-date with CNET CatchUp
• Download security and encryption apps
• Make sure your computer is up-to-date with CNET CatchUp
