1

Buffer Overflows with Content

2

A Process Stack

3

Buffer Overflow

Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the

INETD daemon The addition of new users to a system Establishing a trust relationship between the

victim machine and the attackers machine

4

Example - AMD Buffer Overflow

Port 2222 is a rootshell left by the AMD exploit

5

Detecting Buffer Overflows by Protocol Signatures

Protocol Signature Look for anomalous traffic, such as remote traffic

targeted at facilities that should not be accessible to a remote user.

e.g. a remote user trying to connect to the Portmapperprocess

Payload Signature No-OP instructions to pad the exploit code Script signatures Abnormal user data and responses

6

IMAP Buffer Overflow

7

IMAP Buffer Overflow Cont

8

IMAP Buffer Overflow Cont

9

IMAP Buffer Overflow Cont

ls aecho + + > /.rhosts

10

NO-OP Hex Code Based on Processor Type

11

Script Signatures NO-OP Overflow

12

Script Signatures NO-OP Overflow Cont

13

Script Signatures NO-OP Overflow Cont

This frame shows a large number of hex 90s followed by some machine code, some ASCII strings, and a literal command /bin/sh -c

14

Abnormal ResponsesFTP Authentication Buffer Overflow FTPD exploit

The password supplied in response to the FTPD prompt is suspiciously large

15

Defending Against Buffer Overflows

strcpy and strncpy Introduce bounds checking into C programs Stack-based buffer overflow - CPU executes

code that is resident on the stack Only code in the code space can be executed

16

Fragmentation

17

Fragmentation

Attackers can use fragmentation to mask their probes and exploits

Fragment offset is specified as a quantity of 8-byte chunk The size of all legal nonterminal fragments must

be multiples of 8 bytes Any fragmented packets with a byte size

divisible by 8, except for the last one

18

Boink Attack

IP stack has no concept of negative math

Availability DoS

19

Teardrop Attack

20

evilPing

.

21

evilPing

22

Modified Ping of Death

23

Modified Ping of Death

24

CGI Scan

The attacker is running a script that attempts a number of Web server exploits, such as /cgi-bin/rwwwshell.pl

25

CGI Scan Cont

26

PHF Attack

CVE-1999-0067

27

Some Example CGI CVE Entries

CVE-1999-0068 CGI PHP mylog script allows an attacker to read any file

on the target server. CVE-1999-0467

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter

CVE-1999-0509 Perl, sh, csh, or other shell interpreters are installed in the

cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

28

SGI IRIX Object Server

CVE-2000-0245 A vulnerability in an SGI IRIX object server

daemon Allow remote attackers to create user accounts Port 5135: the SGI object server

Scan one to goodguy-a.com yields nothing

29

SGI Object Server Cont The scan to goodguy-b.com is a bust

30

SGI Object Server Cont The start of the bad guy

The user zippy is added

Buffer Overflows with ContentA Process StackBuffer OverflowExample - AMD Buffer OverflowDetecting Buffer Overflows by Protocol SignaturesIMAP Buffer OverflowIMAP Buffer Overflow ContIMAP Buffer Overflow ContIMAP Buffer Overflow ContNO-OP Hex Code Based on Processor TypeScript Signatures NO-OP OverflowScript Signatures NO-OP Overflow ContScript Signatures NO-OP Overflow ContAbnormal ResponsesDefending Against Buffer OverflowsFragmentationFragmentationBoink AttackTeardrop AttackevilPingevilPingModified Ping of DeathModified Ping of Death CGI ScanCGI Scan ContPHF AttackSome Example CGI CVE EntriesSGI IRIX Object ServerSGI Object Server ContSGI Object Server Cont