Security Portal: Kurt's Closet: Protecting yourself from your software
Nov 03, 1999, 06:23
(Other stories by Kurt Seifried)
"Many, but not all, computer security incidents are executed against software. Software is what makes a computer useful, and implementing security usually costs money and makes the system more difficult to use (how many users choose good, and hence hard to remember, passwords?). In addition, with the growing popularity of GNU and other open source software, people are downloading source code/binaries off the Internet, not all of which are properly programmed/designed, leading to more security concerns. ftp.win.tue.nl was broken into and several packages were modified; 50-odd downloads occurred before they discovered the problem and fixed it. How many other sites have had this happen where it was not caught? Or someone manages to break into your machine by exploiting software problems: even if you do keep all your software up to date, someone will come out with a new attack that takes time to fix...."
"Now we get to one of the nastier problems. Buffer overflows are very common and can be used to gain root access remotely in many cases via network services (which run with elevated privileges due to the need to access ports <1024). Recently Wu-FTPD and ProFTPD suffered a number of overflows that would result in root-level access on the compromised machine."
"C and C++ (which is what the majority of UNIX software is written in) allow programmers to make rather bad mistakes when it comes to handling data (especially string data). Without getting too technical (if you want technical, see the links later on in this document), a buffer overflow occurs when someone manages to feed a program data it doesn't check properly. For example, if a program takes a filename as an argument and you feed it a 5000-character string, it might barf; this is indicative of a buffer problem. This program might take the string and feed it into, say, a 100-character buffer, leaving 4900 characters that get shoved into the address space of the program. All you need to do is structure those characters properly and you can get the CPU to execute whatever you want, and if the program is setuid (runs as root) then you can do anything you want, really. There are literally hundreds of buffer overflows found each year in various software packages, ranging from Wu-FTPD to IIS 4.0 for NT."
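The filename-into-a-100-character-buffer scenario above, written out as an added C example (not code from Kurt's article or from any of the packages it names). The unchecked function shows the defect pattern the article describes; the checked function shows the fix a maintainer would apply: measure the input against the buffer size before copying and refuse anything that does not fit. `NAME_MAX_LEN`, the function names and the constructed test inputs are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 100   /* assumed buffer size, matching the article's example */

/* Defect pattern: strcpy() copies until it meets a NUL terminator and never
 * looks at how large buf is, so an argument of 100 or more characters writes
 * past the end of buf into whatever follows it on the stack.
 * Only ever call this with short, trusted input; it exists here for contrast. */
int open_unchecked(const char *arg) {
    char buf[NAME_MAX_LEN];
    strcpy(buf, arg);               /* no length check: the bug under discussion */
    return (int)strlen(buf);
}

/* Fix: bound the scan to the destination size. memchr() looks at no more than
 * dstsz bytes of src; if no terminator is found inside that window the input
 * cannot fit together with its terminator and is rejected without copying. */
int copy_filename_checked(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                  /* too long for dst: refuse it */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator, all inside dst */
    return (int)n;
}

int open_checked(const char *arg) {
    char buf[NAME_MAX_LEN];
    if (copy_filename_checked(buf, sizeof buf, arg) < 0)
        return -1;                  /* caller sees a clean error instead of corruption */
    return (int)strlen(buf);
}

/* Test helper: builds a constructed argument of len 'A' characters and feeds it
 * to the checked path, returning what open_checked() returned. */
int probe_checked(size_t len) {
    char *big = malloc(len + 1);
    if (big == NULL)
        return -2;
    memset(big, 'A', len);
    big[len] = '\0';
    int rc = open_checked(big);
    free(big);
    return rc;
}

int main(void) {
    printf("short name, unchecked: %d\n", open_unchecked("report.txt"));
    printf("short name, checked:   %d\n", open_checked("report.txt"));
    printf("99 chars, checked:     %d\n", probe_checked(99));
    printf("100 chars, checked:    %d (rejected)\n", probe_checked(100));
    printf("5000 chars, checked:   %d (rejected)\n", probe_checked(5000));
    /* open_unchecked() is deliberately not called with the long inputs. */
    return 0;
}
```

The 99-character case is the boundary worth noticing: it is the longest input that still fits with its terminator, and 100 characters is already one too many, which is exactly the off-by-one that length checks written as `<=` instead of `<` tend to miss.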