1. Who is this article for?
Well, if you are a beginner with security concepts, a
frustrated system administrator, a curious person or just
someone with a lot of free time, this article is for you.
2. What should I know before reading this article?
Not much. This is a very basic guide. The requirements for
the more advanced articles on this subject (C, assembly, etc.)
will help you but are not a must. A basic knowledge of
computer software concepts and memory management will be
enough.
3. What is a buffer overflow?
A buffer overflow is a software condition caused by poor
programming habits: a program copies data into a region of
memory without checking that the data fits. A well-known
recent example (as of this article, September 2001) is the
'Code Red' worm, which took advantage of a buffer overflow in
Microsoft's IIS web server (in its Indexing Service ISAPI
extension). In general, a buffer overflow occurs when a
program declares a variable with a fixed length (for
example, 20 bytes long) but the value written into this
variable is larger than the variable's size; the extra bytes
are written past the end of the variable, into whatever is
stored in memory right after it.
Take this example:
My program prints to the screen: "Please type your first
name:". My program takes the input from the user (his first
name) and places it in a variable I declared in my program.
A problem arises if the variable that holds the user's name
is 15 bytes long (looks long enough for a first name), but
the user's name is 25 bytes long. What happens is that all
bytes after the 15th byte "overflow" the memory that was
allocated for the name variable and land in whatever is
stored after it.
When the program starts, memory is allocated like this:

<var1    ><var2><vname        ><other things in memory>
 10 bytes  6 b   15 bytes
(var1 and var2 are irrelevant variables; vname is the
variable that will contain the name the user inputs, and its
size is 15 bytes.)
Assuming the user inputs the name
"abcabcabcabcabcabcabcabcabc" (27 bytes), the memory will
look like this:

somevalue2avalusabcabcabcabcabcabcabcabcabc
<var1    ><var2><vname        ><other things go here>
So what happened here is that the variable vname was
"overflowed" by the input from the user, and the value of
"other things in memory" changed because of the overflowing
characters from the user's input. (The exact order of
variables in memory is decided by the compiler, not by the
order you declare them, but whatever sits right after vname
is what gets overwritten.)
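To see the picture above in running code, here is an added example written in C (the language such programs are usually written in); it is not code from the original article. The struct, its field names and the sample values are assumptions chosen to mirror the diagram: a struct is used because the compiler, not the programmer, decides where stack variables really land, and a struct pins the order down. naive_copy_name is the article's bug (copy everything, check nothing); bounded_copy_name is the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the article's picture: var1 (10 bytes),
 * var2 (6 bytes), the 15-byte name buffer, then "other things in memory".
 * All fields are char arrays, so there is no padding between them. */
struct layout {
    char var1[10];
    char var2[6];
    char vname[15];
    char other[18];
};

#define VNAME_OFF offsetof(struct layout, vname)

/* The article's bug: copy the whole input into vname with no length check.
 * Writing through a byte pointer to the enclosing struct keeps the demo
 * well-defined C while still clobbering whatever follows vname. */
void naive_copy_name(struct layout *l, const char *input)
{
    unsigned char *mem = (unsigned char *)l;
    size_t n = strlen(input) + 1;              /* include the NUL */
    for (size_t i = 0; i < n; i++)
        mem[VNAME_OFF + i] = (unsigned char)input[i];
}

/* The fix: never write more than sizeof vname, always NUL-terminate,
 * and tell the caller when the input had to be truncated (returns 1). */
int bounded_copy_name(struct layout *l, const char *input)
{
    size_t max = sizeof l->vname - 1;
    size_t len = strlen(input);
    size_t n = len < max ? len : max;
    memcpy(l->vname, input, n);
    l->vname[n] = '\0';
    return len > max;
}

/* Fill memory with the article's values, run one of the two copies and
 * report whether "other things in memory" survived: 1 = corrupted,
 * 0 = intact, -1 = the input would not even fit inside the struct
 * (the demo refuses that case so the write stays inside the object). */
int run(const char *input, int use_bounded)
{
    static const char other_before[18] = "OTHER THINGS HERE";
    struct layout l;

    memcpy(l.var1, "somevalue2", sizeof l.var1);
    memcpy(l.var2, "avalus", sizeof l.var2);
    memset(l.vname, 0, sizeof l.vname);
    memcpy(l.other, other_before, sizeof l.other);

    if (use_bounded) {
        bounded_copy_name(&l, input);
    } else {
        if (VNAME_OFF + strlen(input) + 1 > sizeof l)
            return -1;
        naive_copy_name(&l, input);
    }
    return memcmp(l.other, other_before, sizeof l.other) != 0;
}

int main(void)
{
    /* The 27-byte name from the article's diagram (constructed input). */
    const char *name = "abcabcabcabcabcabcabcabcabc";
    printf("naive copy:   other corrupted = %d\n", run(name, 0));
    printf("bounded copy: other corrupted = %d\n", run(name, 1));
    printf("short name:   other corrupted = %d\n", run("bob", 0));
    return 0;
}
```

With the naive copy the 12 extra characters (and the terminating NUL) land in `other`; with the bounded copy the name is silently cut to 14 characters and `other` is untouched. In a real program the thing after the buffer is rarely a harmless string, which is what the rest of this article is about.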
Those of you with a criminal mind are asking by now: "So
how can I exploit this?"
Before we get to that, there are some important basic things
we should know about computer architecture. In this article
we will discuss Linux, but the concepts are similar on
other platforms.
4. Processes
The basic functioning unit in a running computer is a
process. Everything the computer does is divided into
processes, and the operating system is in charge of dividing
the computing power between all the processes running
together. On a single CPU there is no such thing as true
multiprocessing: the CPU switches between processes so
quickly that it looks like many tasks are done
simultaneously, but it is only a trick the computer plays on
us slow-minded humans. (A machine with several CPUs really
does run several processes at once, but each CPU still
switches between its processes the same way.)
Each process has its own address space, a part of memory that
belongs only to it; no other process can access this memory
(except through facilities the OS explicitly provides, such
as shared memory). Which brings us to the next thing you have
to understand:
5. Memory management
Modern operating systems manage memory as virtual
memory. That means that no application has direct access
to physical memory. The OS keeps mapping tables (page
tables) between the real physical addresses of memory and
virtual addresses. When memory is allocated for a program to
run, only the virtual address is handed to the program, never
the physical address. Another benefit of virtual memory is
that, because memory is not accessed directly by each process
(or program), the OS can use space on the hard disk as
memory, and the application never knows that the memory it
is using now is not physical RAM but hard disk swap space.
For buffer overflows this matters in one way: every address
you will see in a debugger or use in an exploit is a virtual
address, private to that one process.
Now we get to the fun part: how is all that going to give me
root access to an exploitable system? Remember we said
earlier that when the input from the user is longer than the
memory that was allocated for it, the extra input overflows
everything in memory that comes after the variable? This is
where we can take advantage of things.
What we do is this: inside our input string (in the example
above, the first name we type) we put commands for the
computer, as machine code, and with the same overflow we
overwrite the data the program keeps after the buffer (on
Linux, the saved return address of the function on the
stack) so that the program jumps into our code instead of
returning normally. The most popular thing to make the
computer do is spawn a shell, which we can then use to take
full control of the exploited system; if the vulnerable
program runs as root (a setuid binary or a system daemon),
so does the shell. Making this work is not as simple as it
may sound, so if you want to understand how it is done, you
will have to read the next article about buffer overflows,
which will describe exactly how to exploit one.
Credits:
09/09/2001
by Yossi