Buffer Overflow?

Discussion in 'other anti-malware software' started by WilliamP, Apr 22, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From this, it's impossible to analyze the exploits. It seems to be very difficult to find analyses of current buffer overflow exploits so that a user can determine how to prevent them.

    In addition to those already mentioned in other places on the forum, I found:

    Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
    http://www.milw0rm.com/exploits/1458

    ICQ Vulnerability
    Multiple ClamAV Vulnerabilities
    http://www.uscert.gov/current/current_activity.html

    If anyone can find others, it would be helpful. Otherwise, the user is left with a maze of statistics that afford no information about how current exploits work, what the attack vector is, etc.

    Please, No PoC tests. Real live exploits only.

    Also I'm interested if anyone knows of other browser addons which run their files automatically, such as Flash objects do.

    See my post #86 above.

    thanks,


    ----
    rich
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Did you look at mi***rm and me******it?
     
    Last edited: Apr 26, 2008
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes (see above)

    What I've seen so far are those that target specific applications.

    Aren't those mentioned in the cwe.mitre.org list analyzed somewhere? How do we know what the specifics are?

    EDIT

    Add:

    http://www.milw0rm.com/remote.php

    These are interesting PoC, all attacking specific applications.


    ----
    rich
     
    Last edited: Apr 25, 2008
  4. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    http://download2.rapid7.com/r7-0025/
    http://download2.rapid7.com/r7-0025/nv_exploit.c
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Note the following analyses:

    Hundreds of thousands of SQL injections
    http://isc.sans.org/diary.html?storyid=4331

    Targeted attacks using malicious PDF files
    http://isc.sans.org/diary.html?storyid=4330

    Why aren't there more analyses like these of current in the wild buffer overflow exploits? Has anyone noted how many in the wild such exploits there currently are?

    The cwe.mitre.org reference is a list of "publically reported vulnerabilities."

    Not analyses of in the wild exploits.


    ----
    rich
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  7. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
  8. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    It's 2 yr old and there's not a KNOWN FIX. I can not find anything to prove it, but some people are more than likely using it.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    thanks -

    except for two phishing scams, the others are just vulnerability advisories.

    Hoping to find reports of current attacks utilizing these vulnerabilities...


    ----
    rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What leads you to this conclusion? Until reports by victims appear somewhere, how can you be sure?

    I don't disregard advisories of vulnerabilities, but I want to see evidence of a current attack. For example, in the pdf files exploit linked above:

    Otherwise, the vulnerability remains on my hypothetical list, and may or may not warrant action.

    In the case you cite, it's a Linux driver, not applicable to my system. In fact, the milw0rm list above didn't contain any applications that I use.


    ----
    rich
     
    Last edited: Apr 25, 2008
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  12. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    It would seem to reason that if they did not know they have the NVIDIA Binary Graphics Driver, then they have no clue that they are vulnerable!! Of course there is not going to be a report. Many people are not up to date with all this stuff like people on this forum and other security forums, just as you did not know that there was a vulnerability in half the things you have read from this thread, including the NVIDIA Binary Graphics Driver vulnerability. Now you're informed, and if there's nothing from the things listed here that pertains to your risk category, it would be a waste of time to continue searching for the ghost in the machine :D But if you really want to find out how and who has been hit with BO and things like that, hit some Black Hat sites; there you will find tools, pre-made scripts to do the things that you want to see. Most victims are not going to know what they just got hit with; all they know is their computer is dead.
     
    Last edited: Apr 25, 2008
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  14. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    After starting and following this thread with interest I went into DEP on this computer and changed data execution to always on. When my wife tried to open Excel it wouldn't open. I went back in and put it back to OptIn and Excel opened. I don't know if DEP was the problem but I did get two Event numbers 1000 and 2001. I posted this for the information. Someone may run into the same situation.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't have any problems with Excel, but my Excel comes from MS Office 2000 Pro, so my Excel is quite old.

    With AlwaysOn, I have 3 major problems; I can't open:
    1. IZArc
    2. R-Wipe & Clean
    3. PerfectDisk
    even when I exclude them (Windows and/or CMF).
    Besides, "AlwaysOn" blocks the exclusion lists (greyed out).

    I now use OptOut without exclusions, and the ScanIt test was also successful.
     
    Last edited: Apr 25, 2008
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, MrBrian for the links. A quick check showed:

    Miranda IM Multiple Buffer Overflow Vulnerabilities

    Will look more closely later.


    ----
    rich
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yeah, I also think that OptOut is a good trade-off between security and usability.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Last edited: Apr 26, 2008
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The web page 'OS-Based Mitigations Against Common Attacks' (http://perimetergrid.com/wp/2008/02/04/os-based-mitigations-against-common-attacks/) contains a nice summary of technologies that operating systems have introduced to try to prevent buffer overflow attacks. Some notes about the various sections as they pertain to Windows:
    a) 'Stack Canaries': Only programs compiled with the /gs flag take advantage of this feature. This was first possible to do in the year 2002. The first version of Windows itself to be compiled with the /gs flag was Windows XP SP2. Programs compiled with the /gs flag in earlier versions of Microsoft's development tools do not have as strong Stack Canary protection as programs compiled with the /gs flag in later versions.
    b) 'Hardware Data Execution Protection': This became available with Windows XP SP2. Your hardware has to support this feature in order for it to be available. In Windows' default settings of DEP, only code that has been compiled to use this feature will use it, and thus most 3rd party programs by default do not benefit from hardware DEP. XP SP3 and Vista SP1 added the capability for the user to specify which programs to opt-in to using DEP.
    c) 'Address Space Layout Randomization': This was first used in Vista. Only code that has been compiled to use this feature will use it, and thus most 3rd party programs do not benefit from Address Space Layout Randomization in Vista.
    d) 'Safe Structured Exception Handling': This is also known as software DEP, and is not the same thing as hardware DEP. This became available with Windows XP SP2. In Windows' default settings of DEP, only code that has been compiled to use this feature will use it to its full effect. Code that has not been compiled to use this feature can still use a weaker form of Safe Structured Exception Handling (source: http://technet.microsoft.com/en-us/library/bb457155.aspx). XP SP3 and Vista SP1 added the capability for the user to specify which programs to opt-in to using DEP.

    The article 'Improving Software Security Analysis using Exploitation Properties' (http://www.uninformed.org/?v=9&a=4&t=txt) gives a good recent (Dec 2007) summary of the known limitations of the technologies that operating systems have introduced to try to prevent buffer overflow attacks. The article also includes a case study on why the animated cursor (ANI) exploit, fixed in April 2007, was able to work reliably even on Vista. Here is a quote from the article:

    http://blogs.zdnet.com/security/?p=999 contains an interview with the winner of the March 2008 Pwn2Own hacking contest. They explain how they were able to exploit Adobe Flash on Vista. http://blogs.zdnet.com/security/?p=993 is another article on the same topic.

    http://blog.threatfire.com/2007_08_01_archive.html is a web page titled 'How do Storm, NotFound and other threats infiltrate so many PC's?'

    See this thread for an article titled 'Bypassing 3rd Party Windows Buffer Overflow Protection.' It explains how 3rd party buffer overflow protection programs operate, as well as their limitations.

    From these readings, I have come to the conclusion that it's a good idea to use both operating system-provided buffer overflow protection technologies, such as DEP, and also a 3rd party buffer overflow protection product, such as Comodo Memory Firewall. There are bypasses possible in either approach, and thus having both provides a stronger defense IMHO.
     
    Last edited: Apr 26, 2008
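    To make the 'Stack Canaries' point above concrete, here is an added example (not from the thread or from any of the linked articles) that models in portable C what a /GS-style cookie catches and what it misses; the frame layout, the MASTER_COOKIE value and the function names are constructed for illustration, not taken from any compiler's actual implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a /GS-protected frame: the compiler puts a security
 * cookie between the local buffer and the saved return address and compares
 * it with a master cookie before returning. This struct only mimics that. */
struct gs_frame {
    char     buf[16];
    uint32_t cookie;      /* checked in the epilogue */
    uint32_t saved_ret;   /* stands in for the saved return address */
};

#define MASTER_COOKIE 0x5EC0DE11u   /* hypothetical per-module cookie value */

enum gs_result { GS_OK = 0, GS_TRUNCATED = 1, GS_COOKIE_CORRUPT = 2 };

/* Unbounded copy, as in a strcpy()-style bug: bytes beyond buf spill into the
 * cookie and then the return address. The write is clamped to the frame so the
 * model stays within defined behaviour; a real overflow would not be. */
enum gs_result gs_unbounded_copy(const char *input, size_t len)
{
    struct gs_frame f = { {0}, MASTER_COOKIE, 0x00401000u };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return f.cookie == MASTER_COOKIE ? GS_OK : GS_COOKIE_CORRUPT;
}

/* Bounded copy: the fix the thread is asking developers for. The cookie is
 * never reached; oversized input is reported instead of silently truncated. */
enum gs_result gs_bounded_copy(const char *input, size_t len)
{
    struct gs_frame f = { {0}, MASTER_COOKIE, 0x00401000u };
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    if (f.cookie != MASTER_COOKIE) return GS_COOKIE_CORRUPT;
    return len > n ? GS_TRUNCATED : GS_OK;
}

/* Limitation the linked articles describe: a write that lands past the
 * cookie (an out-of-range index, or an SEH record further up the stack)
 * changes control data without touching the cookie, so the check passes.
 * That gap is what DEP, SafeSEH and ASLR are meant to cover. */
enum gs_result gs_indexed_write(size_t index, unsigned char value)
{
    struct gs_frame f = { {0}, MASTER_COOKIE, 0x00401000u };
    if (index < sizeof f) ((unsigned char *)&f)[index] = value;
    return f.cookie == MASTER_COOKIE ? GS_OK : GS_COOKIE_CORRUPT;
}
```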
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Java, JavaScript, and possibly others, assuming they're enabled. See section 'Browser changes' of http://en.wikipedia.org/wiki/Eolas for more details about automatic activation issues.
     
    Last edited: Apr 26, 2008
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A report from Symantec (http://esj.com/Security/article.aspx?EditorialsID=2486&pg=1) nicely explains the current situation regarding Vista and exploits:

     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Some good news: a correction to my post #67 about return-to-libc buffer overflow exploits is needed. If a program has been compiled to use Stack Canaries (see post #119), then return-to-libc buffer overflow exploits may be difficult or impossible to do.

    Some bad news: for situations where return-to-libc buffer overflow exploits can occur, a new method has been found that increases the power of this type of exploit greatly. Here is a quote from the paper 'The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)' (www.cs.ucsd.edu/~hovav/dist/geometry.pdf):

     
  23. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    There's no real solution against BO exploits (what about an exploit that targets Comodo protection :) ).
    Any developer should "stress" his software before any release: by fuzzing (there are many, like the French Fusil or Ufuz3 from Eeye) or with a specialized application like BinDiff.
    There are also some code vulnerability assessment services like those provided by Veracode, for instance.

    I'm convinced that a Google search or any great article can't be helpful to circumscribe the BO threat: building our own exploit for education and research purposes is much more interesting.
    But for about 1300 dollars, ethical hacking and vulnerability assessment of our private systems are possible with Canvas (there's also another well known open source exploit platform, but I guess that it violates the forum policy).

    Of course anyone can find exploits on underground sites like Milw0rm, or via exploit search databases like OVS or Xploit search, for instance.
    But the most interesting exploits are of course the unpublished ones, those that you build yourself, or those sold via ICQ for 10 000 dollars or more...

    And recently a team of researchers has added an "escalation" in the vulnerability/patch cat and mouse game (a summary by the SANS and original news here).

    I was always surprised, when visiting this forum, by the "Software as Security" religion: since we're convinced that code can be broken, it should not be a religion anymore...

    But there is of course a difference between what is technically possible (BO exploits) and what statistically happens: so we can use a computer for one, two or five years without being the victim of a BO exploit.

    Windows is currently the most attacked OS (because it is the most used).
    Open source OSes are also vulnerable, but are less attacked (like OpenBSD, one patch in 10 years).

    Regards
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This site states that "approximately a third of all vulnerabilities in Microsoft products had publicly available exploit code in 2007, the same as the previous year."
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Symantec has some very nice reports available about Internet security trends over a 6 month period. It is noted in the latest report that 73% of the vulnerabilities found in the last half of 2007 were considered to be "easily exploitable." See the link for how Symantec defines the term "easily exploitable."
     