Buffer Overflow Exploit POC

Discussion in 'other security issues & news' started by StevieO, Jul 20, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi SteveO,

    Based upon the discussions in earlier discussions, the key issue for desktop users is whether a buffer overflow exploit can find a "target" on a typical home user platform. The article alluded to this:

    "A hacker I know created a program to automatically find an char array and overflow it to see if it was vulnerable, although I cannot give you this, according to our black hat lore Wink "

    Does such a program exist, that can scan a desktop PC that:

    a) Locate a process that has a buffer overflow vulnerability and then ...
    b) Somehow exploit it

    Known, targets for buffer overflows, seem to exist on servers, e.g. SQL Server. What's more SQL Server DBMSs, are designed to listen for incoming messages and responding to them. This makes them good target for such an attack. (I do not know whether this particular vulnerability still exists - but it was an example given in the previous discussion thread).

    As of today, I am not aware of any similar target program on the average desktop PC. However, if there was one, it would still be necessary for a program to get through the primary desktop security protection in order to exploit it. (I use KAV+ProcessGuard+WormGuard to try to stop such a process from ever getting started).

    So, bottomline, my understanding is that there is a very low probability of such a threat actually occurring on a desktop PC, but probably a higher probability on a server.

    This is my current understanding, and I await further comments.

    Rich
     
  3. Jack Harper

    Jack Harper Guest

    JPG buffer overflow.

    Zone alarm buffer overflow

    Firefox buffer overflow
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    It is my understanding that these buffer overflows have been fixed with vendor patches. Please correct me if I am wrong.

    Rich
     
  5. Jack Harper

    Jack Harper Guest

    Those that are known to the unwitting public yes.

    Just giving you examples of real world examples affecting non servers setups that aren't 'designed to listen for incoming messages and responding to them'. You can bet many exist that aren't publicised. The more programs you run, the higher possibility of this happening.

    Ah 'layering', the ultimate one word answer that allows everybody to sleep like a baby at night. A vodoo chant that can counter any conceviable threat. :)

    It goes without saying that everyone here already understands the importance of this, but it doesn't prevent us for looking for direct and better solutions.

    Your setup for instance doesn't handle buffer over flows directly, at best they can (perhaps) catch the secondary effects.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    What I am primarily trying to achieve is to detect and stop the inital causes - i.e. catch the processes before they can begin to do their damage. Hence ZoneAlarm, KAV, WormGuard, and Processguard (this is at the point that the process is requesting services to run), and possibly Ewido (if it is fast enough in its process scanning). RegDefend, would be an example of trying to catch a secondary effect. I am hopeful that future releases of KAV and ZoneAlarm will be even stronger in this respect. I am always looking for stronger ways to achieve this goal.

    Products such as Prevx are more designed to catch secondary effects - e.g. buffer overflows, file system changes, etc., since at this point the process is already running.
     
  7. Jack Harper

    Jack Harper Guest

    Which look up the meaning of buffer overflows again.
     
  8. StevieO

    StevieO Guest

Loading...
Thread Status:
Not open for further replies.