Buffer Overflow?

Discussion in 'other anti-malware software' started by WilliamP, Apr 22, 2008.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Is buffer overflow a real concern? If it is what is the best program to stop it? I have XP SP2 32 bit.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DEP or Conodo memory wall
     
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Personnally, I use Comodo Memory Firewall to prevent against Buffer overflow...
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can someone point to a current buffer overflow exploit, and what it accomplishes?

    Thanks,

    ----
    rich
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I don't know about current, but google "buffer overflow exploit download", first result :ninja:
     
  6. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here is information about a buffer overflow vulnerability in Adobe Flash - http://www.securityfocus.com/bid/28695/discuss. Excerpt: "Adobe Flash Player is prone to a remote buffer-overflow vulnerability when handling multimedia files with certain tags. An attacker may exploit this issue to execute arbitrary code in the context of the affected application."

    If you would like to test a (probably) harmless example of buffer overflow, please see http://forums.comodo.com/feedbackco...emory_firewall_worked-t18683.0.html;msg128015.

    See http://en.wikipedia.org/wiki/Buffer_overflow for general information about buffer overflow.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    thanks - I know what a buffer overflow is, and I've seen the PoC demonstrations.

    I would like to see some current exploits using this technique. Are they worms, as in the past? Do they work by remote code execution, or is the user enticed to click or download something?


    ----
    rich
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you're looking for vulnerabilities, see http://research.eeye.com/html/alerts/zeroday/index.html and http://secunia.com. If you want actual code see milw0rm or metasploit. Today, for example, vulnerability 'Adobe Products BMP Handling Buffer Overflow Vulnerability' was reported, with current fix "Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer."

    The user doesn't necessarily have to do anything abnormal to be exploited. Merely surfing a website with malicious content with a vulnerable browser or browser addon is sufficient. Looking at an infected video in a vulnerable multimedia player could get you infected. Programs listening for incoming network connections can be exploited if they are vulnerable.
     
    Last edited: Apr 22, 2008
  10. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Does Comodo Memory Firewall interfere with some programs operations as DEP does?
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    So what other software is out there to help guard the 'stack.'

    I know of and tried Wehnus and also grsecurity, and hardened linux, BSD - pax kernal patch but what else?
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Data Execution Prevention - built into Windows but configurable.

    Use anti-malware scanner that scans all files, not just executables. Poisoned data files can be detected by at least some anti-malware products.

    To limit damage - either use limited user account, or if using administrator account then use 'Basic User' setting in Software Restriction Policy for all programs that might be exposed to malicious content.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  15. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    Threatfire.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have set DEP in the past already, because I found this in my installation file :
    1. Click Start / Control Panel / System
    2. Click Advanced-tab
    3. Click Settings of Performance
    4. Click Data Execution Prevention
    5. Mark "Turn on DEP for all programs and services"
    6. Click OK-button
    Not really convinced if that will do the job, it's M$. :rolleyes:

    Is Buffershield of $20 worth to install ?
     
  17. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Not sure best way to find out is try it. Going by that table Wehus which is freeware nearly protects against them all.
     
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Okay I'm with you there as I use DEP, SRP and have a limited account on the computer already. Do we need a stack defender.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sorry, in what way didn't it work? The program, protection?
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't remember the details, but it caused problems on my system.
    Looking at the version #, its development seems to be frozen also.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I haven't tried out this product, but I did read the same things (about bugs, that is) somewhere else online. Since development is frozen, I'd avoid it.
     
    Last edited: Apr 22, 2008
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I did personally test out Comodo Memory Firewall on one example (well, two if you include the Comodo BO Tester program): http://forums.comodo.com/feedbackco...t_comodo_memory_firewall_worked-t18683.0.html. CMF worked with both, but be careful about drawing conclusions from a sample size of two.

    Here is vendor-supplied information about CMF:

    "Comodo Memory Firewall detects the following types of attack:
    Detection of Buffer Overflows which occur in the STACK memory,
    Detection of Buffer Overflows which occur in the HEAP memory,
    Detection of ret2libc attacks,
    Detection of corrupted/bad SEH Chains"
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Software DEP and hardware DEP are different. Software DEP is weak. Hardware DEP is better. Since it's known how to bypass DEP, you might wish to consider Comodo Memory Firewall even if you have hardware DEP.
     
Thread Status:
Not open for further replies.