
Re: Buffer overflows on NT - what is the risk?


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Buffer overflows on NT - what is the risk?
  • From: Russ <Russ.CooperRC.ON.CA>
  • Date: Sat, 25 Jul 1998 09:28:20 -0400
  • Comments: To: Roy Hills <Roy.HillsNTA-MONITOR.COM>
  • Reply-To: Russ <Russ.CooperRC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Moderator's note:
Given the number of responses to Roy's message, I have summarized them
here:
------------------------------------------------------------
From: "Phil Brass" <pbrassiss.net>
Buffer overflows have been exploited, publicly (on this list I believe),
by the l0pht people.  They demonstrated how to exploit a buffer-overflow
in Internet Explorer when browsing to a specific malformed URL.  The
exploit downloaded a file and ran it, unbeknownst to the user.

Phil
------------------------------------------------------------
From: Adam Shostack <adamhomeport.org>
   Ezekial Morrow <paceflowHOTMAIL.COM> posted the construction of a
buffer overflow for SLmail here July 9th.  Dildog of the l0pht has a
paper entitled 'The Tao of Windows buffer overflows.'

   Were I a cynic, I would suggest that the fact that buffer overflows
are known to be in use on unix systems has more to do with proper
logging and IDS tools than the difficulty of writing effective windows
buffer overflows.

   In a less cynical mood, I'd suggest that the interesting access via
NBT sessions, various RPC things, and other means of access are more
popular because they're easier than writing a new bo.  On unix, we've
got that sort of side access mostly tied down.

Adam
------------------------------------------------------------
From: Paul Leach <paullemicrosoft.com>
The source for many Unix services is available, and buffer overruns are
reasonably easy to detect by inspection of the source (even by an
automated inspection). Since NT source isn't, even assuming it had as
many buffer overrun bugs (and I make no statement one way or other on
that point), fewer would get exploited.

On the flip side, fewer good guys look over the source to try and weed
out the problems before they happen.

Other than that, I think they pose the same potential risk on either
platform.

------------------------------------------------------------
From: "Holbrook, Charles J." <OSGCJHwest.com>
As far as I can tell it can be exploited.  cDc wrote a nice little
article as well as source code of how to do this.
http://www.cultdeadcow.com/cDc_files/cDc-351/
------------------------------------------------------------
From: "Adam Maloney" <adamiexposure.com>
The difference here is that many unix buffer overflows drop you to root,
and that can't really be done on NT.  What's more fun to Joe Hax0r?
Dropping an NT box (heck anyone can do that), or "w00ting" the mighty
unix...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  Adam Maloney
            Systems  Administrator
                Internet  Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
------------------------------------------------------------
From: Ervin Fried <ervinname.net>
no and yes.

for some explanations and ideas read:

http://www.cultdeadcow.com/cDc_files/cDc-351/

also, read the ntbugtraq post:

subject: SLMail 3.0.2421 Stack Overflow...
from:    Ezekial Morrow <paceflowHOTMAIL.COM>
date:    Wed, 8 Jul 1998 17:32:02 PDT
------------------------------------------------------------
From: Alex Belits <abelitsgenesyslab.com>
  Buffer overflows on Unix and NT are equally dangerous and exploitable,
however people who write and use exploits of this kind are currently
disinterested in NT ones. As a lot of attempts to overcome the problem
for insecurely written code have shown, it's relatively easy to make
buffer overflows less likely to succeed at the expense of a significant
slowdown of the program when it runs normally (change the compiler to modify
function call and return code), and it's possible to eliminate the most
commonly used version of buffer overflow by introducing incompatibility
with existing compiled code (change the OS to make the stack nonexecutable).

  AFAIK neither of the two things was done in NT, and both of them still
allow denial of service in all cases (the program crashes and should be
restarted, and some data in the crashed program's memory is overwritten before
the crash is detected), and successful exploits are still possible after
both with a more complex technique.

--
Alex
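The compiler-side mitigation Alex describes (modifying function call and return code so an overflow is caught before the corrupted return address is used, the approach taken by StackGuard-style stack canaries) is easier to reason about with a concrete model. The following is an added example, not code from this thread or from any project it mentions; it simulates a canary-protected stack frame as a struct so the demonstration stays within defined behaviour, and the frame layout, the canary constant, the return-address value and all function names are constructed for illustration.

```c
/* Added example (not from the thread): simulates how a compiler-inserted
 * stack canary turns a return-address overwrite into a detected failure.
 * Frame layout, canary value, return-address value and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Model of a protected stack frame: the local buffer sits below the canary,
 * which sits below the saved return address. A copy that runs past buf must
 * overwrite the canary before it can reach ret_addr. */
struct frame {
    char     buf[BUF_LEN];
    uint64_t canary;
    uint64_t ret_addr;
};

/* Per-process canary (constructed here; a real implementation picks it at
 * startup). The zero byte stops C-string routines from copying through it. */
static const uint64_t CANARY   = 0x00A1B2C3D4E5F607ULL;
/* Constructed stand-in for the legitimate saved return address. */
static const uint64_t GOOD_RET = 0x0000000000401000ULL;

enum outcome { RET_OK = 0, RET_CANARY_TRIPPED = 1 };

/* The instrumented function: the prologue stores the canary, the body copies
 * untrusted input into its fixed buffer with no length check (the bug), and
 * the epilogue verifies the canary before returning. In a real binary a
 * failed check aborts the process; here it is reported as a return value. */
enum outcome vulnerable_copy(const unsigned char *input, size_t len,
                             struct frame *f)
{
    f->canary   = CANARY;      /* prologue */
    f->ret_addr = GOOD_RET;    /* saved by the call instruction */

    /* Unchecked copy. It is clamped to the frame size only so that the
     * simulation itself stays within defined behaviour. */
    size_t n = len > sizeof *f ? sizeof *f : len;
    memcpy((unsigned char *)f, input, n);

    return f->canary == CANARY ? RET_OK : RET_CANARY_TRIPPED; /* epilogue */
}

/* Scenario helpers: feed input_len bytes of 'A' (constructed oversized
 * input) through vulnerable_copy and report what the epilogue would see. */
enum outcome outcome_for(size_t input_len)
{
    unsigned char input[64];
    struct frame f;
    memset(input, 'A', sizeof input);
    return vulnerable_copy(input, input_len, &f);
}

/* 1 if the saved return address survived the copy, 0 if it was overwritten. */
int ret_addr_intact_for(size_t input_len)
{
    unsigned char input[64];
    struct frame f;
    memset(input, 'A', sizeof input);
    vulnerable_copy(input, input_len, &f);
    return f.ret_addr == GOOD_RET;
}

int main(void)
{
    size_t cases[] = { 5, BUF_LEN, BUF_LEN + 1, sizeof(struct frame) };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = cases[i];
        printf("%2zu bytes: canary %s, return address %s\n", n,
               outcome_for(n) == RET_OK ? "intact " : "TRIPPED",
               ret_addr_intact_for(n) ? "intact" : "overwritten");
    }
    return 0;
}
```

The 17-byte case shows why the canary's position matters: the check fires even though the return address is untouched, because any overflow heading for it has to pass through the canary first. The 32-byte case shows the other half of Alex's point: the corrupted return address is never used, but the only safe response is to terminate the process, so the mitigation converts code execution into the denial of service he describes rather than removing the bug.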
------------------------------------------------------------
From: Paul Vilevac <pvilevacyahoo.com>
Roy,

In short, a buffer overflow on an NT box can be exploited to execute any
arbitrary commands.  Take a moment or ten to read over DilDog of the
Cult of the Dead Cow's impressive "The Tao of Windows Buffer Overflow"
at http://www.cultdeadcow.com/cDc_files/cDc-351/ for further
information.

NT is not Unix, it tries but it's its own thing.

Paul
(Not affiliated with or a member of the cDc.)
(On site)
------------------------------------------------------------
From: Weld Pond <weldl0pht.com>
There have been several buffer overflows that have been exploited in the
Internet Explorer posse of applications.  DilDog cut his teeth working
with a few in IE 3 and IE 4. He then documented his techniques for
exploiting a buffer overflow in NetMeeting in the seminal "The Tao of
Windows Buffer Overflow" which is available at

     http://www.cultdeadcow.com/cDc_files/cDc-351/

Buffer overflows are a little harder to exploit in windows but using the
code in "The Tao" should get you up to speed quickly. He talks about
techniques for getting the overflow code to download a file over the net
and then exec it. Back Orifice, which will be released at DefCon, is the
perfect file to download and exec from a buffer overflow if you want to
completely compromise a machine.

      Weld Pond   -  weldl0pht.com   -   http://www.l0pht.com/~weld
      L  0  p  h  t    H  e  a  v  y    I  n  d  u  s  t  r  i  e  s

      Technical archives for the people  -  Bio/Electro/Crypto/Radio
------------------------------------------------------------
From: Crispin Cowan <crispincse.ogi.edu>
Absolutely stack smashes are a security vulnerability on NT.  I have
attached two different security alerts for MS Internet Explorer.  In at
least one of them, a hostile web page can seize control of your browser
on both Win95 and NT.

Crispin
-----

<http://listserv.ntbugtraq.com/scripts/wa-ntbt.exe?A2=ind9801&L=NTBUGTRAQ&P=R2515>
<http://listserv.ntbugtraq.com/scripts/wa-ntbt.exe?A2=ind9803&L=NTBUGTRAQ&P=R2586>
------------------------------------------------------------
From: Gilad Ben-Yossef <gbyactcom.co.il>
hmpf..

Well, I need to administer from afar a certain NT machine. I am the
legitimate administrator of the machine, and have the Admin account, but
even as such I am having trouble making some changes to the machine
configuration from afar over the Net, let alone performing any software
upgrades. Need I say I can't really run an arbitrary program from afar
(don't remind me of remote console service, I am still trying to forget
it ;-)

Taking this into account, what do you expect a cracker to do? The
buffer overflow lets him run arbitrary code as a privileged user, but I am
the most legit privileged user on the machine and still I have a problem
performing certain tasks... Of course, on Unix the root user would have
no problem doing these things (e.g. add an IP address) remotely, hence
a cracker has the chance to do so too, if he finds a buffer overflow
bug, but that really belongs to a different mailing list... ;-)

Gilad Ben-Yossef
giladbenyossef.com
------------------------------------------------------------
From: "Neon Surge" <neonsurgehotmail.com>
NT Buffer Overflows have not 'publicly' been exploited because no one
has stepped forward to say that it can be done. It really is that
simple.

NeonSurge
The Rhino9 Security Research Team
rhino9.ml.org
------------------------------------------------------------
From: Tracy R Reed <treedultraviolet.org>
They are potential remote access issues if someone can exploit them. NT
does not seem to be nearly as flexible as Unix is, for better or worse.
Unix is designed with the concepts of stdio, shells, etc. This makes it
fairly easy to system off a shell in a buffer overflow and get its
input associated with the port or tty you are on. NT tends not to have
such convenient abstractions. You have to jump through many ugly hoops
to get NT to do anything useful in a buffer overflow exploit. I recently
read a piece on how to do buffer overflows in win32, with source, but I
don't recall where. The author wasn't able to accomplish anything as
handy as a shell though.

--
Tracy Reed      http://www.ultraviolet.org