While the details are different (and the devil is in the details), the same techniques are used to discover and exploit buffer overflows on all hardware architectures and operating systems. _The Shellcoder's Handbook_ by Koziol et al goes into detail about how to discover and write exploits on multiple platforms (Linux/x86, Windows/x86, Solaris/sparc, and Tru64/alpha. The two basic steps required to exploit a buffer overflow are: (1) Copy your executable code into the memory of your target, and (2) overwrite a variable that will eventually get loaded into the processor's Instruction Pointer with the location in memory of your executable code (the Instruction Pointer tells the CPU where to find the next machine language command). The term "buffer overflow" comes from the way an attacker makes these changes, usually by feeding a program input values beyond their assumed limits (e.g. an overly long URL as with Code Red). Because the program does not check the length of the input versus the assumed limit, the buffer (merely a location in memory that will store the input value) "overflows" and the program ends up overwriting part of itself with your input. The only solution to the problems presented by buffer overflows is "bounds checking" at every input event, verifying at every step that a collection of input values never exceed their assumed parameters, for example not allowing someone to enter five letters when all you are expecting is a 'Y' or a 'N'. This kind of careful programming is very difficult, as all the very smart people in both the hobbyist and commercial worlds will attest, hence the frequency with which such flaws are discovered.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/256/27682#27682