Buffer overruns and exploits


CheshireCat

I've just received the KB828035 critical update automatically this morning
and went to look it up in the Knowledge Base: "Buffer overrun could allow code
execution".

"An attacker who successfully exploited this vulnerability could be able to
run code with Local System privileges on an affected system, or could cause
the Messenger Service to fail. The attacker could then be able to take any
action on the system, including installing programs, viewing, changing or
deleting data, or creating new accounts with full privileges."

Can anyone explain how such a bug could allow this sort of thing to happen?
Why doesn't their program just crash and that's it?
 
The basics of a buffer overrun attack are pretty simple, but a successful
attack requires a great deal of knowledge of the system and the buggy
code's specifics.

Let's say you know that the buggy code sets aside 100 bytes for a buffer,
but it fails to check/prevent a "sender" from trying to write more than
100 bytes there. If a rogue nasty were to send, say, 120 bytes, the first
100 legitimate data and the remaining 20 bytes a snippet of code, then he
just wrote some code of his choosing into the CPU's memory at a location
that was unprotected. If he is then able to make the CPU actually execute
that code (the harder part of the exploit), then he has compromised that
system into doing his bidding (20 bytes' worth of bidding, at least).
Overflow the buffer with a larger, smarter piece of code and you could do
lots of damage (assuming you can get it to execute).

Alternately, just send 1000 bytes, all of it just plain random junk. The
extra 900 bytes have to overwrite something, whatever happened to reside
after the buffer in memory. If it's the application's code or some
important data (is any data unimportant?) then it just corrupted that
code/data, and there's a high likelihood that the application or maybe the
whole system will crash as a result.
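As an added example (not from either poster), here is a constructed C model of the 100-byte buffer from the reply above: the unchecked copy that lets 120 bytes spill into whatever sits next to the buffer, beside the bounds-checked version that refuses the oversized message. The region layout, sizes and function names are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a 100-byte buffer with other data living right after it.
 * Both sit in one array so every write here stays inside it (well-defined C). */
#define BUF_SIZE 100
#define REGION   200
static unsigned char region[REGION]; /* [0,100) buffer, [100,200) neighbour */

/* Zero the buffer and fill the neighbouring data with a known pattern. */
static void reset_region(void) {
    memset(region, 0, BUF_SIZE);
    memset(region + BUF_SIZE, 0xAA, REGION - BUF_SIZE);
}

/* Count neighbouring bytes that lost the pattern, i.e. were overwritten. */
static size_t clobbered_bytes(void) {
    size_t n = 0;
    for (size_t i = BUF_SIZE; i < REGION; i++)
        if (region[i] != 0xAA) n++;
    return n;
}
/* The defect: trusts the sender's length and writes past the buffer. */
static void unchecked_copy(const unsigned char *in, size_t len) {
    memcpy(region, in, len);   /* anything over 100 spills into the neighbour */
}
/* The fix: refuse input the buffer cannot hold before touching memory. */
static bool checked_copy(const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) return false;   /* reject rather than silently truncate */
    memcpy(region, in, len);
    return true;
}

/* Send 'len' bytes of 'A' through one routine; return neighbour bytes damaged.
 * len is capped at REGION only so the model itself stays in bounds. */
static size_t simulate(size_t len, bool use_check) {
    unsigned char msg[REGION];
    memset(msg, 'A', sizeof msg);
    if (len > REGION) len = REGION;
    reset_region();
    if (use_check) checked_copy(msg, len); else unchecked_copy(msg, len);
    return clobbered_bytes();
}
int main(void) {
    printf("120 bytes, unchecked: %zu neighbour bytes overwritten\n", simulate(120, false));
    printf("120 bytes, checked:   %zu neighbour bytes overwritten\n", simulate(120, true));
    return 0;
}
```

The unchecked path reports 20 damaged neighbouring bytes for a 120-byte message (and all 100 for the "1000 bytes of junk" case, capped by the model), while the checked path reports none because the message is rejected before any write.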
 