Thanks Martin!! Very helpful

Regards,
Phill
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Visser, Martin
Sent: Thursday, 7 April 2005 9:19 AM
Cc: slug@slug.org.au
Subject: RE: FW: [SLUG] Possible hacker Attempt

Unfortunately a buffer-overflow is not only a Microsoft problem. In simple terms, it occurs where an attacker is able to exploit a programming flaw that allows a program to accept more data than it is really designed for.

Most programs that accept input from the network (or other input device) will prepare a buffer, some memory space, to accept that input. If the program is written correctly it should validate the input or use some other mechanism to ensure the input does not exceed the size of the allocated buffer. However, in certain program architectures, data that is accepted which is more than the buffer can handle could overwrite existing program data. If this excess data is craftily designed, the program can be "tricked" to then execute this excess data (which is now not just data, but now part of the compromised program's instructions) and will run with the privileges of the exploited program. The excess data is a small chunk of compiled code specifically designed to run on the target platform - it is usually caused by inserting a "jump" in the normal code instructions.

In the Code Red example below the attacker is sending a GET request to a web server. In a vulnerable IIS web server, the URL specified in the request is much larger than it expected. This data ends up in the web server's running program space, and is executed by the target system. The Code Red worm can then do its job to continue to seek and replicate itself. Code Red of course can only affect unpatched vulnerable IIS servers.

Of course, there have been plenty of buffer overflows identified in Linux based applications; Microsoft-based systems are just a bigger (and presumably more lucrative) target.

Most program development projects actively check their code for the possibility of buffer-overflows - hopefully they find the holes before potential attackers do. There is also work being done on various hardware and software architectures that limit the ability of unauthorised code to execute on a platform.

For the average user, provided you limit your internet facing profile using a firewall configured to only let necessary traffic in, and are vigilant in patching your systems, you are as safe as you can be.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Lowndes
Sent: Thursday, 7 April 2005 7:30 AM
To: Phill
Cc: slug@slug.org.au
Subject: Re: FW: [SLUG] Possible hacker Attempt

Phill wrote:
> I am also curious. How does this attack work? I understand the idea of
> filling up a buffer with junk but then....

As Gottfried said, on Linux it doesn't work, but on IIS it causes a buffer overflow which then allows uncontrolled access for the exploit - or something like that - I don't pay too much attention to Microsoft type problems.

> Regards,
> Phill
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gottfried Szing
> Sent: Thursday, 7 April 2005 1:39 AM
> To: slug@slug.org.au
> Subject: Re: [SLUG] Possible hacker Attempt
>
> hi
>
>> "GET /default.ida?X...(lots of X's)...X
>> %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
>> 9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
>> 404 300 "-" "-"
>
> isn't that the code red worm? still in the wild?
>
>> "SEARCH /\x90\x02\xb1\...... ("x02\xb1\" repeats hundreds of times)
>> .........\x02\xb1\x90\...(repeats hundreds of
>> times)...\x90\x90\x90\x90\x90\x90" 414 341 "-" "-"
>
> AFAIR this is a request that uses an exploit of the IIS and webdav
> component (unchecked buffer).
>
> but as long as you don't have IIS and windows running, nothing to fear
> about. both attacks work with IIS only and can be ignored on apache. they
> are just annoying (messing up the logs) but they cannot compromise the
> system.
>
> cu
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

--
Howard.
LANNet Computing Associates - Your Linux people <http://lannet.com.au>
--
When you just want a system that works, you choose Linux;
When you want a system that just works, you choose Microsoft.
--
Flatter government, not fatter government; Get rid of the Australian states.
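Martin's explanation of the unchecked-buffer flaw and the two log entries Gottfried quotes, as an added example that is not code from the thread or from any of its posters: a small C program that (a) copies request tokens into fixed-size buffers only after an explicit length check, the validation Martin says a correctly written program performs, and (b) classifies Apache access-log lines into the two probe types quoted above (Code Red and the IIS WebDAV SEARCH probe) so an Apache admin can count or alert on them instead of just seeing them clutter the logs. The 256-byte request-target cap, the sample log lines and all the function names are constructed for this example.

```c
/* Added example, not from the SLUG thread or its posters.  The MAX_URL cap,
 * the sample log lines and every function name here are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_METHOD 16
#define MAX_URL    256   /* assumed: the most our hypothetical server accepts as a request-target */

enum verdict { REQ_OK, REQ_TOO_LONG, REQ_CODE_RED, REQ_WEBDAV_PROBE };

/* Bounded copy of src[0..n) into dst, always NUL-terminated.  Returns 0 on
 * success and -1 (dst untouched) when the input would not fit: the length
 * check a correctly written program makes before network data enters a buffer. */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Extract METHOD and request-target from a common/combined-log-format line
 * (the first two space-separated tokens inside the first quoted field).
 * Returns 0 on success, -1 if the line is malformed or a token is too long. */
int parse_request_line(const char *logline, char *method, size_t msz,
                       char *target, size_t tsz)
{
    const char *q = strchr(logline, '"');
    if (q == NULL)
        return -1;
    const char *m = q + 1;
    const char *sp = strchr(m, ' ');
    if (sp == NULL || copy_bounded(method, msz, m, (size_t)(sp - m)) != 0)
        return -1;
    const char *t = sp + 1;
    const char *end = strpbrk(t, " \"");   /* target ends at a space or the closing quote */
    if (end == NULL)
        end = t + strlen(t);
    return copy_bounded(target, tsz, t, (size_t)(end - t));
}

/* Classify one request the way a log-watching admin would: known probe
 * signatures first, then the generic "bigger than our buffer" case. */
enum verdict classify_request(const char *method, const char *target)
{
    /* Code Red: GET /default.ida? plus padding and a %u-encoded payload */
    if (strcmp(method, "GET") == 0 &&
        strncmp(target, "/default.ida?", 13) == 0 &&
        strstr(target, "%u9090") != NULL)
        return REQ_CODE_RED;

    /* IIS WebDAV probe: SEARCH whose target is mostly non-printable bytes.
     * Apache writes those into the access log escaped as \xNN, so the log
     * line literally contains the four characters \x90. */
    if (strcmp(method, "SEARCH") == 0 && strstr(target, "\\x90") != NULL)
        return REQ_WEBDAV_PROBE;

    if (strlen(target) >= MAX_URL)
        return REQ_TOO_LONG;
    return REQ_OK;
}

/* Parse then classify; returns -1 when the line does not parse at all. */
int classify_logline(const char *logline)
{
    char method[MAX_METHOD];
    char target[4096];   /* scratch area wide enough to still report an oversized target */
    if (parse_request_line(logline, method, sizeof method, target, sizeof target) != 0)
        return -1;
    return (int)classify_request(method, target);
}

/* Constructed sample lines modelled on the entries quoted in the thread; the
 * real probes carry hundreds of bytes of padding, these carry 256. */
#define PAD16  "XXXXXXXXXXXXXXXX"
#define PAD256 PAD16 PAD16 PAD16 PAD16 PAD16 PAD16 PAD16 PAD16 \
               PAD16 PAD16 PAD16 PAD16 PAD16 PAD16 PAD16 PAD16
const char *SAMPLE_LINES[] = {
    "10.0.0.1 - - [07/Apr/2005:01:39:00 +1000] \"GET /index.html HTTP/1.0\" 200 1024 \"-\" \"-\"",
    "10.0.0.2 - - [07/Apr/2005:01:39:01 +1000] \"GET /default.ida?" PAD256
        "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
        " HTTP/1.0\" 404 300 \"-\" \"-\"",
    "10.0.0.3 - - [07/Apr/2005:01:39:02 +1000] \"SEARCH /\\x90\\x02\\xb1\\x90\\x02\\xb1\\x90\\x90\\x90"
        " HTTP/1.1\" 414 341 \"-\" \"-\"",
    "10.0.0.4 - - [07/Apr/2005:01:39:03 +1000] \"GET /" PAD256 "/oversized HTTP/1.0\" 414 0 \"-\" \"-\"",
};

int main(void)
{
    static const char *names[] = { "ok", "too-long", "code-red", "webdav-probe" };
    size_t n = sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0];
    for (size_t i = 0; i < n; i++) {
        int v = classify_logline(SAMPLE_LINES[i]);
        printf("line %zu: %s\n", i + 1, v < 0 ? "unparseable" : names[v]);
    }
    return 0;
}
```

The signature checks run before the length check on purpose: a Code Red request is also far longer than the cap, and the specific label is more useful in a report than "too long". The `\\x90` match only covers the escaped form Apache writes to its log; a tool reading raw request bytes off the wire would look for the 0x90 byte itself.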