This week, advisories were released for kde, phpsysinfo, fonts-xorg, gaim, phpBB, mozilla suite, PostgreSQL, FreeRADIUS, ncpfs, kdelibs, cyrus-imapd, rsh, glibc, ia32el, and the Red Hat kernel. The distributors include Conectiva, Debian, Fedora, Gentoo, and Red Hat.
Buffer Overflow Basics
By: Suhas Desai
A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. A buffer is a contiguous allocated chunk of memory, such as an array or pointer in C. Limitation of C and C++ is there are no automatic bounds checking on the buffer where user can write past a buffer as given in example.
Note: All examples are compiled on Linux platform having x86 configuration.
int main ()
{
int buffer [10];
buffer[20]=10;
}
After execution of this program it won’t give errors but program attempts to write beyond the allocated memory for the buffer which results for unexpected output.
void function (char *str)
{
char buffer[16];
strcpy(buffer,str);
}
int main()
{
char *str=”I am greater than 16 bytes”;
function(str);
}
This program is guaranteed to cause unexpected behavior, because a string (str) of 27 bytes has been copied to a location (buffer) that has been allocated for only 16 bytes. The extra bytes run past the buffer and overwrite the space allocated for the FP, return address and so on. This corrupts the process stack. The function used to copy the string is strcpy, which completes no checking of bounds. Using strncpy would have prevented this corruption of the stack.
Example:
int main()
{
char buff[15]={0};
printf(“Enter your name:”);
scanf(buff,”%s”);
}
In this example, program reads a string from the standard input but does not check strings length. If the string has more than 14 characters, then it causes a buffer overflow as scanf() tries to write the remaining character past buff’s end.
Note: One character is always reserved for a null terminator.
The result is most likely a segmentation fault that crashes the program. In certain conditions, the users will receive a shell’s prompt after the crash. Even if the shell has restricted privileges, they can examine the values of environment variables; list the current directory files to detect the network with the pig command.
| Contectiva | ||
| Conectiva: kde Fixes for multiple KDE security vulnerabilities | ||
17th, May, 2005
|
||
| Debian | ||
| Debian: New phpsysinfo packages fix cross site scripting | ||
18th, May, 2005
|
||
| Fedora | ||
| Fedora Core 3 Update: fonts-xorg-6.8.2-0.FC3.1 | ||
16th, May, 2005
|
||
| Fedora Core 3 Update: squid-2.5.STABLE9-1.FC3.6 | ||
17th, May, 2005
|
||
| Gentoo | ||
| Gentoo: Gaim Denial of Service and buffer overflow vulnerabilties | ||
12th, May, 2005
|
||
| Gentoo: phpBB Cross-Site Scripting Vulnerability | ||
14th, May, 2005
|
||
| Gentoo: Mozilla Suite, Mozilla Firefox Remote compromise | ||
15th, May, 2005
|
||
| Gentoo: PostgreSQL Multiple vulnerabilities | ||
15th, May, 2005
|
||
| Gentoo: FreeRADIUS Buffer overflow and SQL injection vulnerability | ||
17th, May, 2005
|
||
| Red Hat | ||
| RedHat: Moderate: ncpfs security update | ||
17th, May, 2005
|
||
| RedHat: Important: kdelibs security update | ||
17th, May, 2005
|
||
| RedHat: Moderate: cyrus-imapd security update | ||
17th, May, 2005
|
||
| RedHat: Low: rsh security update | ||
18th, May, 2005
|
||
| RedHat: Low: openssh security update | ||
18th, May, 2005
|
||
| RedHat: Low: glibc security update | ||
18th, May, 2005
|
||
| RedHat: Low: ia32el security update | ||
18th, May, 2005
|
||
| RedHat: Updated kernel packages available for Red Hat | ||
18th, May, 2005
|
||