
Computer Security and Penetration Testing

Chapter 10
Trojan Horses
Objectives
• Outline the evolution of the Trojan horse
• Name ways in which Trojans are deployed
• Identify risks associated with Trojans

Computer Security and Penetration Testing 2


Objectives (continued)
• Name some well-known Trojans
• List Trojan attack prevention measures
• List Trojan detection tools



Trojan Horses

• Trojan horse
– Application that uses trickery to get a user to install it
– Circumvents the safety measures inherent in an operating system that would otherwise make a covert installation difficult: the user, not an exploit, runs the installer, so the Trojan inherits whatever privileges that user has

Trojan Horses (continued)

• Typical functions for a Trojan might include
– Logging keystrokes, taking screen captures, accessing files on local and shared drives, or acting as a server where the client is the hacker
• Trojan horse applications are usually masqueraded as games, utilities, or other useful applications
• A Trojan does not reproduce itself the way a virus or worm does
– It spreads only as often as users are tricked into running it; a worm that carries a Trojan (as Pretty Park did) is the combination of the two

Workings of Trojans

• For Trojans to be a threat
– They must be installed by the user and activated


Installation

• Distribution vectors:
– E-mail attachments
– Scripts in HTML e-mails
– Files on FTP servers
– Scripts on spoofed Web sites
– Scripts on hacked legitimate Web sites
– Download opportunities on Web sites
– Files offered on bulletin boards and forums
– Social engineering

Installation (continued)

• Recent Trojan attacks have come disguised as a patch or package
• Always validate the checksum that legitimate download sites provide
– A checksum served from the same place as the download only shows that the file arrived intact; whoever replaced the file can replace the published hash as well
– Prefer a signature, or a hash published on a separate channel, and compare it before the file is ever executed


Functions of a Trojan

• BO2K is a Trojan horse designed and used to make a horde of zombies
– To do the hacker's bidding
• Zombies are machines that have been unobtrusively "owned" by a hacker
• When a machine is owned, the hacker can back-door into it at any time
– And perform actions from that machine as if sitting at its keyboard

Functions of a Trojan (continued)

• Tasks performed by Trojans include:
– Sending and receiving files
– Viewing cached passwords
– Restarting the system
– Launching processes
– Modifying files
– Sharing files
– Modifying registry keys


Famous Trojans

• This section describes the following Trojans:


– PC-Write
– AIDS
– Back Orifice
– Pretty Park
– NetBus, SubSeven
– BO2K



PC-Write (1986)

• First known Trojan horse
• Masqueraded as version 2.72 of the shareware word processor PC-Write by Quicksoft
• Wiped out the user's FAT (file allocation table) and formatted the hard drive
• Was really a simple batch-file command, encoded as a binary .exe file


AIDS.exe/PC Cyborg (1989)

• Distributed on floppy disk through the postal mail in 1989
• Allegedly contained information about AIDS and HIV
• Actual payload was aids.exe, which after the 90th reboot hid the directories and encrypted the file names on the hard drive, leaving the system unusable
– Prompted the user to pay a licence fee for the password needed to restore the drive
– The first widely documented ransomware; the file contents themselves were not encrypted, which is what made recovery tools possible


Back Orifice (1998)

• A remote administration server
– Allows system administrators to control a computer from a remote location
• Designed by a group called the Cult of the Dead Cow
• Once installed, the server is intentionally difficult to detect
– And it allows almost complete control over your computer by the remote attacker


Pretty Park (1999)

• The first Trojan to use a worm to propagate itself
• Once installed, this application would attempt to mail itself to anyone in your address book
• When PrettyPark.exe is executed, it may display the 3D pipe screen saver
– And tries to connect to an IRC server and join a specific IRC channel

Pretty Park (1999) (continued)

• Pretty Park reports to a pre-specified IRC server every 30 seconds
– The author or distributor of the worm, waiting in that channel, can then issue commands and pull information from your system
– The IRC channel is an early form of the command-and-control channel that later botnets use


NetBus (1998)

• Written by Carl-Fredrik Neikter; first released in 1998 and widely circulated into the early 2000s
• Allows anyone running the client portion (the attacker) to connect
– And control the server portion on the target computer
– Using the same rights and privileges as the current user


SubSeven (1999)

• Enables unauthorized people to access your computer over the Internet without your knowledge
• One campaign used a forged e-mail, purporting to come from Symantec, to get victims to install it


BO2K

• Back Orifice 2000, released as open source by the Cult of the Dead Cow in 1999
• An interesting combination of fair and foul
– The same feature set (remote shell, file transfer, plug-ins) is appealing as a concept for a network administrator with at-risk remote users, and is exactly what an attacker wants on a victim
• BO2K software allows you to chain infected machines like a string of proxy servers
• Lets you set notifiers on the infected machines, which announce the machine to a host of the attacker's choosing
– If the server is left without authentication, any client that finds it can log into the infected box


Detection and Prevention of Trojans

• The best way to deal with Trojans is to never get one
– Never open an unverified executable file
– Never accept attachments that are not expected
– Never allow anybody on your network to do day-to-day work with root or administrator privileges
– Make sure the standard user does not have permission to load or install programs
– Install a software firewall, and filter outbound connections as well as inbound ones: a Trojan that cannot reach its client or its IRC channel is far less useful to the attacker


Detection and Prevention of Trojans (continued)

• Object reconciliation
– A widely used method that detects Trojans
– Means "verification that things are the same": a record of each protected file is taken while the system is known to be clean, and the live file is compared against the record later
• Can perform any or all of the following checks
– Date and time (weak on its own: a modification time is trivially reset)
– Size (weak on its own: a replacement can be padded to the original size)
– Checksum (the check that matters; use a cryptographic hash so a replacement cannot be made to match)
• The baseline records themselves must be kept where a Trojan cannot rewrite them, e.g. offline or read-only


Detection and Prevention of Trojans (continued)

• Other methods for detecting Trojans
– Compare your system binaries to the original install files from your installation media
– Check the backup files for Trojan programs
– Use cryptographic checksum tools such as Tripwire; take the baseline with SHA-256 or stronger rather than the Message-Digest algorithm 5 (MD5), for which collisions are now easy to produce
– Check for unauthorized services
– Check and examine the services you commented out with # in /etc/inetd.conf or /etc/xinetd.conf, to make sure none has been quietly re-enabled or replaced
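The object reconciliation and checksum checks above, as an added example written for this page rather than taken from the course or from Tripwire. It baselines a file's size and digest and reconciles later copies against the record; the sample "binaries", the FNV-1a digest (used only because it needs no library; a real baseline must use SHA-256, not MD5) and the name /bin/login are constructed for the example. The same comparison is what the earlier advice to validate a download's published checksum amounts to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One baseline record per monitored object: the size and a digest over the
 * content, which is what "object reconciliation" compares. Tripwire keeps
 * the same plus mtime, mode and owner. The digest is FNV-1a, chosen so the
 * example needs no library; it is NOT collision resistant, so a real
 * baseline must use SHA-256 or similar (not MD5). */
typedef struct {
    const char *name;
    size_t size;
    uint64_t digest;
} baseline_t;

enum { RECON_OK = 0, RECON_SIZE_DIFFERS = 1, RECON_DIGEST_DIFFERS = 2 };

uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the trusted state of an object (run from clean install media). */
baseline_t snapshot(const char *name, const uint8_t *content, size_t len) {
    baseline_t b = { name, len, fnv1a64(content, len) };
    return b;
}

/* Compare the object as it is now against the baseline. Returns a bit mask
 * of what changed; a Trojaned binary padded back to its original size still
 * fails on the digest. */
int reconcile(const baseline_t *b, const uint8_t *content, size_t len) {
    int result = RECON_OK;
    if (len != b->size)
        result |= RECON_SIZE_DIFFERS;
    if (fnv1a64(content, len) != b->digest)
        result |= RECON_DIGEST_DIFFERS;
    return result;
}

/* Constructed sample "binaries" standing in for /bin/login: the trusted copy,
 * a copy with one byte patched (same size), and a copy with code appended. */
static const uint8_t LOGIN_ORIGINAL[] = "\x7f" "ELF\x01\x01 login: check password";
static const uint8_t LOGIN_PATCHED[]  = "\x7f" "ELF\x01\x01 login: chock password";
static const uint8_t LOGIN_APPENDED[] = "\x7f" "ELF\x01\x01 login: check password"
                                        "\x90\x90" "jmp backdoor";

/* Baseline the trusted copy, then reconcile the supplied file against it. */
int verify_against_baseline(const uint8_t *current, size_t len) {
    baseline_t b = snapshot("/bin/login", LOGIN_ORIGINAL, sizeof LOGIN_ORIGINAL - 1);
    return reconcile(&b, current, len);
}

int main(void) {
    printf("original: %d\n", verify_against_baseline(LOGIN_ORIGINAL, sizeof LOGIN_ORIGINAL - 1));
    printf("patched:  %d\n", verify_against_baseline(LOGIN_PATCHED, sizeof LOGIN_PATCHED - 1));
    printf("appended: %d\n", verify_against_baseline(LOGIN_APPENDED, sizeof LOGIN_APPENDED - 1));
    return 0;
}
```

The result is a bit mask so the report can say which check failed: the one-byte patch passes the size check and fails only the digest, which is why the date, time and size checks on the previous slide are not enough on their own.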


Detection and Prevention of Trojans (continued)

• Tools for detecting Trojan horses
– Tripwire Enterprise
– MD5 (and newer hash tools) for checksum comparison
– Spybot Search & Destroy
– VirusBlokAda
– GMER
– Trojan Remover
– McAfee, Norton, Symantec
• Tools for distributing Trojans
– Metasploit, which packages a payload into an innocuous-looking executable; it is the attacker's side of the problem, not a detection tool


Summary
• Trojan horses use trickery to entice the user to install
them
• To be a threat, Trojans must be installed by the user
and activated
• Trojans act as remote administrative tools, and can
be written to perform almost any task that a legitimate
user can perform
• There are several distribution vectors in common
use, including e-mail attachments



Summary (continued)
• Trojans can have many functions, such as logging
keystrokes, taking screen captures, accessing files on
local and shared drives, acting as a server, sending
and receiving files, viewing cached passwords,
restarting the system, launching processes, modifying
and sharing files, and modifying registry keys
• The first known Trojan horse was a fake version of
PC-Write, developed in 1986



Summary (continued)
• Famous Trojans include PC-Write, AIDS, Back
Orifice, Pretty Park, NetBus, SubSeven, and BO2K
• To prevent receiving a Trojan, never open an
executable file that you have not verified
– Or open unexpected attachments
• Trojans can be detected by various means, including
software firewalls, IDS systems, some antivirus
software, commercial programs, object reconciliation,
and registry checkers



Computer Security and Penetration Testing

Chapter 11
Denial-of-Service Attacks

Objectives
• Define a denial-of-service (DoS) attack
• Describe causes of DoS attacks
• Describe several varieties of DoS attacks

Objectives (continued)
• Define a distributed denial-of-service (DDoS) attack
• Discuss some known DoS and DDoS attacks
• Describe ways to prevent DoS and DDoS attacks


Causes of DoS Attacks

• Some major network defects and vulnerabilities
– Vulnerability of the network architecture
– Vulnerability of a specific server system architecture (Intel x86, AMD Opteron, etc.)
– Defects and bugs in the operating system or software
– Holes present within system security
• Some vulnerabilities cannot be closed by patching
– Because there is an inherent bandwidth limit: a flood that exceeds the capacity of the link or the server succeeds against a fully patched system, and can only be absorbed upstream or filtered before it reaches the link


Types of DoS Attacks

• See Figure 11-1
– X axis = Flood attacks or software attacks
– Y axis = Isolated attacks or distributed attacks
– Z axis = Voluntary or involuntary, on the part of the systems administrator

Types of DoS Attacks (continued)

• Preventable (voluntary) DoS: the exposure follows from the administrator's own design choices, such as configuring a network or application-level system to offer a variety of services that an attacker can then drive to exhaustion
• Non-preventable (involuntary) DoS: an attack the system administrator could not have been expected to anticipate or prepare for


Flood Attacks

• Consume the limited resources of a computer or a network
– By transmitting a large number of packets as quickly as possible
• A flood attack can occur under the following conditions:
– Sending connection requests
– Consuming the bandwidth
– Using your own resources
– Consuming others' resources


Flood Attacks (continued)

• Sending Connection Requests
– Target or victim receives a large quantity of connection requests
– Attacker is probably using spoofed IP addresses, so the requests can neither be completed nor traced to their real origin
• Consuming Bandwidth
– All of a network's available bandwidth is consumed by sending a large number of packets

Flood Attacks (continued)

• Using Your Own Resources
– Hacker sends a forged UDP packet whose source is the echo service on one computer and whose destination is the echo (or chargen) service on another
– Each service answers the other's reply, so the two machines keep bouncing traffic between themselves and saturate their own resources and the link
– Any response to a forged packet goes to the computer whose IP address the hacker put in it, not to the hacker


Flood Attacks (continued)

• Consuming Others' Resources
– Hacker may be able to consume data structures such as the process table
– Simply by writing a program or a script that replicates itself (a fork bomb)
– Hackers also attempt to consume disk space
– By using any feature that allows data to be written to a system's hard disk (logs, mail spools, uploads)
– Hacker may be able to lock an account by executing a certain number of failed attempts to log in


Software Attacks

• Exploit existing software weaknesses
– Effect is either degraded performance or crashes on the victim server
• Hackers generate a small number of carefully malformed packets to exploit known software bugs
– A few packets are enough, which is what separates a software attack from a flood
• Bugs may also allow hackers to change or damage configuration files


Software Attacks (continued)

• Ping of Death
– A historical DoS attack in which the hacker uses the Ping utility to crash a system, not to gain access to it
– Hacker sends an ICMP echo request larger than the 65,535-byte maximum size of an IP packet; it travels as fragments that the target reassembles into an oversized datagram, overflowing the reassembly buffer
– Target system may crash or restart
– Most legitimate Ping utilities do not allow you to send a ping of more than 64 KB
– You can use Apsend to send an oversized packet

Software Attacks (continued)

• Ping of Death (continued)
– You can block pings on your firewall
– Almost all operating systems have been patched to deflect this attack
• DNS Service Attack
– Domain Name Service (DNS)
– Database that maps domain names to IP addresses
– Two kinds of attacks are related to the DNS service: DNS spoofing and DNS overflow


Software Attacks (continued)

• DNS Service Attack
• DNS Spoofing
– Users or customers may be redirected to Web sites other than their intended destination
– Should not be confused with phishing: the user types the right name, and the forged answer sends them to the wrong server
– May lead to customers giving their account information to hackers
• DNS Overflows
– May happen when a DNS server or resolver fails to check and verify the length of a host name before copying it into a fixed-size buffer
– Could be used to gain superuser access to the system, since name servers have historically run as root
Software Attacks (continued)

• Other software attacks include
– Teardrop (overlapping IP fragments that confuse reassembly)
– Land (a SYN whose source address and port equal its destination, so the target answers itself)
– Chargen (the character-generator service looped against echo or against another chargen port)


Isolated Attacks

• Come from a single source
• Easily countered by blocking traffic from that source

Distributed Attacks

• Come from multiple concurrent sources
• Much more difficult to block with ACLs or firewall rules
• Distributed denial-of-service, or DDoS, attack
– Depends on the hacker's ability to compromise a large number of systems
– May require hundreds or thousands of compromised hosts to make a DDoS attack successful
– Special tools are used to coordinate the compromised hosts against a target
Distributed Attacks (continued)

• The process of building a DDoS network is fully automated
• A DDoS attack occurs in the following sequence:
– Hacker identifies vulnerable hosts (100 or more)
– Hacker compromises these hosts and gets access to them
– Hacker installs the attack tool on each host
– Hacker uses the compromised hosts for future attacks


Known DoS Attacks

• Some known flood attacks are TCP SYN, SMURF, and Fraggle
• Denial of Service Database
– At http://attrition.org/security/denial/
– Has over 360 known DoS (and DDoS) exploits used on different targets


TCP SYN

• TCP SYN attack
– Client and server exchange a sequence of messages to establish a TCP connection
– Uses the familiar three-way handshake of TCP: SYN, SYN-ACK, ACK
– Attacker sends SYNs and never answers the SYN-ACK, leaving many half-open connections
– The data structure in memory that holds all the pending half-open connections fills up, and legitimate SYNs are refused until entries time out
– The hacker only has to use IP spoofing to send the excess SYN requests to the server: with unreachable source addresses the SYN-ACKs go nowhere, and the true origin is hidden
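The half-open table filling up, and the stateless SYN-cookie defence that most operating systems now turn on under load, as an added example written for this page (not the course's own code). The listener, its eight-entry backlog, the secret key, the addresses and the toy keyed mixer are all constructed; a kernel uses SipHash-class hashing and the sequence-number layout from RFC 4987.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stateful listener: a fixed number of SYN_RCVD slots, each holding a peer
 * until its ACK arrives or the slot times out. Spoofed SYNs never complete,
 * so a flood fills the table and real clients are refused. BACKLOG is
 * constructed small so the effect is visible. */
#define BACKLOG 8

typedef struct { uint32_t saddr; uint16_t sport; bool used; } half_open_t;
typedef struct { half_open_t slot[BACKLOG]; unsigned refused; } listener_t;

/* Handle one SYN the classic way; true if a half-open slot was available. */
bool syn_stateful(listener_t *l, uint32_t saddr, uint16_t sport) {
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->slot[i].used) {
            l->slot[i].saddr = saddr;
            l->slot[i].sport = sport;
            l->slot[i].used = true;
            return true;
        }
    }
    l->refused++;
    return false;
}

/* Constructed flood: n SYNs from distinct spoofed sources in 10.0.0.0/8,
 * none of them ever acknowledged. Returns how many SYNs were refused. */
unsigned flood_stateful(unsigned n) {
    listener_t l;
    memset(&l, 0, sizeof l);
    for (unsigned i = 0; i < n; i++)
        syn_stateful(&l, 0x0A000000u + i, (uint16_t)(1024 + i));
    return l.refused;
}

/* SYN cookies (RFC 4987): put a keyed hash of the 4-tuple plus a coarse
 * timestamp into the server's initial sequence number, keep no state, and
 * allocate a connection only when the returning ACK verifies. The mixer
 * below is a toy standing in for the SipHash a kernel would use. */
static uint32_t keyed_mix(uint64_t secret, uint32_t a, uint32_t b, uint32_t c) {
    uint64_t h = secret ^ 0x9E3779B97F4A7C15ULL;
    const uint32_t in[3] = { a, b, c };
    for (int i = 0; i < 3; i++) {
        h ^= in[i];
        h *= 0xBF58476D1CE4E5B9ULL;
        h ^= h >> 31;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* 8-bit tick in the top byte, 24-bit tag below it. */
uint32_t syn_cookie(uint64_t secret, uint32_t saddr, uint32_t daddr,
                    uint16_t sport, uint16_t dport, uint32_t tick) {
    uint32_t tag = keyed_mix(secret, saddr, daddr, ((uint32_t)sport << 16) | dport);
    return (tick << 24) | (tag & 0x00FFFFFFu);
}

/* The client's final ACK carries cookie + 1. Accept only if the tag
 * recomputes for this 4-tuple and the cookie is at most one tick old. */
bool syn_cookie_valid(uint64_t secret, uint32_t saddr, uint32_t daddr,
                      uint16_t sport, uint16_t dport,
                      uint32_t ack_seq, uint32_t now_tick) {
    uint32_t cookie = ack_seq - 1;
    uint32_t tick = cookie >> 24;
    if (((now_tick - tick) & 0xFFu) > 1)
        return false;
    return syn_cookie(secret, saddr, daddr, sport, dport, tick) == cookie;
}

/* Constructed scenario: client 198.51.100.7:40000 -> server 203.0.113.10:80 */
#define DEMO_SECRET 0x0123456789ABCDEFULL
#define DEMO_SADDR  0xC6336407u
#define DEMO_DADDR  0xCB00710Au

/* A real client echoes the SYN-ACK's sequence number back, so it verifies. */
bool demo_legit_client_completes(void) {
    uint32_t isn = syn_cookie(DEMO_SECRET, DEMO_SADDR, DEMO_DADDR, 40000, 80, 5);
    return syn_cookie_valid(DEMO_SECRET, DEMO_SADDR, DEMO_DADDR, 40000, 80, isn + 1, 6);
}

/* A spoofing attacker never sees the SYN-ACK and has to guess the ACK. */
bool demo_forged_ack_accepted(void) {
    return syn_cookie_valid(DEMO_SECRET, DEMO_SADDR, DEMO_DADDR, 40000, 80, 0x80000001u, 6);
}

int main(void) {
    printf("stateful listener refused %u of 1000 SYNs\n", flood_stateful(1000));
    printf("cookie: legit client %s, forged ACK %s\n",
           demo_legit_client_completes() ? "accepted" : "refused",
           demo_forged_ack_accepted() ? "accepted" : "refused");
    return 0;
}
```

With cookies the server spends no memory per SYN, so the spoofed flood costs it only CPU for the hash; the price is that TCP options carried in the SYN are lost unless they are encoded into the cookie too, which is why kernels enable cookies only once the real backlog is full.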
SMURF

• ICMP is used to handle errors and exchange control messages on a network
• The ping command sends ICMP echo requests and waits for echo replies

SMURF (continued)

• Main components involved in a SMURF attack
– Hacker, packet amplifiers or intermediate devices, and the target computer
– The hacker sends echo requests to the broadcast address of an intermediate network with the target's address as the spoofed source; every host on that network replies to the target, multiplying the traffic
– Routers that drop directed broadcasts from outside (the default on modern equipment) stop the network being used as an amplifier
• Automated tools have been developed
– That enable hackers to send these attacks simultaneously to several intermediaries
Fraggle

• Fraggle attacks are like SMURF DoS attacks
– But use UDP packets, aimed at the echo (port 7) or chargen (port 19) service
• Attacker uses a spoofed IP address to broadcast hundreds of UDP packets across a network
• Intermediate devices reply to the victim computer by sending hundreds of UDP echo reply packets
• Worst case for the victim is a system crash
• At the very least, the attack will produce excess network traffic


Known DDoS Attacks

• DDoS tools use distributed technology to generate a large network of hosts
• Hosts can attack thousands of computers via packet flooding
• Tools that can be used for DDoS attacks are Trinoo, Tribe Flood Network (TFN), and botnets


Trinoo

• Distributed tool used to launch coordinated UDP flood DoS attacks from multiple sources
• A Trinoo network consists of a small number of master hosts and a large number of daemon (agent) hosts
• The hacker's computer connects to a Trinoo master, and the master in turn controls the daemons
• Hacker instructs the master computer to begin DoS attacks
– Against one or more IP addresses


TFN

• Used to launch coordinated DoS flood attacks from multiple sources
• TFN has the capability to create packets with spoofed source IP addresses
• A TFN network can generate DoS attacks such as:
– UDP flood attacks
– TCP SYN flood
– ICMP echo request flood
– ICMP directed broadcast (Smurf)
• TFN follows the same master/agent principle as Trinoo


Botnets

• Botnets
– The general form of the DDoS tools above
– A bot is a program that surreptitiously installs itself on a computer so it can be controlled by a hacker
– A botnet is a network of robot, or zombie, computers
– Can harness their collective power to do damage
– Or send out huge amounts of junk e-mail


Prevention and Mitigation of DoS and DDoS Attacks

• Network administrators can use packet filtering on the IP routers to give basic access control
– This often slows router performance to an unacceptable point


Prevention Methods

• Network Address Translation (NAT) devices and the packet filters bundled with them
– Help prevent DoS by
– Refusing network traffic from specific TCP ports
– Limiting the network traffic coming from specific network addresses
– Scanning the network traffic for viruses or undesirable applications
• These solutions were designed to prevent DoS attacks on LANs and subnet systems
– Not meant for a Web environment, where the service must stay reachable by everyone


Prevention Methods (continued)

• Cisco CSS 11000 series switches give comprehensive Web site and server-system security
• Switches provide site-level safety as follows:
– DoS attack prevention
– Firewall security
– NAT
– Load-balancing


Prevention Methods (continued)

• Other preventive measures
– Implement router filters or ingress filtering
– Computers should constantly be updated with the relevant security patches
– Use intrusion-detection systems on networks containing Web servers
– Disable any unnecessary services on your system
– If supported, enable quotas on the operating system
– Important to establish baselines for activities, so that an attack can be told apart from a normal spike


Prevention Methods (continued)

• Measures for preventing DDoS attacks:
– Filter all the RFC 1918 address space by using access control lists (ACLs)
– Apply ingress and egress filtering using ACLs
– Rate-limit ICMP packets, if they are configurable
– Configure rate limiting for SYN packets
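The four measures above, as an added example written for this page (not taken from the course or from any router's configuration language): a source-address filter that implements the RFC 1918 and ingress/egress rules, and a token bucket of the kind a router's rate limiter uses for ICMP or SYN packets. The site prefix 203.0.113.0/24, the addresses and the rate figures are constructed; loopback is added to the bogon list beyond what the slide names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t net; uint32_t mask; } prefix_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static bool in_prefix(uint32_t ip, prefix_t p) {
    return (ip & p.mask) == p.net;
}

/* Source addresses that can never legitimately arrive from the Internet:
 * the RFC 1918 ranges the slide names, plus loopback (an addition). */
static const prefix_t BOGON_SRC[] = {
    { 0x0A000000u, 0xFF000000u },   /* 10.0.0.0/8 */
    { 0xAC100000u, 0xFFF00000u },   /* 172.16.0.0/12 */
    { 0xC0A80000u, 0xFFFF0000u },   /* 192.168.0.0/16 */
    { 0x7F000000u, 0xFF000000u },   /* 127.0.0.0/8 */
};

/* Constructed site prefix: 203.0.113.0/24 */
static const prefix_t OURS = { 0xCB007100u, 0xFFFFFF00u };

typedef enum { PASS, DROP_BOGON, DROP_SPOOFED_INTERNAL, DROP_SPOOFED_EGRESS } verdict_t;

/* Ingress: a packet arriving from outside. Private space is dropped, and
 * so is anything claiming one of our own addresses as its source. */
verdict_t ingress_filter(uint32_t src, prefix_t ours) {
    for (size_t i = 0; i < sizeof BOGON_SRC / sizeof BOGON_SRC[0]; i++)
        if (in_prefix(src, BOGON_SRC[i]))
            return DROP_BOGON;
    if (in_prefix(src, ours))
        return DROP_SPOOFED_INTERNAL;
    return PASS;
}

/* Egress: a packet leaving our network. A source outside our prefix is a
 * spoofed flood from a compromised host inside, such as a Trinoo or TFN
 * agent, and dropping it here stops us being used against someone else. */
verdict_t egress_filter(uint32_t src, prefix_t ours) {
    return in_prefix(src, ours) ? PASS : DROP_SPOOFED_EGRESS;
}

/* Token bucket, the usual shape of a router's "rate-limit ICMP" or
 * "rate-limit SYN": `rate` tokens per second refill up to `burst`, and
 * each packet costs one token. */
typedef struct { double tokens, rate, burst; uint64_t last_ms; } bucket_t;

bucket_t bucket_new(double rate, double burst) {
    bucket_t b = { burst, rate, burst, 0 };
    return b;
}

bool bucket_allow(bucket_t *b, uint64_t now_ms) {
    double refill = (double)(now_ms - b->last_ms) / 1000.0 * b->rate;
    double level = b->tokens + refill;
    b->tokens = level > b->burst ? b->burst : level;
    b->last_ms = now_ms;
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return true;
    }
    return false;
}

/* Constructed burst: n SYNs arriving in the same millisecond. Returns how
 * many the limiter lets through; the rest are dropped before the backlog. */
unsigned syn_burst_passed(unsigned n, double rate, double burst) {
    bucket_t b = bucket_new(rate, burst);
    unsigned passed = 0;
    for (unsigned i = 0; i < n; i++)
        if (bucket_allow(&b, 0))
            passed++;
    return passed;
}

int main(void) {
    printf("ingress 10.1.2.3     -> %d\n", ingress_filter(ip4(10, 1, 2, 3), OURS));
    printf("ingress 203.0.113.9  -> %d\n", ingress_filter(ip4(203, 0, 113, 9), OURS));
    printf("ingress 198.51.100.1 -> %d\n", ingress_filter(ip4(198, 51, 100, 1), OURS));
    printf("egress  198.51.100.1 -> %d\n", egress_filter(ip4(198, 51, 100, 1), OURS));
    printf("SYN burst of 100 at 10/s, burst 5: %u passed\n", syn_burst_passed(100, 10.0, 5.0));
    return 0;
}
```

The egress rule is the one that matters for the rest of the Internet: a site that drops packets it could not have legitimately sent cannot be used as a Smurf or TFN source, and that is what the RFC 1918 and ingress/egress bullets together amount to.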


Mitigation of DoS and DDoS Attacks

• Use a tool such as Tripwire
– To detect changes in the configuration information or in other files that would show a host has been turned into an attack agent
• Problem with mitigation of DoS attacks
– Attacks are easily mistaken for a small spike in network activity, and vice versa
• Upon detecting an attack
– Initiate blocking packets from the origin IP, or, as a last resort, to the victim
– Blocking all traffic to the victim finishes the attacker's job, so it belongs only where it protects the rest of the network

Mitigation of DoS and DDoS Attacks (continued)

• Patch machines and applications
• Stay current on new reports of DoS and DDoS attacks and systems
• Run an IDS system that alerts you when the network is experiencing unusual traffic or activity


Summary

• A denial-of-service attack is any network event that restricts or denies valid uses of a resource
• DoS attacks are caused by
– Vulnerability of the network architecture
– Vulnerability of a specific server system architecture
– Defects and bugs in the operating system or software
– Holes present within system security
• Three main groupings of DoS attacks: voluntary and involuntary attacks; flood and software attacks; and isolated and distributed attacks

Summary (continued)

• Known DoS attacks: TCP SYN, SMURF, and Fraggle
• DDoS attack tools include Trinoo, TFN, and botnets
• Methods of prevention for DoS attacks include
– Using Cisco CSS Web switches
– Implementing router filters or ingress filtering
– Constantly updating computers
– Monitoring the network to identify attack tools
– Disabling unnecessary system services
– Enabling quotas on the operating system

Summary (continued)

• Methods of prevention for DDoS attacks include
– Filtering all the RFC 1918 address space by using access control lists (ACLs)
– Applying ingress and egress filtering using ACLs
– Rate-limiting ICMP packets if they are configurable
– Configuring rate limiting for SYN packets
• Attempting to mitigate DoS and DDoS attacks can end up causing more harm than an actual attack


Computer Security and Penetration Testing

Chapter 12
Buffer Overflows

Objectives
• Describe buffer overflow
• List types of buffer overflows
• Identify techniques used to cause a buffer overflow
• Comprehend techniques used to detect buffer overflow conditions
• Understand methods used in preventing buffer overflows


Buffer Overflows

• Buffer overflow
– Condition common to languages that do not check array bounds at run time, such as the "C" language
– Happens when input applied to a variable is larger than the memory allotted to that variable
• When an attacker sends input in excess of the expected range of the value
– The target system will either crash or, if the input has been laid out carefully, execute the malicious code sent by the attacker


Standard Execution of a C program

• main function
– Entry point to the detailed code in the application
– Responsible for calling other functions
– Each of which executes a particular task, and may call other functions in turn
• Functions use variables to store values that may be kept temporarily (locals on the stack) or for the life of the program (globals, heap allocations)
• Once a function has completed, program control returns to the calling or invoking function, using a return address saved on the stack when the call was made

Standard Execution of a C program (continued)

• A buffer overflow bug targets the variables that functions use to store values
• Variables are assigned a fixed memory space to store the data
• A buffer overflow has the goal of overloading the memory space provided to the variable
• The extra characters are stored in memory that is not assigned to the variable: whatever happens to sit next to it, including the saved return address

Standard Execution of a C program (continued)

• A function whose variable has been overloaded is no longer able to determine the function that called it, because the saved return address has been overwritten
– With a garbage value this results in the crashing of the program
• Hackers are able to manipulate the value provided to the variable
– So that the bytes landing on the saved return address point to a specific memory location holding predetermined malicious code
• Buffer overflows are not always intentional attacks

Standard Execution of a C program (continued)

• Avoiding buffer overflows
– Check that no value greater than the memory assigned to the variable is ever copied into it
– Define the sequence of steps the program has to follow when input would not fit (reject, truncate and report, or re-allocate)
• Executable space protection
– On some operating systems the kernel can be configured (or patched) so that data pages such as the stack and heap are not executable; injected code then cannot run, although the overwrite itself still happens
– It is usually paired with stack canaries, which detect the overwrite before the function returns, and address-space layout randomization, which makes the addresses the attacker needs hard to guess


Types of Buffer Overflows

• Buffer overflows can be divided into two categories: stack overflow and heap overflow


Stack Overflow

• Programs use a memory stack area to store the values of local variables, one frame per active function call
• The stack is intended to ensure that there is sufficient memory space for all functions to operate
– Occasionally the stack is insufficient to complete the functions (deep or unbounded recursion) and an error is generated
• The stack also stores details regarding the function that called the currently executing function: the saved frame pointer and the return address
• That information is lost once the stack is corrupted

Stack Overflow (continued)

• Hackers write the data for a buffer overflow in such a manner that
– The address a function's saved pointers indicate is the address of code of the hacker's choosing
• Process of an exploit
– Hacker searches for a chance to overflow the buffer
– Hacker determines the memory assigned to the variable, and so the distance from it to the return address
– Hacker specifies a value greater than the maximum capacity of the variable
– The variable takes the value, and the excess lands on the saved return address

Stack Overflow (continued)

• Hacker checks for some specific functions to ascertain the possibility of a buffer overflow
– strcpy
– scanf (with an unbounded %s conversion)
– fgets (bounded, but overflows when the size argument is larger than the buffer)
– wstrcpy, wstrncat (the wide-character variants; wcscpy and wcsncat in standard C)
– sprintf
– gets
– strcat
• The "n" variants are not a fix by themselves: strncat's count is the space remaining, not the buffer size, and strncpy may leave the result without a terminator
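What the overflow does to the frame, as an added example written for this page and not the course's own code. Rather than overflowing the real stack (undefined behaviour, with an outcome that depends on the compiler), it lays a local buffer, saved frame pointer and return address out in a struct in the order the diagram shows, performs the unbounded copy into that struct, and compares it with the bounded copy that rejects over-long input. The frame layout, the caller's address 0x08048500 and the attacker's address 0xDEADBEEF are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A simulated stack frame laid out as the diagram and the x86 stack have
 * it: the local buffer at the lowest address, then the saved frame pointer,
 * then the return address. Writing past name[] therefore runs into
 * return_addr. The copies operate on this struct, not the real stack, so
 * the demonstration is well-defined C. Layout is constructed. */
typedef struct {
    char name[16];          /* the fixed-size local variable */
    uint32_t saved_ebp;
    uint32_t return_addr;   /* the "details regarding the function that called" us */
} frame_t;

#define LEGIT_RETURN 0x08048500u   /* constructed: the caller's address */
#define EVIL_RETURN  0xDEADBEEFu   /* constructed: where the attacker's code sits */

/* Vulnerable pattern: an unbounded copy of user input into name[], as
 * strcpy()/gets() would do. Capped at the frame only so the simulation
 * stays defined; a real strcpy() would keep going. */
void copy_unbounded(frame_t *f, const uint8_t *input, size_t len) {
    size_t room = sizeof *f;
    memcpy(f, input, len < room ? len : room);
}

/* Hardened: reject anything that does not fit together with its
 * terminator, and copy the terminator explicitly. */
int copy_bounded(frame_t *f, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof f->name)
        return -1;
    memcpy(f->name, input, n + 1);
    return 0;
}

/* Constructed attacker input: filler up to the return address slot, then
 * the address of the attacker's code in the machine's own byte order
 * (an exploit for x86 would write it little-endian by hand). */
static void build_payload(uint8_t *payload, size_t len) {
    uint32_t evil = EVIL_RETURN;
    memset(payload, 'A', len);
    memcpy(payload + offsetof(frame_t, return_addr), &evil, sizeof evil);
}

/* Returns the return address the function would jump to after the
 * unbounded copy: no longer the caller, but EVIL_RETURN. */
uint32_t return_addr_after_unbounded_copy(void) {
    frame_t f;
    uint8_t payload[sizeof(frame_t)];
    memset(&f, 0, sizeof f);
    f.return_addr = LEGIT_RETURN;
    build_payload(payload, sizeof payload);
    copy_unbounded(&f, payload, sizeof payload);
    return f.return_addr;
}

/* The bounded copy refuses the same over-long input and leaves the frame,
 * including the return address, untouched. Returns 1 on that outcome. */
int bounded_copy_rejects_overlong(void) {
    frame_t f;
    char long_input[sizeof(frame_t) + 1];
    memset(&f, 0, sizeof f);
    f.return_addr = LEGIT_RETURN;
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    int rc = copy_bounded(&f, long_input);
    return rc == -1 && f.return_addr == LEGIT_RETURN && f.name[0] == '\0';
}

/* Input that fits is still accepted, terminator included. */
int bounded_copy_accepts_short(void) {
    frame_t f;
    memset(&f, 0, sizeof f);
    return copy_bounded(&f, "alice") == 0 && strcmp(f.name, "alice") == 0;
}

int main(void) {
    printf("after unbounded copy, ret = 0x%08x (caller was 0x%08x)\n",
           (unsigned)return_addr_after_unbounded_copy(), (unsigned)LEGIT_RETURN);
    printf("bounded copy rejects over-long input: %d, accepts \"alice\": %d\n",
           bounded_copy_rejects_overlong(), bounded_copy_accepts_short());
    return 0;
}
```

The three exploit steps on the slide map onto build_payload: the distance from name[] to return_addr is what "determines the memory assigned to the variable", and the value written there is the "code of the hacker's choosing". A stack canary would sit between name[] and saved_ebp and be checked before the return, which is why it catches this pattern.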


Heap Overflows

• A heap is similar to a stack in that it provides memory to the application's various functions
• It provides memory that outlives a single function call
– Data stored on the heap can be used throughout various functions and commands, until it is explicitly freed
• Heap memory is allocated dynamically and accessed in no particular order, through pointers returned by malloc and similar calls
• The size of the heap usually grows as new allocations are made

Heap Overflows (continued)

• A heap overflow corrupts whatever lies next to the overflowed allocation: other objects' data, function pointers stored in them, or the allocator's own bookkeeping
• There is no saved return address on the heap; control of the instruction pointer, which points to the memory area where the next instruction to execute is stored, comes indirectly, by overwriting a function pointer or abusing the corrupted allocator metadata


More Methods for Causing a Buffer Overflow

• Traditional methods include
– Providing input values that are greater than the memory allocated for a variable
• This section details two other methods:
– Character-set decoding
– Nybble-to-byte compression


Character-Set Decoding

• Uses characters that the computer reads differently from the way they were counted, and that occupy more space once decoded
– A value may be checked as a count of characters, or in an encoded form such as URL or UTF-16, and then expand when the back end decodes or re-encodes it
• The additional bytes of data may cause the input value to exceed the memory limitation of the variable
• Applicable to situations in which the user specifies a value from an HTML page
• Becomes a weakness whenever a back-end script reads the code
– And, after expanding the value, results in a buffer overflow

Character-Set Decoding (continued)

• The size of the stack is computer-dependent
– A buffer overflow may not happen until a value that exceeds the space actually reserved is specified
• A buffer overflow may occur when the verification of the length of the input value is made only at the client side
– And the back-end script accepts it without performing its own checks
• Double validation
– Validate on the server as well as in the browser; the client-side check only improves usability, since an attacker controls the client and can submit anything directly to the back end
– The server-side check must be made on the decoded value, in bytes, against the real buffer size
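The expansion described above, as an added example written for this page rather than taken from the course. A browser-side rule limits a field to a number of characters; the back end stores the field as UTF-8 in a buffer sized in bytes on the assumption that one character is one byte. The example computes how many bytes an input that passes the client check would write past the buffer, and shows the server-side check that sizes on the encoded length instead. The field sizes, the euro-sign input and the function names are constructed; the UTF-8 encoder is the standard one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The client-side rule: at most MAX_CHARS characters. The back end stores
 * the field as UTF-8 in a FIELD_BYTES buffer, sized on the assumption that
 * one character is one byte. Both sizes are constructed for the example. */
#define MAX_CHARS   8
#define FIELD_BYTES 8

/* UTF-8 bytes needed for one code point; 0 for an invalid code point. */
size_t utf8_len(uint32_t cp) {
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;
    if (cp < 0x10000) return (cp >= 0xD800 && cp <= 0xDFFF) ? 0 : 3;
    if (cp <= 0x10FFFF) return 4;
    return 0;
}

/* What the client checks: the character count only. */
bool client_length_check(size_t nchars) {
    return nchars <= MAX_CHARS;
}

/* What the back end actually writes; (size_t)-1 if any code point is invalid. */
size_t encoded_len(const uint32_t *cps, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = utf8_len(cps[i]);
        if (l == 0)
            return (size_t)-1;
        total += l;
    }
    return total;
}

/* Bytes the naive back end would write past its buffer (0 = fits). */
size_t overflow_bytes(const uint32_t *cps, size_t n) {
    size_t need = encoded_len(cps, n);
    return (need != (size_t)-1 && need > FIELD_BYTES) ? need - FIELD_BYTES : 0;
}

/* Hardened back end: validate on the byte length after decoding, never on
 * the client's character count. Returns bytes written, or -1 on reject. */
int encode_checked(const uint32_t *cps, size_t n, uint8_t *out, size_t cap) {
    size_t need = encoded_len(cps, n);
    if (need == (size_t)-1 || need > cap)
        return -1;
    size_t p = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = cps[i];
        switch (utf8_len(cp)) {
        case 1:
            out[p++] = (uint8_t)cp;
            break;
        case 2:
            out[p++] = (uint8_t)(0xC0 | (cp >> 6));
            out[p++] = (uint8_t)(0x80 | (cp & 0x3F));
            break;
        case 3:
            out[p++] = (uint8_t)(0xE0 | (cp >> 12));
            out[p++] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            out[p++] = (uint8_t)(0x80 | (cp & 0x3F));
            break;
        default:
            out[p++] = (uint8_t)(0xF0 | (cp >> 18));
            out[p++] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
            out[p++] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            out[p++] = (uint8_t)(0x80 | (cp & 0x3F));
            break;
        }
    }
    return (int)p;
}

/* Constructed inputs: eight euro signs (U+20AC, 3 bytes each) and "abc". */
static const uint32_t EURO8[8] = { 0x20AC, 0x20AC, 0x20AC, 0x20AC,
                                   0x20AC, 0x20AC, 0x20AC, 0x20AC };
static const uint32_t ABC[3] = { 'a', 'b', 'c' };

/* The hardened back end storing into its real FIELD_BYTES buffer. */
int store_in_field(const uint32_t *cps, size_t n) {
    uint8_t field[FIELD_BYTES];
    return encode_checked(cps, n, field, sizeof field);
}

int main(void) {
    printf("8 euro signs: client check %s, would overflow by %zu bytes, store -> %d\n",
           client_length_check(8) ? "passes" : "fails",
           overflow_bytes(EURO8, 8), store_in_field(EURO8, 8));
    printf("\"abc\": store -> %d bytes\n", store_in_field(ABC, 3));
    return 0;
}
```

Eight characters pass the browser's rule yet encode to 24 bytes, three times the buffer; the naive back end would write 16 bytes past it. The hardened path measures the encoded length first, which is the "double validation" the slide calls for, done on the value the buffer will actually hold.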


Nybble-to-Byte Compression

• Compression of the data that is passed as the input value to variables of the function that might be overflowed
• The method packs two 4-bit values (nybbles) into each byte, so the payload uses the buffer more efficiently and carries a higher amount of data
• The focus is to minimize the size of the injected code
– So hackers can fit roughly double the amount of code into the buffer (a short stub has to unpack it again before it runs)


Buffer Overflows: Detection and Prevention

• Identify programming practices and functions that are potentially vulnerable to buffer overflow

Detecting Buffer Overflow

• Identify the functions and variables that can lead to buffer overflows
• Check the reaction of the application whenever a large set of character data is supplied to a variable
– The function may include length verification
– And thus return an error message if the data exceeds the expected size
• Can be a painstaking, tedious process
– Because all variables that accept values must be checked


Detecting Buffer Overflow (continued)

• Precaution should be taken to ensure that the input data is provided in the correct format
• For interactive Web pages
– Consider that the hidden fields are also part of the input that is given to the string
• When specifying the input data
– Check how embedded NUL (0x00) bytes are handled: a C string function stops at the first NUL while a length-counted copy does not, so a NUL can make a length check and the copy that follows it disagree


Preventing Buffer Overflow

• After a buffer overflow exploit has been detected
– The probability of its existence in other applications by the same vendor is higher
• The bug is typically fixed by programming the functions to perform an input validity check
• A bounded copy must leave room for, and write, the null terminator
– A copy that fills the buffer without one lets the next string function read past the end (the well-known strncpy pitfall); a terminator on its own does not prevent the overflow if too many bytes have already been written

Preventing Buffer Overflow (continued)

• Consider developing specific programming guideline policies for your organization
• Having, understanding, and applying secure-coding best practices may not be entirely foolproof
• Options are available to avoid the use of function calls that are vulnerable to buffer overflows

Preventing Buffer Overflow (continued)

• Checks must be made to validate the input values in both new and old applications
• Software can be installed to keep a continuous check on buffer overflow conditions
– Compiler stack protectors in production, and address-sanitizing builds during testing
• Software must be updated with all available security patches


Summary

• Buffer overflow
– Common in languages without run-time bounds checking, such as C
– Happens when input applied to a variable is larger than the memory allotted to that variable
• A buffer overflow bug targets the variables that functions use to store values
• The best ways to avoid buffer overflow are programmatic
• Two main categories of buffer overflow: stack overflow and heap overflow

Summary (continued)

• Three steps in the traditional process of buffer overflow:
– Hacker searches for a chance to overflow the buffer
– Hacker determines the memory assigned to the variable
– Hacker specifies a value greater than the maximum capacity of the variable
• Two less-traditional methods
– Character-set decoding
– Nybble-to-byte compression

Summary (continued)

• To identify the functions and variables that can lead to buffer overflow, the reaction of the application to over-long input has to be checked
• If a buffer overflow exploit has been detected, the probability of its existence in other applications by the same vendor is high
• Buffer overflow can be prevented by programming the functions to perform an input validity check