Everhart, Glenn

From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Saturday, July 25, 1998 9:28 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Buffer overflows on NT - what is the risk?

Moderator's note: Given the number of responses to Roy's message, I have summarized them here.

------------------------------------------------------------

From: "Phil Brass"

Buffer overflows have been exploited, publicly (on this list I believe), by the l0pht people. They demonstrated how to exploit a buffer overflow in Internet Explorer when browsing to a specific malformed URL. The exploit downloaded a file and ran it, unbeknownst to the user.

Phil

------------------------------------------------------------

From: Adam Shostack

Ezekial Morrow posted the construction of a buffer overflow for SLmail here July 9th. Dildog of the l0pht has a paper entitled "The Tao of Windows buffer overflows."

Were I a cynic, I would suggest that the fact that buffer overflows are known to be in use on unix systems has more to do with proper logging and IDS tools than the difficulty of writing effective windows buffer overflows. In a less cynical mood, I'd suggest that the interesting access via NBT sessions, various RPC things, and other means of access are more popular because they're easier than writing a new bo. On unix, we've got that sort of side access mostly tied down.

Adam

------------------------------------------------------------

From: Paul Leach

The source for many Unix services is available, and buffer overruns are reasonably easy to detect by inspection of the source (even by an automated inspection). Since NT source isn't, even assuming it had as many buffer overrun bugs (and I make no statement one way or the other on that point), fewer would get exploited. On the flip side, fewer good guys look over the source to try and weed out the problems before they happen.

Other than that, I think they pose the same potential risk on either platform.

------------------------------------------------------------

From: "Holbrook, Charles J."

As far as I can tell it can be exploited. cDc wrote a nice little article as well as source code of how to do this.

http://www.cultdeadcow.com/cDc_files/cDc-351/

------------------------------------------------------------

From: "Adam Maloney"

The difference here is that many unix buffer overflows drop you to root, and that can't really be done on NT. What's more fun to Joe Hax0r? Dropping an NT box (heck, anyone can do that), or "w00ting" the mighty unix...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------------------------------------

From: Ervin Fried

No and yes. For some explanations and ideas read:

http://www.cultdeadcow.com/cDc_files/cDc-351/

Also, read the ntbugtraq post:

subject: SLMail 3.0.2421 Stack Overflow...
from: Ezekial Morrow
date: Wed, 8 Jul 1998 17:32:02 PDT

------------------------------------------------------------

From: Alex Belits

Buffer overflows on Unix and NT are equally dangerous and exploitable; however, people who write and use exploits of this kind are currently disinterested in NT ones.

As a lot of attempts to overcome the problem for insecurely written code have shown, it's relatively easy to make buffer overflows less likely to succeed at the expense of a significant slowdown of the program when it runs normally (change the compiler to modify function call and return code), and it's possible to eliminate the most commonly used version of buffer overflow by introducing incompatibility with existing compiled code (change the OS to make the stack nonexecutable). AFAIK neither of the two things was done in NT, and both of them still allow denial of service in all cases (the program crashes and should be restarted; some data in the crashed program's memory is overwritten before the crash is detected), and successful exploits are still possible after both with a more complex technique.

--
Alex

------------------------------------------------------------

From: Paul Vilevac

Roy,

In short, a buffer overflow on an NT box can be exploited to execute any arbitrary commands. Take a moment or ten to read over DilDog of the Cult of the Dead Cow's impressive "The Tao of Windows Buffer Overflow" at http://www.cultdeadcow.com/cDc_files/cDc-351/ for further information.

NT is not Unix; it tries, but it's its own thing.

Paul
(Not affiliated with or a member of the cDc.)
(On site)

------------------------------------------------------------

From: Weld Pond

There have been several buffer overflows that have been exploited in the Internet Explorer posse of applications. DilDog cut his teeth working with a few in IE 3 and IE 4. He then documented his techniques for exploiting a buffer overflow in NetMeeting in the seminal "The Tao of Windows Buffer Overflow" which is available at http://www.cultdeadcow.com/cDc_files/cDc-351/

Buffer overflows are a little harder to exploit in windows but using the code in "The Tao" should get you up to speed quickly. He talks about techniques for getting the overflow code to download a file over the net and then exec it. Back Orifice, which will be released at DefCon, is the perfect file to download and exec from a buffer overflow if you want to completely compromise a machine.

Weld Pond - weld@l0pht.com - http://www.l0pht.com/~weld
L 0 p h t H e a v y I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio

------------------------------------------------------------

From: Crispin Cowan

Absolutely stack smashes are a security vulnerability on NT. I have attached two different security alerts for MS Internet Explorer. In at least one of them, a hostile web page can seize control of your browser on both Win95 and NT.

Crispin

------------------------------------------------------------

From: Gilad Ben-Yossef

hmpf..

Well, I need to administer from afar a certain NT machine. I am the legitimate administrator of the machine, and have the Admin account, but even as such I am having trouble making some changes to the machine configuration from afar over the Net, let alone perform any software upgrades. Need I say I can't really run an arbitrary program from afar (don't remind me of remote console service, I am still trying to forget it ;-)

Taking this into account, what do you expect a cracker to do? The buffer overflow lets him run arbitrary code as a privileged user, but I am the most legit privileged user on the machine and still I have a problem performing certain tasks...

Of course, on Unix the root user would have no problem doing these things (e.g. add an IP address) remotely, hence a cracker has the chance to do so too, if he finds a buffer overflow bug, but that really belongs to a different mailing list... ;-)

Gilad Ben-Yossef
gilad@benyossef.com

------------------------------------------------------------

From: "Neon Surge"

NT Buffer Overflows have not 'publicly' been exploited because no one has stepped forward to say that it can be done. It really is that simple.

NeonSurge
The Rhino9 Security Research Team
rhino9.ml.org

------------------------------------------------------------

From: Tracy R Reed

They are potential remote access issues if someone can exploit them. NT does not seem to be nearly as flexible as Unix is, for better or worse. Unix is designed with the concepts of stdio, shells, etc. This makes it fairly easy to system off a shell in a buffer overflow and get its input associated with the port or tty you are on. NT tends not to have such convenient abstractions. You have to jump through many ugly hoops to get NT to do anything useful in a buffer overflow exploit.

I recently read a piece on how to do buffer overflows in win32, with source, but I don't recall where. The author wasn't able to accomplish anything as handy as a shell though.

--
Tracy Reed
http://www.ultraviolet.org
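The bug class the whole thread turns on is an unbounded copy of network input into a fixed-size stack buffer, the pattern behind the SLmail and Internet Explorer reports mentioned above. The following C example is added here and is not code from any of the posters or the products discussed: it places that pattern beside a hardened handler that refuses over-long lines before touching the buffer, and runs the hardened version over constructed sample input (the 64-byte buffer size and the SMTP-like lines are assumptions for illustration).

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 64   /* hypothetical fixed-size stack buffer */

/* The bug pattern the thread discusses: attacker-controlled input copied
 * into a fixed-size stack buffer with no length check. Kept only for
 * comparison; it is never called in this example. */
int handle_line_unsafe(const char *line)
{
    char buf[LINE_MAX_LEN];
    strcpy(buf, line);          /* longer input overwrites the stack frame */
    return (int)strlen(buf);
}

/* Hardened handler: verify the line (plus terminator) fits before copying,
 * and refuse it outright rather than truncating silently.
 * Returns the copied length, or -1 when the line is rejected. */
int handle_line_safe(const char *line)
{
    char buf[LINE_MAX_LEN];
    size_t n = strlen(line);
    if (n >= sizeof buf)
        return -1;              /* would not fit: reject, no write happens */
    memcpy(buf, line, n + 1);   /* bounded copy including the terminator */
    return (int)n;
}

/* Runs the hardened handler over constructed input: two ordinary
 * protocol lines and one 300-byte line of the kind an overflow probe
 * sends. Returns how many of the three lines were rejected. */
int count_rejected_lines(void)
{
    char longline[301];
    const char *lines[3];
    int rejected = 0;
    size_t i;

    memset(longline, 'A', 300);
    longline[300] = '\0';
    lines[0] = "HELO example.test";
    lines[1] = "MAIL FROM:<user@example.test>";
    lines[2] = longline;

    for (i = 0; i < 3; i++)
        if (handle_line_safe(lines[i]) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected %d of 3 lines\n", count_rejected_lines());
    return 0;
}
```

Only the length check differs between the two handlers; the rejected line is exactly the one that would have overwritten the return address in the unsafe version.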