July 22nd, 2003 04:13 AM
MSN buffer overflow or DoS?
I was searching around for socks5 servers originally when i came across this:
Now, who ever wrote this i dont feel wrote it well, and im sure most of you know the theory behind a buffer overflow, but for those of you that dont i will be so kind as to get you up to speed real quick so that you might be able to fllow along better. A buffer overflow occurs when a program or process tries to store more data in a buffer than what was intended to hold, since buffers are usually ment to contain a finite amount of data the extra info goes into adjacent buffers, corrupting them or over writing them (hence a stack based buffer overflow, when a attacker sends a set of instructions to the victims computer to be executed in hopes of at a minimum obtaining a terminal winow to execute further commands on to esculate priv's)
So, with that out of the way I began to ask myself some questions after reading this article. Such as what kind of threat does this exploit serve? Under what circumstances would this exploit work?(I.E. what versions would be affected, would any other MS services have to be running, what versions of windows, etc, etc) And last, is this really a buffer overflow or a DoS, and i ask myself this because i am failing to see at what point this would gain an attacker any kind of the usuall objects of desire like i mentioned before, a command line. Also, i fail to see how such instructions that are crafted in packets in a typical buffer overflow exploit, could be inserted into a picture. Its is because of these questions that I am unsure weather this is actually a buffer overflow or a DoS, and i say DoS because one line of this article stood out to me:
now you have "uncompleted picture", to cause a buffer overflow send it to your friend several times (depend on the size of the picture) and it will cause a buffer overflow.
This statement sounds more like a DoS to me then a buffer overflow, but either way, this sounds to be a very very easily executed exploit, and if it works under a wide variety of circumstances it could possibley be dangerous just due to the fact that it is a very simple exploit. I plan on looking more into this and see if its just a bunch of BS or possibley a threat, and if so then i would like to find ways of prevention. What are you guys thinkin about all this?
Don\'t be a bitch! Use Slackware.
July 22nd, 2003 05:09 AM
a buffer overflow can cause allot of things or nothing. if one gets a shell i wouldnt call that the minimum. thats pretty up there on the scale it all depends on what is running in the adjacent memory (buffer) and how much space is left over for a payload after the buffer overflows, etc.. to acheive DoS with an overflow is somewhat of an accomplishment to find (not to do).
I guess what im trying to say is: A buffer overflow can cause a deprivation of service so they can be one and the same.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
July 22nd, 2003 04:18 PM
To my knowledge the difference between a buffer overflow and a DoS is a buffer overflow contains code that when the buffer overflows, a return address in the exploits code is returned to the stack instead of the call that was being executed. This return address executes a call to say an execv on a shell which, dependent on the privileges of the program that is being exploited, will give the attacker that programs privileges.
Whereas a DoS is simply an attacker sending more traffic to a given host than the data buffer can handle.
In effect a DoS is a generalisation of a buffer overflow.
As i said thats my understanding of the matter.
So in response to your query, i agree that this is a DoS
July 22nd, 2003 04:29 PM
From my understanding a buffer overflow is the general condition described, but a DoS can occur if the overflow crashes an important service or causes 100% CPU utilization.
$person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
July 22nd, 2003 05:56 PM
A Denial of Service attack merely means that an attacker has interfered or prevented legitimate usage of a service. This could be achieved in many ways such as flooding,resource hogging, crashing the daemon,or a buffer overflow(which may lead to crashing the service). In regards to this specfifc case the author did not detail exactly what it is that happens so it's hard to say whether its an exploitable exception or not, If your're really interested I suggest attaching a debugger to MSN and recreating the error. Its probably related to file size not macthing the size of the image in the header of the file, perhaps a specially crafted file could contain shellcode for a reverse shell. It all depends whether this is actually an overflow and whether it allows someone to control program flow and overwrite the stack.
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
July 23rd, 2003 12:10 AM
Excellent response, Maestr0. You probably hit the nail on the head. I suspected what you did about file size. I read the referenced article and it is reminiscent of the problems caused by files with no EOF (End of File) tags in the old days. These would cause no end of problems on some systems.
I would be interested in hearing from anyone who works at patching buffer overflow issues with reference to what impact partial or unterminated files (as described in the referenced article) have on buffers and if there are ways to further protect against that.
July 23rd, 2003 12:53 AM
Bah, Dos is an operating system, and buffer overflows are things only programmers have to worry about when using operations in their code.
/me wakes up
Damnit another dream, nevermind.