2.7. Notable Vulnerabilities
This section describes examples of notable buffer overflow vulnerabilities resulting from incorrect string handling. Many well-known incidents, including the Morris worm and the W32.Blaster.Worm, were the result of buffer overflow vulnerabilities.
Many UNIX systems provide the rlogin program, which establishes a remote login session from its user’s terminal to a remote host computer. The rlogin program passes the user’s current terminal definition as defined by the TERM environment variable to the remote host computer. Many implementations of the rlogin program contained an unbounded string copy—copying the TERM environment variable into an array of 1,024 characters declared as a local stack variable. This buffer overflow can be exploited to smash the stack and execute arbitrary code with root privileges.
CERT Advisory CA-1997-06, “Vulnerability in rlogin/term,” released on February 6, 1997, describes this issue.2 Larry Rogers provides an in-depth description of the rlogin buffer overflow vulnerability [Rogers 1998].
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.3
A vulnerability exists in the Kerberos 4 compatibility code contained within the MIT Kerberos 5 source distributions. This vulnerability allows a buffer overflow in the krb_rd_req() function, which is used by all Kerberos-authenticated services that use Kerberos 4 for authentication. This vulnerability is described further in the following:
- “Buffer Overrun Vulnerabilities in Kerberos,” http://web.mit.edu/kerberos/www/advisories/krb4buf.txt
- CERT Advisory CA-2000-06, “Multiple Buffer Overflows in Kerberos Authenticated Services,” www.cert.org/advisories/CA-2000-06.html
It is possible for an attacker to gain root access over the network by exploiting this vulnerability. This vulnerability is notable not only because of the severity and impact but also because it represents the all-too-common case of vulnerabilities appearing in products that are supposed to improve the security of a system.