The Security Breach
A buffer overrun occurs when a malicious user exploits an unchecked buffer in a program and overwrites the program code with new executable code of their choosing. The result? The malicious user has changed the program's operation, which is now controlled by the attacker. In a buffer overflow, the attacker floods a field, such as a URL address bar or the input to a web server CGI application such as a form, with more characters than it can accommodate. These excess characters can contain the executable code of an attacker, effectively giving him or her control of the user's computer.
Many of these scenarios can occur when using the Microsoft Internet Explorer, Mozilla, or Netscape browsers. All contain a buffer overflow vulnerability when handling embedded objects in HTML documents. Like the scenario described above, this vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page, downloads a file, or views an HTML email message. It could also allow local documents on a system to be viewed by a remote attacker. Sometimes the breach is in the form of a denial-of-service (DoS) attack that kills the application, and sometimes it can allow a remote or local user to gain administrative privileges on the vulnerable system.
The security breach resides primarily with the programmer who is careless when coding the software application. What usually happens is that a junior programmer makes space, upon request of a senior developer, for a certain number of characters in an input field, and doesn't include a check in the code for what to do if the program is sent excess characters, thus opening the application to a buffer overrun and security breach. In some cases, programmers are not even checking the input to their applications.
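The careless pattern just described, beside its checked form, as an added C example that is not from the original article or any of the products it names; the field size, function names and sample inputs are hypothetical and constructed here:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_SIZE 16   /* hypothetical fixed-size input field */

/* The careless pattern the article describes: room is reserved for
 * FIELD_SIZE characters, but the copy never consults the input length.
 * Anything longer than FIELD_SIZE - 1 characters runs off the end of
 * field[] and overwrites whatever lies beyond it. Shown for contrast
 * only; it is never called with untrusted input here. */
void unchecked_copy(char field[FIELD_SIZE], const char *input)
{
    strcpy(field, input);   /* no bounds check: the buffer overrun */
}

/* Length of s, reading at most limit bytes (stops at NUL or limit). */
size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Checked form: measure first, then refuse anything that does not fit
 * together with its terminating NUL. Returns 0 on success and -1 when
 * the input is rejected; on rejection the field is left empty rather
 * than silently truncated, so the caller can report the oversized input. */
int checked_copy(char *field, size_t field_size, const char *input)
{
    size_t len = bounded_len(input, field_size);
    if (len >= field_size) {
        field[0] = '\0';
        return -1;
    }
    memcpy(field, input, len + 1);  /* includes the NUL; fits by construction */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one exactly at the limit. */
    const char *inputs[] = { "Sandblad", "1234567890123456" };
    char field[FIELD_SIZE];
    for (size_t i = 0; i < 2; i++) {
        int rc = checked_copy(field, sizeof field, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 16-character input is rejected because the field holds only 15 characters plus the terminating NUL; the unchecked version would have written one byte past the end.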
Other breaches take advantage of the buffer overrun flaw in software applications:
Users of NullSoft's popular WinAmp player should upgrade to version 2.80 to avoid a vulnerability reported on the Bugtraq mailing list by Swedish security researcher Andreas Sandblad and confirmed by the company. The buffer overflow condition can be exploited, with some difficulty, by using the ID3v2 tag that contains information about the audio file, such as artist, title, images, and so on. It can also contain quite a bit more than that. Indeed, it can contain a separate file and can be as much as 256MB in total size.
A buffer overrun vulnerability is also involved in the operation of the chunked encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0. An attacker who exploits this vulnerability could overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server.
A vulnerability in the parameter handling to the Flash OCX could lead to the execution of attacker-supplied code via email, web, or any other avenue in which Internet Explorer is used to display HTML that an attacker can supply. This includes software that uses the web browser ActiveX. All users of Internet Explorer are potentially affected, because this is a Macromedia-signed OCX.
A buffer overrun vulnerability in IIS 4.0, 5.0, and 5.1 results from an error in safety checks performed during server-side includes. In some cases, a user request for a web page is properly processed by including the file into an ASP script and processing it. Prior to processing the include request, IIS performs an operation on the user-specified filename, designed to ensure that the filename is valid and sized appropriately to fit in a static buffer. However, in some cases it could be possible to provide a bogus, extremely long filename in a way that would pass the safety check, thereby resulting in a buffer overrun.
Because these kinds of attacks enable anyone to take total control of a host, they represent one of the most serious classes of security threats.