LINUX TIPS AND TRICKS --- July 07, 2000

Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************

Avoiding Buffer Overflows
by Danny Kalev

Buffer overflows are a fertile source of bugs and malicious attacks.
They occur when a program attempts to write data past the end of a 
buffer. Consider this example:

    #include <stdio.h>
    int main()
    {
     char buff[15] = {0};  /*zero initialize all elements*/
     printf("enter your name: ");
     scanf("%s", buff); /*dangerous, length unchecked*/
     return 0;
    }

The program reads a string from the standard input (the keyboard). The 
problem is that it doesn't check the string's length. If the string has 
more than 14 characters, scanf() writes the remaining characters past 
the end of buff, causing a buffer overflow (remember that one character 
is always reserved for the null terminator). The result is most likely a 
segmentation fault that crashes the program. Under certain conditions, 
the user will be left at a shell prompt after the crash. Even if that 
shell has restricted privileges, they can examine the values of 
environment variables, list the files in the current directory, or probe 
the network with the ping command.

That's not the worst thing that can happen, though. A more dangerous 
situation is when the program doesn't crash after a buffer overflow. An 
expert who is familiar with the system's internals can craft a string 
that is just long enough to overwrite the program's IP (instruction 
pointer, a pointer to the program's next instruction). If the last 4 
bytes of such a string contain a valid memory address, the program's 
flow can be altered: instead of executing the next instruction, the 
program executes the code to which the new IP points. It might call 
another routine, skip code that performs security checks, etc. I will 
not go through the gory details here, but this isn't an unlikely 
scenario. Some famous break-ins are based on exploiting such buffer 
overflows. One well-documented example is the Red Hat 4.2 suidperl bug, 
which resulted from using the function sprintf() (see 
http://www.ryanspc.com/exploits/perl.txt for further information).

What can you do to avert buffer overflows? Always check the bounds of 
the buffer before writing to it. If this is impossible (e.g., when the 
input is coming from a CGI script), use functions that limit the number 
of input characters. For instance, instead of scanf(), use the fgets() 
function, which reads characters up to a specified limit:

    #include <stdio.h>
    int main()
    {
     char buff[15] = {0};
     fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/
     return 0;
    }

Additionally, the standard string functions have versions that take an 
explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf(), 
use strncpy(), strncmp(), and snprintf(), respectively.
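The following program is an added example, not code from the article, 
showing the size-limited functions above used the way a careful 
programmer would use them on the same 15-byte buffer. The names 
NAME_LEN, read_line_bounded(), copy_bounded(), format_greeting() and 
run_checks() are chosen here, and the input lines fed through a 
temporary file are constructed test data. It covers the two details 
the plain calls hide: fgets() leaves the unread rest of a long line in 
the stream, and strncpy() does not null-terminate when the source is 
as long as the limit.

```c
/* Bounded input handling in C (added example, not from the article).
 * NAME_LEN, read_line_bounded, copy_bounded, format_greeting and
 * run_checks are names chosen for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 15   /* 14 characters plus the null terminator, as in the article */

/* Read one line from `in` into buf (size n).
 * Returns  1 if the whole line fit (trailing newline removed),
 *          0 if the line was longer than the buffer (the rest is discarded),
 *         -1 on EOF or read error (buf is set to ""). */
int read_line_bounded(char *buf, size_t n, FILE *in)
{
    size_t len;
    int c;

    if (n == 0)
        return -1;
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* fgets stopped after n-1 characters without seeing '\n'. Look at the
     * next character: end of file or a newline means the line fit exactly;
     * anything else means it was cut off, so drain the rest of the line so
     * it cannot be mistaken for the next input. */
    c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 0;
}

/* strncpy() writes no null terminator when src has n-1 or more bytes, so the
 * caller must add one. Returns 1 if the whole string fit, 0 if truncated. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    strncpy(dst, src, n - 1);   /* copies at most n-1 bytes, pads with NULs if shorter */
    dst[n - 1] = '\0';          /* guarantee termination */
    return strlen(src) < n;     /* 1 when nothing was cut off */
}

/* snprintf() never writes more than n bytes (including the terminator) and
 * returns the length the full output would have had, so a return value of
 * n or more signals truncation. Returns 1 if the greeting fit, 0 if not. */
int format_greeting(char *dst, size_t n, const char *name)
{
    int needed = snprintf(dst, n, "hello, %s", name);
    return needed >= 0 && (size_t)needed < n;
}

/* Exercise the helpers on constructed input; returns the number of checks
 * that passed (7 when everything behaves as documented). */
int run_checks(void)
{
    char buff[NAME_LEN];
    int passed = 0;
    FILE *in = tmpfile();   /* constructed stand-in for stdin */

    if (in == NULL)
        return 0;
    fputs("Danny\nAbcdefghijklmnopqrstuvwxyz\n", in);   /* constructed input */
    rewind(in);
    passed += read_line_bounded(buff, sizeof buff, in) == 1 && strcmp(buff, "Danny") == 0;
    passed += read_line_bounded(buff, sizeof buff, in) == 0 && strcmp(buff, "Abcdefghijklmn") == 0;
    passed += read_line_bounded(buff, sizeof buff, in) == -1 && buff[0] == '\0';
    fclose(in);

    passed += copy_bounded(buff, sizeof buff, "Kalev") == 1 && strcmp(buff, "Kalev") == 0;
    passed += copy_bounded(buff, sizeof buff, "Abcdefghijklmnopq") == 0 && strlen(buff) == NAME_LEN - 1;
    passed += format_greeting(buff, sizeof buff, "Dan") == 1 && strcmp(buff, "hello, Dan") == 0;
    passed += format_greeting(buff, sizeof buff, "Danny Kalev") == 0 && strcmp(buff, "hello, Danny K") == 0;
    return passed;
}

int main(void)
{
    char buff[NAME_LEN];

    printf("enter your name: ");
    fflush(stdout);
    if (read_line_bounded(buff, sizeof buff, stdin) == 0)
        printf("name truncated to %d characters\n", NAME_LEN - 1);
    printf("hello, %s\n", buff);
    return run_checks() == 7 ? 0 : 1;
}
```

Note that each helper reports truncation to its caller instead of 
silently shortening the data; a program that must not accept 
truncated input (a filename, a command) can then reject it rather 
than operate on a partial value.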


Resources

Help! I've lost my memory! 
Before you scream "Memory leak!" take a look at how SunOS and Solaris 
handle your precious RAM.
http://www.sunworld.com/sunworldonline/swol-10-1995/swol-10-perf.html

How to detect a break-in 
Why worry? Because your site may be among the 98 out of 100 sites that 
fail to detect break-ins when they occur. Here is an exhaustive list of 
methods for break-in detection.
http://www.sunworld.com/sunworldonline/swol-07-1997/f_swol-07-security.html

************************************************************************

About the author
----------------
Danny Kalev is a system analyst and software engineer with more
than 10 years of experience, specializing in C++ and
object-oriented analysis and design on various platforms including
VMS, DOS, Windows, Unix, and Linux. His technical interests involve
code optimization, networking, and distributed computing. He is
also a member of the ANSI C++ standardization committee and the
author of ANSI/ISO C++ Professional Programmer's Handbook (Que,
1999). Contact him at linuxnl@excite.com.
 
*********************************************************************

CUSTOMER SERVICE

You can subscribe or unsubscribe to any of your e-mail newsletters by 
updating your form at: 
http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html?

For subscription changes that cannot be handled via the web, please send 
an email to our customer service dept: support@itworld.com

*********************************************************************

CONTACTS

* For editorial comments, write Andrew Santosusso, Associate Editor, 
Newsletters at: andrew_santosusso@itworld.com
* For advertising information, write Dan Chupka, Account Executive at:
dan_chupka@itworld.com
* For all other inquiries, write Jodie Naze, Product Manager,
Newsletters at: jodie_naze@itworld.com

*********************************************************************

Copyright 2000 ITworld.com, Inc., All Rights Reserved. 

http://www.itworld.com
