Hacker Attack Techniques Summary: The Overflow Attack Method

xiaoxiao, 2021-03-06

Principle: Pour a bowl of water into a cup; when the cup cannot hold it all, we say the water overflows. In everyday terms, an overflow happens when liquid is poured into a container whose capacity is limited. The overflow discussed in hacker techniques is essentially the same: when a piece of data exceeds the range that its handling program allows for, the data overflows. In general, some systems do not check the data they receive strictly enough, and this is what makes an overflow possible. For some unintended operations an overflow merely causes the process to report an error or behave abnormally, which is not very serious. Some people find this strange: is an abnormality not serious? This is the actual situation. What we are dealing with here are service applications shared by many users; usually a service process creates a child process to respond to and serve each user request. If that child process receives a packet with no particular meaning that exceeds its limits, it usually just terminates, while the parent process and the other child processes are unaffected, so the harm to the system is small. However, if the packet is carefully constructed (see the earlier special character construction method), then at the overflow point there may be well-planned code, so that this code is executed on the server and it becomes possible to take control of the system. The danger of overflow attacks is that most system designers cannot completely anticipate and prevent every possible form of overflow during design, so almost any service system of a certain complexity is susceptible to overflow attacks; some of these have been discovered and some have not. From WU-FTP, Sendmail, IIS and QMAIL to Apache, almost all of the world's widely used network service systems have had vulnerabilities that lead to overflow attacks, and each such vulnerability is extremely dangerous (it can let the attacker gain control of the service system). Why is it this dangerous?
When a program is executed, its code segment (here not the source code the programmer wrote, but the assembly instructions produced by compilation and processing) is placed in memory, and the data processed by that code is also placed in memory; usually the data segment sits in front of the code segment. Be clear on this point: the computer does not know which bytes are code and which are data; it sees only 0s and 1s, high and low. Normally data and code stay apart, but if the data exceeds the bounds of the data segment it occupies the location of the code segment. If the submitter of the data did this unintentionally, the result is usually code that cannot be executed, and the child process crashes. But if the data is well constructed, it can rewrite the execution instructions of the code segment (in assembly), so that the code segment (remember, this code segment is in the server's memory) performs the operation the attacker wants. The intruder can then carry out their own operations in the heart of the server, that is, control the server's entire system (rather than merely a single application service)!

Attack mode:

1. Testing for the overflow point. Suppose we construct a packet and send it to a service system. Usually the error shown when the service overflows is clearly different from the error shown for ordinary incorrect input: the ordinary prompt is a message produced by the service program itself, while the overflow prompt is information produced by the operating system. From this difference in error information an experienced hacker can quickly judge whether the application has an overflow point. This is normally done by a program running in a loop, sending test packets of various lengths or formats and comparing the information the system returns; by gradually narrowing the range, an experienced hacker can pin down the exact overflow point (that is, the critical point at which the attack code can be placed; if the location is wrong, the system will not execute it. This places extremely high demands on knowledge of assembly in memory and of the development tools used to write the program).

2. Constructing the attack code. This depends on the attacker's purpose and intent, and there is no fixed conclusion, but a few points should be stressed. First, the format and conventions of the code must match exactly the assembly instructions of the attacked system. Second, the code must end cleanly, for instance by interrupting the process; if it does not end cleanly and runs on into the original system's code, execution may deviate from what the attacker intended.

3. Control and intrusion. If the attack code, once loaded, opens a special shell, the attacker can then easily enter and leave the system and control it more conveniently.
Protection method: For the system designer, it is necessary to consider the many places where an intrusion of this kind could occur and guard against them. Note that the so-called "exceeding the limit" is not always a matter of exceeding the length: a length marker field may let data escape the length check and still achieve the effect of an overflow attack. For system maintainers there is no shortcut; one must read the latest issues published by the relevant security websites every day, and once a problem is confirmed and relates to the service environment of one's own system, go to the relevant site and download the patch. Beyond that, some other methods can reduce the attackers' opportunities:

First, unless a service is genuinely required, open as few services as possible. Fewer services mean attackers have fewer channels to communicate and exchange data with the system, reducing the possibilities for attack.

Second, if a service is dedicated to a specific group, use IP filtering. If some services (such as Telnet and FTP) are only for a limited group of people whose IP addresses are known, IP filtering can make users from other IP addresses unable to connect, so those addresses cannot exchange data with the system at all.

Third, if the service is for a limited group, change the service port. For example, if your FTP service is only for some familiar friends and they cannot fix their Internet environment (so IP filtering cannot be applied), you can change the relevant service port and inform them, so that the service cannot be discovered on most of the network, and lazy hackers (without much time to do a full port scan) give up on your site.

Fourth, if you have a special interest, you can use port camouflage techniques to let hackers enter a ring you have set up and be confused by the illusion, thereby protecting your real service. In this way you can also trace and analyse the hackers' intrusion and attack behaviour.

Classic Case: If someone said "I control 50% of the world's web servers" you would think he was crazy, yet the release of the Apache chunk-segment overflow vulnerability really turned that sentence into fact! Apache has always been a product of the free software community, with no shareholders. Very few commercial companies can catch up with Microsoft without losing their market advantage, whether Apple (their windowing operating system was the predecessor of Windows), Netscape (easily defeated by IE), or Borland (Borland C was later overtaken by Visual C++); even the lone Oracle is baked into second place. Yet a non-commercial organisation's Apache Web Server has been able to stand up to Microsoft's IIS for many years, keeping more than 50% of the global usage share of application servers, and many people even run Apache on Windows hosts (usually with a heart already bruised by IIS vulnerabilities). That is no miracle: in the era when IIS had thousands of holes, Apache also had famous vulnerabilities such as phf.cgi and nph-test.cgi, but those stayed in the accompanying support software, and the server itself never had too serious a problem, earning praise from users worldwide. This time, however, the Micro$oft fans could finally have their moment: "Look, Apache also has this kind of bug." The origin of the bug is that Apache supports chunked data segmentation, but because of insufficient awareness of signedness, a carefully constructed chunked packet can cause the memory allocation to escape the checks and overflow, thereby executing the attacker's carefully constructed code. The affected range covers the vast majority of Apache installations, equivalent to more than 50% of the world's web servers! It is similar to the earlier situation in which all versions of Sendmail had an overflow (I am now afraid whenever I see Sendmail), and several globally popular FTP packages have repeatedly patched overflow vulnerabilities. Even some routing equipment, and even firewalls, often expose the same problem; it is truly hard to guard against.
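The length check that the protection section calls for, and the signedness problem behind the chunked-encoding case above, as an added example (not code from the original article and not Apache's own parser): the function below validates a packet's declared chunk length against every bound that matters before copying a single byte. The 4-byte host-order signed length header and the 64-byte destination buffer are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 64   /* capacity of the fixed destination buffer (constructed) */

/* Copy one length-prefixed chunk from a received packet into a fixed buffer.
 * The length field is read as a signed 32-bit value, the way a parser that
 * "lacks signed awareness" sees it, and is checked before any copy:
 *   1. it must be non-negative (cast to size_t, -1 becomes enormous),
 *   2. it must not exceed the destination buffer,
 *   3. it must not exceed the bytes actually present in the packet.
 * Returns the number of bytes copied, or -1 if the chunk is rejected. */
static int copy_chunk_checked(char *dst, const unsigned char *pkt, size_t pkt_len)
{
    int32_t declared;
    if (pkt_len < sizeof declared)                      /* header incomplete */
        return -1;
    memcpy(&declared, pkt, sizeof declared);            /* constructed host-order header */
    if (declared < 0)                                   /* check 1: signedness */
        return -1;
    if ((size_t)declared > CHUNK_MAX)                   /* check 2: destination size */
        return -1;
    if ((size_t)declared > pkt_len - sizeof declared)   /* check 3: bytes present */
        return -1;
    memcpy(dst, pkt + sizeof declared, (size_t)declared);
    return declared;
}

/* Build a constructed packet (4-byte length + payload) and run the check.
 * Returns the copied length, -1 if rejected, -2 if the copied bytes differ. */
static int run_case(int32_t declared, const char *payload, size_t payload_len)
{
    unsigned char pkt[sizeof declared + CHUNK_MAX];
    char dst[CHUNK_MAX];
    if (payload_len > CHUNK_MAX)
        return -1;
    memcpy(pkt, &declared, sizeof declared);
    memcpy(pkt + sizeof declared, payload, payload_len);
    int n = copy_chunk_checked(dst, pkt, sizeof declared + payload_len);
    if (n > 0 && memcmp(dst, payload, (size_t)n) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("%d %d %d %d\n", run_case(5, "hello", 5), run_case(-1, "hello", 5),
           run_case(100, "hello", 5), run_case(9, "hello", 5));   /* 5 -1 -1 -1 */
    return 0;
}
```

The last case is the "length marker escaping the check" situation: the declared length fits the buffer but claims more bytes than the packet carries, and is rejected by the third check rather than by a plain size comparison.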

Summary: The overflow attack method is characterised by sufficient technical skill and a sufficient understanding and analysis of the system. Through an overflow attack, control of the system can be obtained, which achieves the highest goal of an attack, and the process does not depend on password cracking, sniffing, eavesdropping and the like, nor on any non-technical means or scams. In fact, to successfully carry out an overflow attack, even against a known vulnerability and without a specially "foolproof" tool, one still needs a very high awareness of the system and strong low-level programming skill. It is quite reasonable that some veteran hackers take pleasure in this kind of work without a second thought.

The overflow attack method, like the special character construction method of the previous article, relies on specially constructed input; the difference is that its attack is not simply a programming problem of the application itself but goes deeper, into the system level, including the allocation of memory segments, the compilation conventions of different systems, and the packets of the protocol layer, none of which the other special character construction methods involve. Overflow attacks that can be carried out through this field are the ones most likely to frighten network administrators around the world.

Please credit the original source when reposting: https://www.9cbs.com/read-95516.html
