07-21-2009, 02:54 AM
I want to understand stack overflows, and maybe get to grips with what a stack overflow in regex and perhaps other areas of perl and linux (and anything else) would be, where this can go on, how someone might make it happen on purpose (for I gather it is a mainstream method for hacking various software/systems).
My research is hampered by some "cool" mainstream technology media-site with the name "Stack Overflow" - I'm just jealous that I didn't get there first.
Stack overflows and salsa dip anyone? Or perhaps you'll just have doritos?
07-21-2009, 04:11 AM
read all you want:
07-21-2009, 01:55 PM
cheers, I shall get stuck in. I'm building security systems for myself, in case you are wondering... not planning to hack anyone.
My recent spate of programming self-training came about after Korean hackers came to my attention breaching my SSH (which I have naturally patched up now). There were hackers from about a dozen or so countries trying to do it - even now, after I have fixed it, there are more of the muthas coming in and trying it on, but they aren't getting anywhere and I'm successfully capturing lots of their IP addresses all the while.
My biggest concern is that I don't know what a stack overflow is although I gather from some bright people that it is a thing which hackers can use to send unwanted commands to my machine.
If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. a webserver) then the bug is a potential security vulnerability. If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and more reliable methods for black hats to gain unauthorized access to a computer.
07-21-2009, 07:50 PM
Well, I know what a stack overflow is only by reading about it. How a hacker can use a specific "tool" to hack a website or computer is not something I have any experience or knowledge of.
07-21-2009, 08:18 PM
When I figure out what it is and how it actually works, I'll let you know.
I still don't know how the successful breaches of my server happened but I do know they were running lots of perl (obviously trying to send mail, although my server thought they were intruders and didn't let them send it, as far as I can see) (even though they got very far in and had root control over the /bin/sh command) and one theory put forwards by one of the sharper people assisting me was that it could be a stack overflow attack.
I've just downloaded this:
and that clearly helps clarify what this problem is.
This bit suggests that if you can understand that pdf you can understand what the situation is (although apparently salient information is withheld, but I'll keep looking)...
Some experimentation leads to the choice of a 32-byte long NOP
landing pad, a start address pointing to a location 48 bytes above the
estimated stack pointer address, and 20 repetitions of this start address
at the end (to overwrite the return value), which successfully starts the
/bin/sh command as root.
It remains possible (though I don't know the probability) that the successful root control the hacker had over perl on my server was yielded to that hacker by means of this method of using stack overflow to send stuff to /bin/sh command as root. Actually the real cause of the attack for me was that my openssh was vulnerable. How it was vulnerable I do not know - I was too busy getting a "nonvulnerable" one! But maybe its vulnerability was related to stack overflows... I didn't read much about it, maybe I should have done. But you know how it is - I was too busy writing code to block half a dozen countries from my server since they don't actually supply me with any profit but apparently do send me lots of spammers and "hackers" (although "crackers" is the more correct technical term for the people illegally breaching my machine).
I can see brute-force attacks in progress on my server often, but I don't believe the people who got in successfully brute-forced their way in. It's too unlikely compared to the stack overflow theory.
When I can write a lay explanation of how it works I'll come back and share it. The more people understand it, the more easily we can put up proper security against it (other than just very careful programming, which may presumably be incapable of preventing it anyway). But first I will spend as long as it takes (could be a long time!) to figure out what in hell it actually means. Looks very juicy to me, though.