Open source software security

Madirish Tutorial 07

30 November -0001
OK, this may be a little advanced at this point, but if you've done any searching on the net you've probably heard of exploits, or sploits, or some variation. Exploits, very simply, take advantage of vulnerabilities in programs to let local or remote users gain illegal access or privileges, or crash a program. Denial of Service (DoS) exploits are exploits that disable the target machine.

Buffer overflow exploits, some of the most common, target vulnerable services or programs that do not check their input. In a nutshell, these exploits give a program too much input. This causes the buffer (the memory used to temporarily store input) to overflow. You can think of this as pouring too much beer in a glass. If, say, a program asks you for your name and you input 512 characters, you could exceed the temporary memory the program has available to hold the name variable. The excess code will sometimes be executed as the next line of the program. For instance, a program that stores 12 characters for a name variable could prompt you for your name; if you responded with "abcdefghijkl;cat etc/passwd | mail" you could fill up the name variable, and the extra code (which mails the password file to you) would then be run like any other line in the code.

This could allow you to run commands on the target system as the program. Where a program like sendmail, which runs as root, is exploited, you could run commands as root for a brief period of time, allowing you to add yourself to a user list, create a passwordless root account, etc.

Buffer overflow exploits are commonly distributed as C code, such as on Rootshell. To compile the C code you'll need a C compiler. If you are running Linux, one is usually included. To compile the code simply type:

cc exploit.c

This runs the C compiler (cc) on the code saved as exploit.c and produces an executable called a.out. You must then make the file a.out executable by typing:

chmod +x a.out

Once this is done you can execute the exploit by typing:

./a.out

The ./ is needed because the shell does not search the current directory for commands, which prevents users from maliciously creating executables with the names of commands and tricking root into running them. For instance, you could create a program in your home directory called 'ls' and then trick root into coming in to view your directory. They would cd to your directory and type 'ls', thus running your program rather than listing the directory contents. The ./ names the directory that holds the executable (the current directory). Some older versions of Unix or Linux may not require the ./, so you could trick root into running a program of yours (that could, say, give you a root account).
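
The check an administrator can run against this trick, as an added example that is not part of the original tutorial: it audits a search path for entries that would let a file in an untrusted directory stand in for a real command such as ls. The function name audit_path and the wording of its findings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report PATH entries that let a planted file shadow a command.

# audit_path PATHSTRING
# Prints one finding per risky entry; returns 0 if the path is clean, 1 if not.
audit_path() {
    ap_path=$1
    ap_status=0

    # A leading, trailing or doubled ':' is an empty entry, and the shell
    # treats an empty entry as the current directory.
    case ":$ap_path:" in
        *::*) echo "empty entry (means current directory)"; ap_status=1 ;;
    esac

    ap_old_ifs=$IFS
    IFS=:
    set -f                          # no filename expansion while splitting
    for ap_dir in $ap_path; do
        case $ap_dir in
            "") ;;                  # empty entry, already reported above
            /*)
                # Absolute entry: risky if any user can create files in it.
                if [ -d "$ap_dir" ] &&
                   [ -n "$(find -H "$ap_dir" -prune -perm -0002 2>/dev/null)" ]
                then
                    echo "world-writable directory: $ap_dir"
                    ap_status=1
                fi
                ;;
            *)
                # '.', 'bin', '../tools': resolved against wherever you cd to.
                echo "relative entry: $ap_dir"
                ap_status=1
                ;;
        esac
    done
    set +f
    IFS=$ap_old_ifs
    return $ap_status
}

# Audit the search path of the account running this script.
audit_path "$PATH" || echo "PATH needs attention"
```

Run it as root, or from root's login environment, since that is the account the trick above targets.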