312 Chapter 5 • Communication Security: Web Based Services
EXAM WARNING
You do not need to know the code signing-based problems and resolutions for the Security+ exam. You do need to know that code is problematic, that it can cause problems in the form of scripting and applets, and that it must be dealt with in a specific way to make your systems, network, and infrastructure safer and more secure.
Buffer Overflows
A buffer is a holding area for data. To speed processing, many software programs use a memory buffer to store changes to data; the information in the buffer is then copied to the disk. When more information is put into the buffer than it is able to handle, a buffer overflow occurs. Overflows can be caused deliberately by hackers and then exploited to run malicious code.
There are two types of overflows: stack and heap. The stack and the heap are two areas of the memory structure that are allocated when a program is run. Function calls are stored in the stack, and dynamically allocated variables are stored in the heap. A particular amount of memory is allocated to the buffer. Storage for variables defined within a function (local variables) is referred to as stack storage, because those variables are actually stored on the stack in memory. Heap data is memory that is dynamically allocated at runtime, such as by C’s malloc() function. This data is not stored on the stack, but somewhere amidst a giant “heap” of temporary, disposable memory used specifically for this purpose. Actually exploiting a heap buffer overflow is a lot more involved, because there are no convenient frame pointers (as there are on the stack) to overwrite.
Attackers can use buffer overflows in the heap to overwrite a password, a filename, or other data. If the filename is overwritten, a different file will be opened. If this is an executable file, code will be run that was not intended to be run. On UNIX systems, the substituted program code is usually the command interpreter, which allows the attacker to execute commands with the privileges of the process’s owner; if the setuid bit is set and the program is owned by root, this could give the attacker superuser privileges. On Windows systems, the overflow code could be sent using an HTTP request to download malicious code of the attacker’s choice. In either case, under the right circumstances, the result could be devastating.
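As an added example (not from the book), the following C program models the heap layout the text describes: a record holding a data buffer immediately followed by the filename the program will later open, so an unchecked copy into the buffer would run on into the filename. The bounded copy rejects over-long input instead, and the check confirms the filename survives; the record layout, field sizes and sample filename are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record layout: a data buffer immediately followed by the filename the
 * program will later open. An unchecked copy into `data` that runs past its end
 * would overwrite `filename`, which is the heap corruption the text describes. */
#define DATA_LEN 16
#define NAME_LEN 32
#define SAMPLE_NAME "/tmp/example.txt"   /* constructed sample value */

struct record {
    char data[DATA_LEN];
    char filename[NAME_LEN];
};

/* Bounded copy: 0 on success, -1 if src (plus its NUL) does not fit in dst.
 * Rejecting the input is what prevents the spill into the neighbouring field. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Allocate a record on the heap, set its filename, then try to store `input`.
 * Returns 1 if input accepted and filename intact, 0 if input rejected and
 * filename intact, -1 if the filename was clobbered or allocation failed. */
int fill_and_check(const char *input)
{
    struct record *r = malloc(sizeof *r);
    int rc, result;
    if (r == NULL)
        return -1;
    copy_bounded(r->filename, NAME_LEN, SAMPLE_NAME);
    rc = copy_bounded(r->data, DATA_LEN, input);
    if (strcmp(r->filename, SAMPLE_NAME) != 0)
        result = -1;                      /* the next field was clobbered */
    else
        result = (rc == 0) ? 1 : 0;
    free(r);
    return result;
}

int main(void)
{   /* Constructed inputs: 5 bytes fit in a 16-byte field, 40 bytes do not. */
    printf("short input -> %d\n", fill_and_check("hello"));
    printf("long input  -> %d\n", fill_and_check("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```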
www.syngress.com