Java Reference
In-Depth Information
versions of the finger program, the programmer had been lazy and had not
checked whether the array holding the input characters was large enough to hold
the input. So the worm program purposefully filled the 512-character array with
536 bytes. The excess 24 bytes would overwrite a return address, which the
attacker knew was stored just after the line buffer. When that function was
finished, it didn't return to its caller but to code supplied by the worm (see A
"Buffer Overrun" Attack). That code ran under the same super-user privileges as
finger, allowing the worm to gain entry into the remote system.
Had the programmer who wrote finger been more conscientious, this particular
attack would not be possible. In C++ and C, all programmers must be especially
careful not to overrun array boundaries.
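As an added illustration (not code from the book or from finger), here is a bounds-checked line reader in C for the 512-character buffer described above, run against a constructed 536-byte line. The names read_request and try_length, the status codes, and the sample request "alice" are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 512  /* size of the line buffer described in the text */

enum read_status { READ_OK, READ_TOO_LONG, READ_EOF };

/* Read one request line into buf without ever writing past buf[cap-1].
   An overlong line is consumed to its end and rejected, so its tail
   cannot be mistaken for the next request. */
int read_request(FILE *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c, too_long = 0;
    if (cap == 0) return READ_TOO_LONG;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 < cap) buf[n++] = (char)c;  /* leave room for '\0' */
        else too_long = 1;                    /* drain, store nothing */
    }
    if (too_long) n = 0;                      /* hand back no partial data */
    buf[n] = '\0';
    if (too_long) return READ_TOO_LONG;
    return (c == EOF && n == 0) ? READ_EOF : READ_OK;
}

/* Constructed input: `len` filler bytes on one line, then the request
   "alice". Returns the status of the first read, or -1 if the second
   read does not come back as exactly "alice". */
int try_length(size_t len)
{
    char line[LINE_CAP];
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    for (size_t i = 0; i < len; i++) putc('A', f);
    fputs("\nalice\n", f);
    rewind(f);
    int first = read_request(f, line, sizeof line);
    int second = read_request(f, line, sizeof line);
    fclose(f);
    return (second == READ_OK && strcmp(line, "alice") == 0) ? first : -1;
}

int main(void)
{
    printf("511 bytes -> %d\n", try_length(511));  /* fits with terminator */
    printf("536 bytes -> %d\n", try_length(536));  /* length used by the worm */
    return 0;
}
```

The reader rejects the whole overlong line instead of truncating it, so a service built on it never acts on a partial request.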
One may well wonder what would possess a skilled programmer to spend many
weeks or months to plan the antisocial act of breaking into thousands of computers
and disabling them. It appears that the break-in was fully intended by the author,
but the disabling of the computers was a side effect of continuous reinfection and
efforts by the worm to avoid being killed. It is not clear whether the author was
aware that these moves would cripple the attacked machines.
[Figure: A "Buffer Overrun" Attack]
In recent years, the novelty of vandalizing other people's computers has worn off
somewhat, and there are fewer jerks with programming skills who write new
viruses. Other attacks by individuals with more criminal energy, whose intent has
been to steal information or money, have surfaced. See [3] for a very readable
account of the discovery and apprehension of one such person.