on other computers; then it would try a long list of common passwords. If these attempts failed, it would then try some other vulnerability, such as a flaw in the Unix Sendmail program, well known to computer experts at the NSA. The second reason for its importance was that, if all these attempts failed, the worm fell back on a new type of bug that Morris had exploited, called a buffer overflow. The Unix operating system is written in the C programming language, and the first book about C was written by Bell Labs researchers Brian Kernighan and Dennis Ritchie. The book shows how to write a program that reads a series of input characters into computer memory using an area of memory called a buffer. In their example code, the size of the buffer was specified, but the code did not check whether the number of characters being entered actually exceeded this size. The younger Morris realized that the extra characters would overwrite the rest of the program's data and instructions. By placing judicious machine instructions in these overflow characters, a hacker could use this flaw to gain the root privileges of a super-user. Morris also encrypted the virus software to make it more difficult to find out what the program did, and he used several techniques to avoid detection. The worm infected thousands of computers, and system managers took several days to disinfect their computers. Morris was convicted of a felony in May 1990 and sentenced to three years of probation, four hundred hours of community service, and a $10,000 fine (Fig. 12.5).
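The defect described above, as an added example that is not from the book or from Kernighan and Ritchie: a fixed-size input buffer filled without a bounds check, beside a bounded version that rejects oversize input instead of writing past the array. The input strings and the BUFSIZE of 16 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16   /* constructed buffer size for the example */

/* Vulnerable shape: copies characters until newline or end of input with
 * no comparison against BUFSIZE. Input of 16 or more characters writes past
 * `buf` into whatever the compiler placed next in memory (undefined
 * behaviour), which is the overwrite the text describes. */
int read_line_unchecked(char buf[BUFSIZE], const char *src)
{
    int i = 0;
    while (src[i] != '\0' && src[i] != '\n') {
        buf[i] = src[i];   /* no bounds check: the bug */
        i++;
    }
    buf[i] = '\0';
    return i;
}

/* Hardened: measures the input first, never writes more than BUFSIZE-1
 * characters plus the terminator, and reports oversize input with -1 so
 * the caller fails closed rather than silently truncating. */
int read_line_bounded(char buf[BUFSIZE], const char *src)
{
    size_t len = strcspn(src, "\n");   /* characters before newline/end */
    if (len >= (size_t)BUFSIZE) {
        buf[0] = '\0';
        return -1;                     /* rejected: would not fit */
    }
    memcpy(buf, src, len);
    buf[len] = '\0';
    return (int)len;
}

/* Constructed checks: an input that fits and one that does not. */
int check_fits(void)
{
    char b[BUFSIZE];
    return read_line_bounded(b, "hello\n") == 5 && strcmp(b, "hello") == 0;
}

int check_rejected(void)
{
    char b[BUFSIZE];
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; /* 32 chars */
    return read_line_bounded(b, too_long) == -1 && b[0] == '\0';
}
```

Only the bounded reader is exercised with oversize input; calling the unchecked one with more than 15 characters is exactly the out-of-bounds write the worm relied on.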
The story had a happy ending for Morris. After his conviction, Xerox PARC invited him to become an intern student there, and he is now a professor at MIT. However, an unfortunate outcome of Morris's worm was that it demonstrated a new way of attacking computers. Such unchecked memory buffers occurred in almost all Unix programs and also in Windows. After a hacker called "Aleph One" put up a detailed "instruction manual" (Fig. 12.6) on the Web in 1996, buffer overflow became a relatively straightforward technique for black hats to adapt. In 1992, there were estimated to be around 1,300 viruses or worms; in 1996, more than 10,000; and by 2002, more than 70,000. By 2003, the Slammer worm had set a record for spreading faster than any previous malware, infecting seventy-five thousand computers in just ten minutes.
Fig. 12.5. The infamous Morris worm was only a short C program, yet it shut down large portions of the ARPANET in November 1988.

Fig. 12.6. Aleph One's paper on the buffer overflow vulnerability. The figure reproduces the paper's header and opening definition:

.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
File 14 of 16
BugTraq, r00t, and Underground.Org bring you
Smashing The Stack For Fun And Profit
by Aleph One
aleph1@underground.org

`smash the stack` [C programming] n. On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address. This can produce some of the most insidious data-dependent bugs known to mankind. Variants include trash the stack, scribble the stack, mangle the stack; the term mung the stack is not used, as this is never done intentionally. See spam; see also alias bug, fandango on core, memory leak, precedence lossage, overrun screw.