RE: [LINK] Code Red worm

From: Anthony Healy (thealy@magna.com.au)
Date: Tue Aug 07 2001 - 15:08:54 EST


> From what I have read about the weakness in IIS that is exploited by the
> Code Red worm, the problem seems to be an unchecked buffer. By overloading
> the buffer, the worm introduces malicious code into the server that ends
> up being executed.
>
> Can anyone comment on the extent of prior knowledge or level of expertise
> that someone would need to identify this weakness and be able to exploit
> it?
>
> Another way of putting this question is : would someone need access to the
> source code, or is it sufficient to only have the executable and a
> debugger?

You wouldn't need the source code to find a weakness like this. You wouldn't
even need a debugger. You would normally need to be a C/C++ programmer, with
Windows engineering expertise. You would not necessarily need to be a very
good one.

> Do people really spend their time poring over MBytes of executable code
> reverse engineering an application and looking for ways to subvert it? I
> can see how professional security people (especially the likes of
> the NSAs, GCHQs, DIOs etc) might, but amateur hackers?

Describing it as poring over megabytes of executable code is not quite
correct. It would be more like testing. You would test various expected
weakness points.

More detail than you really wanted to know
------------------------------------------

Buffer overflow vulnerabilities arise because 'C' and C++ depend on strings
(text) to be terminated by the null character. If a string is submitted that
is not properly terminated, then it will write into memory space not
intended for it. A well designed application will check the length of
submitted strings precisely to ensure this can't happen, and truncate any
excessively long strings. But this is a check that is sometimes not applied.

If such an overly long string is successfully submitted, then the excess
part of the string, which the application is not expecting, can be made to
do things it has no business doing. In that case, the data in the excess
part of the string functions not as a string, but as something else. And
here I'm not sure what goes on.

Regards, Tony Healy

--------

To the Bear, there was nothing so beautiful as a formation landing of
helicopters - not only for the physical beauty of the formation's geometric
order, but for the determination and purpose they showed, driving downward
into whatever might lay ahead. There was no need for them to be so close,
and yet, because they were, they were a beautiful sight, those ten ships
driving down as one. The diamonds glistened, as the sun caught the rotor
blades, like the patterns on a snake's back. Adapted from William Holland:
Let a Soldier Die
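The unchecked-buffer pattern the thread discusses, shown as an added C example beside a bounded copy. This is not code from the message above nor from IIS; the field size, the function names and the sample input are constructed for illustration.

```c
/* Added example (not from the original message): a fixed-size string
 * field filled without a length check, beside a version that checks the
 * submitted length, truncates, and always writes the terminating null.
 * FIELD_SIZE, the function names and the sample input are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_SIZE 16  /* hypothetical fixed-size field in an application */

/* The 'before' pattern: strcpy trusts that src fits in dst and that src
 * is null-terminated. A submitted string longer than FIELD_SIZE - 1 bytes
 * overruns the buffer. Deliberately unchecked; only ever called below with
 * a short constant. */
void unchecked_copy(char dst[FIELD_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* The hardened pattern: the caller passes the buffer size and the submitted
 * length, so nothing is assumed about termination. Excess bytes are dropped,
 * a null is always written, and *truncated reports whether input was cut.
 * Returns the number of bytes stored, excluding the null. */
size_t bounded_copy(char *dst, size_t dst_size,
                    const char *src, size_t src_len, int *truncated)
{
    size_t n = src_len;

    if (dst_size == 0) {            /* nowhere to write even the null */
        if (truncated) *truncated = 1;
        return 0;
    }
    if (n > dst_size - 1) {         /* leave room for the terminator */
        n = dst_size - 1;
        if (truncated) *truncated = 1;
    } else if (truncated) {
        *truncated = 0;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* The check itself, usable before any copy: does a submitted string of
 * src_len bytes fit in a buffer of dst_size bytes with its null? */
int field_fits(size_t dst_size, size_t src_len)
{
    return dst_size > 0 && src_len <= dst_size - 1;
}

int main(void)
{
    /* Constructed 40-byte input, far longer than the 15 bytes the field
     * can hold. Only the bounded copy is fed this string. */
    const char *submitted = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char field[FIELD_SIZE];
    int cut = 0;
    size_t stored;

    unchecked_copy(field, "ok");    /* short constant: fits, so no overrun */
    printf("unchecked_copy stored \"%s\"\n", field);

    printf("field_fits(%d, %zu) = %d\n", FIELD_SIZE, strlen(submitted),
           field_fits(FIELD_SIZE, strlen(submitted)));

    stored = bounded_copy(field, sizeof field, submitted, strlen(submitted), &cut);
    printf("bounded_copy stored %zu bytes, truncated=%d: \"%s\"\n",
           stored, cut, field);
    return 0;
}
```

The point of passing `src_len` explicitly is that the safe version never has to scan the input for a null; the length check happens against the destination size, and the terminator is written by the copy itself rather than trusted from the input.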



This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:03 EST