Host Intrusion Detection System Administrator's Guide Release 3.0

Appendix A: Templates and Alerts

Buffer Overflow Template
The vulnerability addressed by this template
All buffer overflow attacks (e.g., stack smashing, return-into-libc, execute-on-heap) attempt to overflow a buffer. The buffer can be a local variable residing on the stack, a dynamically allocated buffer residing on the heap, or a global variable residing in the process data segment. See the white paper "Stack Buffer Overflow Protection in HP-UX 11i," available at http://www.docs.hp.com, for a description of buffer overflow attacks on HP-UX. An attacker carefully crafts unusually long program arguments to overflow a buffer for which the program does not perform bounds checking. By overflowing the buffer, the attacker can modify the program's execution flow to execute malicious code and thereby hijack a privileged program. Modifying a program's execution flow can be accomplished in several ways, including the following:

- Overflowing a buffer on the stack to modify the return address in an activation record.
- Overflowing a buffer on the heap to modify a free memory header so that the heap memory allocation code subsequently overwrites a function's return address with an attacker-chosen value.
- Overflowing a buffer in the data segment to overwrite an adjacent variable containing a function pointer, so that a subsequent dereference of the variable executes malicious code.
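The third mechanism above (a buffer adjacent to a function pointer) is the one that can be shown deterministically in a small program. The following is an added example written for this guide, not code from HP-UX HIDS or from the white paper; the `struct dispatch` layout, the `copy_arg_*` helpers and the 64-byte attack argument are all constructed for illustration. It places the unchecked copy beside a bounds-checked one and reports whether the function pointer survived.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A global (data-segment) object of the shape the third bullet describes:
   a fixed-size buffer immediately followed by a function pointer.
   Hypothetical layout for illustration, not taken from HP-UX HIDS. */
struct dispatch {
    char name[16];
    void (*handler)(void);
};

static void safe_handler(void) { puts("safe handler ran"); }

/* Vulnerable pattern: the argument is copied with no bounds check, so the
   bytes past name[16] land on 'handler'. A real strcpy would keep writing
   past the end of the object; this demo clamps the copy to sizeof(*d) so
   the overflow stays inside the struct (defined behaviour for the demo),
   but the effect on 'handler' is the same. */
static void copy_arg_unchecked(struct dispatch *d, const char *arg)
{
    size_t n = strlen(arg) + 1;
    if (n > sizeof *d) n = sizeof *d;
    memcpy((unsigned char *)d, arg, n);   /* fills name[] and then handler */
}

/* Hardened: refuse anything that does not fit, NUL terminator included,
   and never write outside name[]. */
static int copy_arg_checked(struct dispatch *d, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof d->name) return -1;   /* reject; handler untouched */
    memcpy(d->name, arg, n + 1);
    return 0;
}

/* Returns 1 if the unchecked copy replaced the function pointer, else 0. */
int unchecked_copy_clobbers_handler(const char *arg)
{
    struct dispatch d = { "", safe_handler };
    copy_arg_unchecked(&d, arg);
    return d.handler != safe_handler;
}

/* Returns 0 (accepted) or -1 (rejected); the pointer stays intact either way.
   -2 would mean the bounds check itself failed. */
int checked_copy_result(const char *arg)
{
    struct dispatch d = { "", safe_handler };
    int rc = copy_arg_checked(&d, arg);
    if (d.handler != safe_handler) return -2;
    return rc;
}

int main(void)
{
    /* Constructed input standing in for an unusually long argv[1]. */
    char attack[64];
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    printf("unchecked, short arg: clobbered=%d\n", unchecked_copy_clobbers_handler("ls"));
    printf("unchecked, long arg:  clobbered=%d\n", unchecked_copy_clobbers_handler(attack));
    printf("checked,   short arg: rc=%d\n", checked_copy_result("ls"));
    printf("checked,   long arg:  rc=%d\n", checked_copy_result(attack));
    /* Calling d.handler after the unchecked long copy would jump to
       0x4141414141414141; with attacker-chosen bytes instead of 'A',
       that is control of the program's execution flow. */
    return 0;
}
```

The check in `copy_arg_checked` compares against `sizeof d->name` rather than a hard-coded 16, so the limit follows the buffer if the struct is changed; this is the bounds check the text says the vulnerable program lacks.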
How this template addresses the vulnerability
The Buffer Overflow (BO) template monitors attack patterns that are indicative of various types of buffer overflow attacks, and it reports execute-on-stack buffer overflow attacks detected by the HP-UX kernel (starting with HP-UX 11i). The template monitors privileged setuid programs, that is, processes whose effective user ID (euid) differs from their real user ID (ruid) and whose euid is one of the user IDs listed in the template's property list of privileged users (e.g., root).
Specifically, the template monitors privileged setuid programs for the following:

- The privileged setuid program was invoked with one or more unusually long program arguments.
- The privileged setuid program was invoked with one or more program arguments that contain non-printable characters (which could be CPU opcodes, i.e., injected machine code).

The template also reports when the kernel has detected that a program attempted to execute code on its stack (perhaps as part of a stack buffer overflow attack).
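The two argument checks and the privilege scoping above can be expressed as a small classifier over exec events. The following is an added example written for this guide; it is not HP-UX HIDS code, and the `exec_event` record, the `BO_MAX_ARG_LEN` threshold of 256 bytes, the privileged-user list containing only uid 0, and the five sample events are all constructed assumptions (the real template takes its length threshold and privileged users from its property list). It runs the logic over the constructed events and returns which condition fired.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Alert reasons; one exec can trigger both, so they are bit flags. */
enum bo_alert { BO_NONE = 0, BO_LONG_ARG = 1, BO_NONPRINT_ARG = 2 };

/* One exec event as a sensor might see it (constructed layout, not the
   HP-UX HIDS record format). */
struct exec_event {
    const char *path;
    int argc;
    const char *const *argv;
    unsigned ruid, euid;
};

/* Hypothetical threshold; the real template carries its own property. */
#define BO_MAX_ARG_LEN 256

static int is_privileged(unsigned uid, const unsigned *priv, size_t npriv)
{
    for (size_t i = 0; i < npriv; i++)
        if (priv[i] == uid) return 1;
    return 0;
}

/* A byte that is neither printable nor ordinary whitespace is treated as
   suspect: shellcode consists mostly of such bytes. Design choice (an
   assumption of this example): tabs and newlines are tolerated. */
static int has_nonprintable(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isprint(c) && !isspace(c)) return 1;
    }
    return 0;
}

/* Apply the template's conditions. Returns a bitmask of enum bo_alert. */
int bo_check(const struct exec_event *ev, const unsigned *priv, size_t npriv,
             size_t max_len)
{
    /* Scope: setuid-style privilege (euid != ruid) with a privileged euid. */
    if (ev->euid == ev->ruid || !is_privileged(ev->euid, priv, npriv))
        return BO_NONE;
    int flags = BO_NONE;
    for (int i = 0; i < ev->argc; i++) {          /* argv[0] is attacker-controlled too */
        if (strlen(ev->argv[i]) > max_len) flags |= BO_LONG_ARG;
        if (has_nonprintable(ev->argv[i]))  flags |= BO_NONPRINT_ARG;
    }
    return flags;
}

static char long_arg[600];   /* constructed 599-byte argument */

/* Constructed sample events (not real HP-UX audit data). Returns the alert
   mask for event 'which', or -1 if there is no such event. */
int sample_event(int which)
{
    static const unsigned priv[] = { 0 };          /* root only */
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';

    const char *passwd_ok[]   = { "passwd" };
    const char *passwd_long[] = { "passwd", long_arg };
    const char *su_shell[]    = { "su", "\x90\x90\x90\xeb\x1f" }; /* NOP sled bytes */
    const char *root_long[]   = { "cat", long_arg };

    struct exec_event ev[] = {
        { "/usr/bin/passwd", 1, passwd_ok,   1001, 0 },
        { "/usr/bin/passwd", 2, passwd_long, 1001, 0 },
        { "/usr/bin/su",     2, su_shell,    1001, 0 },
        { "/usr/bin/cat",    2, root_long,   0,    0 },    /* root's own shell, not setuid: out of scope */
        { "/usr/bin/cat",    2, root_long,   0,    1001 }, /* euid not in the privileged list: out of scope */
    };
    if (which < 0 || which >= (int)(sizeof ev / sizeof ev[0])) return -1;
    return bo_check(&ev[which], priv, sizeof priv / sizeof priv[0], BO_MAX_ARG_LEN);
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("event %d (%s) -> alert mask %d\n", i,
               i == 1 ? "long arg" : i == 2 ? "opcode bytes" : "benign", sample_event(i));
    return 0;
}
```

Two practical points follow from the code. First, the euid/ruid scoping means a root shell running its own long command lines is never reported, which keeps the template focused on privilege boundaries; second, `isprint()` in the C locale rejects every byte above 0x7F, so legitimate non-ASCII arguments to a setuid program will also raise the non-printable alert and should be expected as a false-positive class when tuning.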
NOTE In HP-UX 11i v1 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown stack buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the -es option of the chatr command. This protection is specific to code executing from the stack; return-into-libc, heap and data-segment attacks do not execute from the stack, which is why the template's argument checks described above remain relevant alongside it. See the executable_stack(5) and chatr(1) manpages and the "Stack Buffer Overflow Protection in HP-UX 11i" white paper, available at http://docs.hp.com.