HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

information on regular expressions, see “UNIX Regular Expressions” (page 138). The
integer is interpreted to be of type Type VI: Time Strings.
Currently, only the global alert aggregation tuples property is of this type. For more
information, see “Surveillance Schedule Text File” (page 248).
Buffer Overflow Template
The vulnerability addressed by this template
A buffer can be a local variable residing on the stack, a dynamically allocated buffer
residing on the heap, or a global variable residing in the process data segment. All
buffer overflow attacks (for example, stack smashing, return-into-libc, execute on heap)
attempt to overflow a buffer. Refer to the Stack Buffer Overflow Protection in HP-UX 11i
white paper available at http://www.docs.hp.com for a description of buffer overflow
attacks on HP-UX. Unusually long program arguments are carefully modified by an
attacker to overflow a buffer for which the program does not perform bounds checking.
By overflowing the buffer, an attacker can modify the program’s execution flow to
execute malicious code and thereby hijack a privileged program. A hacker can modify
a program’s execution flow in several ways, including the following:
• Overflowing a buffer on the stack to modify the return address in an activation record.
• Overflowing a buffer on the heap to modify a free memory header so that the heap memory allocation code then overwrites a function’s return address.
• Overflowing a buffer in the data segment to overwrite an adjacent variable containing a function pointer, so that a subsequent dereferencing of the variable results in the execution of malicious code.
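The attacks listed above all depend on a copy into a buffer whose size the program never checks. The following C fragment is an added illustration, not code from the HP-UX guide or from HP, showing that unchecked copy of a program argument into a fixed stack buffer next to a version that checks the length first and refuses over-long input; the 64-byte buffer size, the function names and the sample arguments are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64   /* fixed-size stack buffer (assumed size for the example) */

/* The pattern the text describes: no bounds check, so an argument longer than
 * ARG_BUF-1 bytes overruns the stack buffer and reaches the activation record.
 * Shown for contrast only; never call it with untrusted input. */
void copy_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);          /* writes strlen(arg)+1 bytes regardless of buffer size */
    printf("unchecked copy: %s\n", buf);
}

/* Hardened form: compare the length with the destination size before copying
 * and refuse (return -1) rather than truncating silently. Returns 0 on success. */
int copy_arg_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)            /* room is needed for the terminating NUL as well */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Accept an argument into a fixed stack buffer only if it fits.
 * Returns 1 if accepted, 0 if rejected as too long for this buffer. */
int accept_arg(const char *arg)
{
    char buf[ARG_BUF];
    return copy_arg_checked(buf, sizeof buf, arg) == 0;
}

/* Constructed sample argument of n 'A' bytes (n capped at 255) for testing. */
const char *sample_arg(size_t n)
{
    static char buf[256];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : sample_arg(100);
    printf("argument of %zu bytes: %s\n", strlen(arg),
           accept_arg(arg) ? "accepted" : "rejected (too long for buffer)");
    return 0;
}
```

The checked version treats an over-long argument as an error to report rather than data to truncate, which is the behaviour a privileged program should have so that the length anomaly the template looks for never reaches a stack buffer.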
How this template addresses the vulnerability
The Buffer Overflow (BO) template monitors attack patterns that are indicative of
various types of buffer overflow attacks, and reports execute-on-stack buffer overflow
attacks detected by the HP-UX kernel. The template monitors privileged setuid
programs, that is, programs whose effective user ID (euid) is not equal to the real
user ID (ruid) and whose euid is one of the user IDs specified in the template’s
property list of privileged users; for example, root.
Specifically, the template monitors privileged setuid programs for the following:
• The privileged setuid program was invoked with an unusually long program argument.
• The privileged setuid program was invoked with program arguments that contain nonprintable characters (for example, possible CPU opcodes).
The template also reports when the kernel detects that a program has attempted to
execute on its stack, perhaps as part of a stack buffer overflow attack.
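The privileged-setuid test and the two argument checks above can be written as a small inspection routine over an invocation record. The C code below is an added example, not HIDS code and not its internal record format: the invocation record layout, the 512-byte length threshold, the privileged-user list containing only root, and the sample invocations are all constructed for the example, and "nonprintable" is judged with isprint() in the C locale so that bytes at or above 0x80 count as nonprintable. The kernel's execute-on-stack report is not modelled here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Flags returned by evaluate_invocation(). */
#define BO_LONG_ARG      0x1   /* an argument exceeds the configured length limit */
#define BO_NONPRINTABLE  0x2   /* an argument contains nonprintable bytes */

/* Constructed invocation record: what a monitor would see for one exec of a
 * program (hypothetical layout, not the HIDS internal format). */
struct invocation {
    const char *path;
    uid_t ruid;
    uid_t euid;
    int argc;
    const char **argv;
};

/* A program is "privileged setuid" in the template's sense when euid != ruid
 * and euid is in the configured list of privileged users (for example root). */
int is_privileged_setuid(uid_t euid, uid_t ruid, const uid_t *priv, size_t npriv)
{
    if (euid == ruid)
        return 0;
    for (size_t i = 0; i < npriv; i++)
        if (priv[i] == euid)
            return 1;
    return 0;
}

/* True if the argument holds any byte outside the printable ASCII range
 * (assumption: isprint() in the C locale decides what is printable). */
int arg_has_nonprintable(const char *arg)
{
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++)
        if (!isprint(*p))
            return 1;
    return 0;
}

/* Length of the longest argument, including argv[0]. */
size_t longest_arg(int argc, const char **argv)
{
    size_t max = 0;
    for (int i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (n > max)
            max = n;
    }
    return max;
}

/* Apply both argument checks, but only to privileged setuid invocations;
 * returns a bitmask of BO_* flags (0 when nothing is reported). */
unsigned evaluate_invocation(const struct invocation *inv, size_t max_len,
                             const uid_t *priv, size_t npriv)
{
    unsigned flags = 0;
    if (!is_privileged_setuid(inv->euid, inv->ruid, priv, npriv))
        return 0;
    if (longest_arg(inv->argc, inv->argv) > max_len)
        flags |= BO_LONG_ARG;
    for (int i = 0; i < inv->argc; i++)
        if (arg_has_nonprintable(inv->argv[i]))
            flags |= BO_NONPRINTABLE;
    return flags;
}

/* Constructed sample invocations (not real HIDS data), one per outcome. */
unsigned sample_result(int which)
{
    static char long_arg[1024];
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';
    const uid_t priv[] = { 0 };                     /* only root is privileged here */
    const char *ok[]  = { "/usr/bin/passwd", "-r", "files" };
    const char *big[] = { "/usr/bin/passwd", long_arg };
    const char *raw[] = { "/usr/bin/passwd", "\x01\x02user" };
    struct invocation recs[] = {
        { "/usr/bin/passwd", 1001, 0,    3, ok  },  /* ordinary use: nothing reported */
        { "/usr/bin/passwd", 1001, 0,    2, big },  /* unusually long argument */
        { "/usr/bin/passwd", 1001, 0,    2, raw },  /* nonprintable bytes in an argument */
        { "/usr/bin/passwd", 1001, 1001, 2, big },  /* euid == ruid: not monitored */
    };
    if (which < 0 || which >= 4)
        return 0;
    return evaluate_invocation(&recs[which], 512, priv, 1);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("sample %d -> flags 0x%x\n", i, sample_result(i));
    return 0;
}
```

The fourth sample shows the scoping rule that matters operationally: a long argument to a program running with euid equal to ruid is not a privileged-setuid event, so this template does not report it, which keeps the alert volume tied to the programs where a hijacked execution flow actually gains privilege.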
146 Templates and Alerts