HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Type XI: String
The Type XI property value is a literal string. Unlike the Type I property, the Type XI property is not
interpreted as a regular expression and only specifies one literal string.
The logfile property of the Log File Monitoring template is a Type XI property
that specifies the pathname of a log file. For example, the following specifies that the syslog.log
file should be monitored:
logfile | /var/adm/syslog/syslog.log
NOTE: The value of the property consists of all the characters between (and including) the first
non-whitespace character after the preceding pipe (|) character and the end of the line.
For examples of regular expressions, see “UNIX Regular Expressions ” (page 106).
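The parsing rule in the NOTE above, and the difference between a Type XI literal and a Type I regular expression, as an added example. This is illustrative code written for this page, not part of HP-UX HIDS; the sample property lines are constructed, and Type I matching is shown only for contrast with how the page describes it.

```python
import re

# Constructed sample property lines in the "name | value" layout the guide
# shows. They are illustrations, not lines from a real HIDS template file.
SAMPLE_PROPERTY_LINES = [
    "logfile |   /var/adm/syslog/syslog.log",      # extra blanks after the pipe are skipped
    "logfile | /var/adm/app/syslog.log ",          # a trailing blank is part of the value
    "logfile | /var/adm/odd|name.log",             # a later pipe is part of the value
    "logfile | /var/adm/syslog/syslog.log.*",      # '.' and '*' are literal in a Type XI value
]


def parse_property_line(line):
    """Split one 'name | value' line by the rule in the NOTE: the value is
    every character from the first non-whitespace character after the first
    pipe up to the end of the line, inclusive. Returns (name, value), or None
    for a line that carries no pipe."""
    line = line.rstrip("\r\n")
    if "|" not in line:
        return None
    name, _, rest = line.partition("|")
    return name.strip(), rest.lstrip()


def parse_all(lines):
    """Parse a list of lines, skipping those that carry no property."""
    return [p for p in (parse_property_line(ln) for ln in lines) if p is not None]


def type_xi_matches(value, path):
    """Type XI: the value is a single literal string and must equal the path exactly."""
    return value == path


def type_i_matches(value, text):
    """Type I, shown only for contrast: the value is interpreted as a regular expression."""
    return re.search(value, text) is not None


if __name__ == "__main__":
    for name, value in parse_all(SAMPLE_PROPERTY_LINES):
        print(f"{name!r} -> {value!r}")
    literal = parse_property_line(SAMPLE_PROPERTY_LINES[3])[1]
    # The same text behaves differently depending on the property type.
    print("Type XI matches syslog.log.1:", type_xi_matches(literal, "/var/adm/syslog/syslog.log.1"))
    print("Type I  matches syslog.log.1:", type_i_matches(literal, "/var/adm/syslog/syslog.log.1"))
```

The practical consequence for the logfile property: a Type XI value naming `syslog.log.*` monitors a file literally called `syslog.log.*`, not the rotated copies, and a stray trailing blank becomes part of the pathname.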
Buffer Overflow Template
The vulnerability addressed by this template
A buffer can be a local variable residing on the stack, a dynamically allocated buffer residing on
the heap, or a global variable residing in the process data segment. All buffer overflow attacks
(for example, stack smashing, return-into-libc, execute-on-heap) begin by overflowing a buffer. Refer
to the Stack Buffer Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com,
for a description of buffer overflow attacks on HP-UX. An attacker crafts unusually long program
arguments to overflow a buffer for which the program does not perform bounds checking. By
overflowing the buffer, the attacker can redirect the program's execution flow to malicious code
and thereby hijack a privileged program. An attacker can modify a program's execution flow in
several ways, including the following:
• Overflowing a buffer on the stack to modify the return address in an activation record.
• Overflowing a buffer on the heap to modify a free memory header so that the heap memory
allocation code then overwrites a function’s return address.
• Overflowing a buffer in the data segment, to overwrite an adjacent variable containing a
function pointer so that a subsequent dereferencing of the variable results in the execution of
malicious code.
How this template addresses the vulnerability
The Buffer Overflow (BO) template monitors attack patterns that are indicative of various types of
buffer overflow attacks, and reports execute-on-stack buffer overflow attacks detected by the HP-UX
kernel. The template monitors privileged setuid programs, that is, programs whose effective user ID
(euid) differs from the real user ID (ruid) and whose euid is one of the user IDs listed in the
template's privileged-users property (for example, root).
Specifically, the template monitors privileged setuid programs for the following:
• The privileged setuid program was invoked with an unusually long program argument.
• The privileged setuid program was invoked with program arguments that contain nonprintable
characters (for example, possible CPU opcodes).
The template also reports when the kernel detects that a program has attempted to execute on its
stack, perhaps as part of a stack buffer overflow attack.
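The three detection conditions above (privileged setuid gating, unusually long arguments, non-printable bytes in arguments) plus the kernel execute-on-stack report, as an added example run over constructed events. This is illustrative code written for this page, not HP-UX HIDS code: the event record layout, the printable-byte range, and the numeric length threshold are assumptions, since the page names the conditions but not their exact parameters.

```python
# Constructed exec and kernel events in a made-up record layout; the real
# HIDS event format is not shown on this page. argv entries are bytes so that
# non-printable bytes survive intact.
SAMPLE_EVENTS = [
    {"exe": "/usr/bin/passwd", "ruid": 1001, "euid": 0, "argv": [b"passwd"]},
    {"exe": "/usr/bin/passwd", "ruid": 1001, "euid": 0, "argv": [b"passwd", b"A" * 600]},
    {"exe": "/usr/bin/login", "ruid": 1001, "euid": 0, "argv": [b"login", b"-h", bytes(range(0x80, 0x90))]},
    {"exe": "/usr/bin/grep", "ruid": 1001, "euid": 1001, "argv": [b"grep", b"A" * 600]},   # not setuid
    {"exe": "/usr/bin/lp", "ruid": 1001, "euid": 2, "argv": [b"lp", b"A" * 600]},          # euid not privileged
    {"type": "execute_on_stack", "exe": "/usr/bin/passwd", "pid": 4242},
]

# Assumed values. The privileged-users list exists on the page (root is its
# example); the length threshold is a placeholder, not a documented default.
PRIVILEGED_UIDS = {0}
MAX_ARG_LEN = 256


def is_monitored(event, privileged_uids=PRIVILEGED_UIDS):
    """The template only inspects privileged setuid programs: euid != ruid and
    euid in the privileged-users list."""
    return event["euid"] != event["ruid"] and event["euid"] in privileged_uids


def has_nonprintable(arg):
    """Assumed printable range: ASCII 0x20..0x7e. Control bytes and high bytes
    (where raw opcodes would sit) count as non-printable."""
    return any(b < 0x20 or b > 0x7E for b in arg)


def evaluate_exec(event, max_arg_len=MAX_ARG_LEN, privileged_uids=PRIVILEGED_UIDS):
    """Return the list of reasons to alert on one exec event; [] means silence."""
    if not is_monitored(event, privileged_uids):
        return []
    reasons = []
    for i, arg in enumerate(event["argv"]):
        if len(arg) > max_arg_len:
            reasons.append(f"{event['exe']}: argv[{i}] is {len(arg)} bytes (limit {max_arg_len})")
        if has_nonprintable(arg):
            reasons.append(f"{event['exe']}: argv[{i}] contains non-printable bytes")
    return reasons


def evaluate_kernel(event):
    """Execute-on-stack reports come from the kernel, not from argument inspection."""
    if event.get("type") == "execute_on_stack":
        return [f"{event['exe']}: kernel reported execute-on-stack in pid {event['pid']}"]
    return []


def evaluate(event):
    return evaluate_kernel(event) if "type" in event else evaluate_exec(event)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["exe"], evaluate(event) or "no alert")
```

The two non-alerting long-argument events show the gating that keeps the template quiet: a program running with euid equal to ruid, or setuid to a user outside the privileged-users list, is not inspected at all, so the list of privileged users is what decides the template's coverage.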
Buffer Overflow Template 113