Vulnerability Development mailing list archives

Re: Blind Remote Buffer Overflow


From: 11a () GMX NET (Bluefish)
Date: Tue, 2 May 2000 03:42:19 +0200


Uhm...

To begin with, in most situations it seems unrecommended to assume the
attacker is blind. But what if he really is?

Some people have mentioned some ways to try to find a vulnerability
remotely. Now, let's say you have, using some way, determined you can rewrite
EIP, PC (or whatever it's called on your architecture). What now to do to
detect the operating system and architecture?

I believe a 'generic buffer overflower' could be part of the answer. Let a
tool be given what you know (or guess) about the overflow. Let it generate
a number of variants (as an example: Linux/i386, Linux/sparc,
Windows/i386), all of which do something like "echo 3 | mail
badguy () test com". Depending upon what mail you actually get back, you know
that the architecture is at least quite compatible with the environments
that return an answer.

It does seem like quite some work, but it does (IMHO) show that even if
a system has secret source code and secret binaries as well, it's not
possible to provide security through obscurity. If such scans could be
automated, it would raise a need even for programs which only exist on a
single system to be coded quite well.

The group/company at www.eeye.com has a tool which can be used to scan for
unknown exploits if you give it some information about "where you
want to go today" (grin). I don't know how good it is, but perhaps
the support of 'blind overflows' to detect systems can be incorporated into
their scanner.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team