[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

Ory Segal osegal at watchfire.com
Wed Mar 15 09:23:12 EST 2006

Another interesting thing to note, which I totally agree with, is:
Quote: "While technically possible, the truth is that they are just not
seen in the real world. Our experience at WhiteHat Security, having
assessed hundreds of Web sites and identified thousands of
vulnerabilities, shows that statistically, buffer overflows appear near
the bottom of the list of total discovered issues."
I've been around for quite a while, and I can't remember the last time I
have seen a Buffer Overflow in a custom-built web application. Anyone


From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Wednesday, March 15, 2006 15:42
To: ol at uncon.org
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer
overflow myths

The article you posted is a good read, however it does not entirely
debunk the core message of Jeremiah's article. The SecurityFocus
article wanted to show that it would still be possible to execute a
blind buffer overflow against ISAPI extensions.
If we are not looking at the article examples in a lab view, but rather
a real world view, then the Vulnerability Requirements section becomes
important -
"There are very few necessary requirements of the vulnerability for
exploitation to be successful. If any type of filtering is being done on
our input, output from the extension would be required to display which
bytes are denied or modified.

The second and third requirements are that a register must point to our
payload and have enough room for single or multi-stage shell code."

With these caveats in mind - is this really a blind buffer overflow if
it is a requirement that denied bytes are displayed back to the attacker?
Additionally, the author summed it up with this statement -
"One can now see that even when an attacker does not have access to the
binary, source or platform information, exploitation may in some
specific scenarios allow for remote code execution."
This brings up another point from Jeremiah's article - the likelihood of
a buffer overflow is less than the other attacks he mentioned (SQL
Injection, etc...)

On 3/15/06, ol at uncon.org <ol at uncon.org> wrote:

> > Did you read the article or did you just base your response on the 2
> > sentences sent in the email?  The article quite clearly outlined the fact
> > that it was focusing on "custom" applications and not widely
> > available (to everyone, including attackers) software.
> Yes I did. Did you read the article I posted? It clearly describes how it is
> possible and thus likelihood is greatly increased on custom
> (using ISAPI as a particular example I grant you).

Ryan C. Barnett
Web Application Security Consortium (WASC) Member 
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
Author: Preventing Web Attacks with Apache 