HIPAA Blog

[ Thursday, June 09, 2005 ]

 

More on WinZip: Here's more on potential trouble with WinZip. I gotta be honest, I just don't know what the hell that means. But it does get worse: I really don't know what this means.

Jeff [11:30 AM]

Comments:
A buffer overflow attack usually exploits poorly written code, the stuff the program or OS is written in. The buffer is the amount of memory set aside to operate that particular piece of code; if it is not large enough the overflow opens the system to attack by allowing a malicious user to deliberately input more than the buffer allows, and thereby gain access to the user's system.
In a ubiquitous program like WinZip this is a major issue, since most of us have it living right there on our desktop.
 
Thanks, Michael. Damn, I still don't know what that means.
 
Let me try and explain it by way of a silly analogy.

Suppose you have some kind of day planner. You already know that your A1 task for tomorrow is to call three people to confirm an important business meeting, but you won't know exactly which three people are supposed to be invited until your boss tells you later in the day.

So on the first line of tomorrow's page you write "A1: Call and confirm business meeting with:" and then leave three blank lines for you to pencil in the actual names later.

Next you enter your A2 task (on line five of the day planner page), "get the car washed" and A3 (line 6), "walk the dog" and B1 (line 7), "go to the movies".

(Tomorrow must be a Saturday? :-)

Now, later in the day your boss (whom you think you can trust) tells you to 1st, "Call and invite Alice"; 2nd, "Call and invite Bob"; 3rd, "Call and invite Mary"; 4th, "Drive to the bank" and 5th, "Wire the contents of your savings and checking account to this acct # in the Cayman Islands ..."

So you dutifully fill in your dayplanner with five new lines, overwriting your A2 and A3 items in the process.

You wake up the next morning and dutifully call Alice, Bob, and Mary, then drive to the bank and wire the contents of your account to an anonymous account in the Cayman Islands.

Then you go and enjoy a movie having successfully completed your A1 and B1 tasks.

Later you notice all your checks are bouncing and you have no money left.

The reason? You had allocated 3 lines in your dayplanner for the list of people to call, but when you were writing in their names and numbers you didn't properly validate the number of items you were including. You overwrote your A2 and A3 items with the trip to the bank and the wire transfer.

Being dutiful (like a computer) you continued executing the instructions the next morning, much to your ultimate dismay.

A buffer (the space previously allocated) is overflowed when you try and store more stuff than there is room for (5 lines instead of 3).

This could result in garbled data, a program crash or failure, or, if the extra stuff is crafted just so, the result could be that your computer begins executing malicious software (lines 4 and 5, but particularly 5, in our example).

Buffer overflows are always a mistake. When they exist in software that is widely installed, and when the overflow can lead not just to a crash but to being able to run code of your own choosing (in the case of WinZip, apparently gaining the ability to promote yourself from being a lowly serf [a regular user] to being the boss [administrator]) it's a real security concern.

(Getting yourself promoted from being a user to being an administrator is known as "privilege escalation.")
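The day-planner analogy from the comment above, written out as a small C program. This is an added example, not code from the blog or its commenters, and it has nothing to do with WinZip itself: the planner page, the three reserved name slots and the boss's five instructions are all constructed here to mirror the story. The whole page is one fixed array, so the "overflow" only clobbers the neighbouring lines that hold A2 and A3 (the way the analogy describes) rather than writing outside the program's own memory; the checked version shows the bounds test the unchecked one is missing.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_LEN   80   /* characters per planner line */
#define PAGE_LINES 8    /* lines on tomorrow's page */
#define NAME_SLOTS 3    /* lines reserved under A1 for the people to call */

/* One day-planner page: index 0 is the comment's "line 1", index 4 is its "line 5". */
typedef struct {
    char line[PAGE_LINES][LINE_LEN];
} planner_page;

static void set_line(planner_page *p, size_t idx, const char *text) {
    /* snprintf bounds each individual line; the bug we show is in slot counting, not here */
    snprintf(p->line[idx], LINE_LEN, "%s", text);
}

/* Lay the page out as in the analogy: header on line 1, three blank slots, then A2/A3/B1. */
void init_page(planner_page *p) {
    memset(p, 0, sizeof *p);
    set_line(p, 0, "A1: Call and confirm business meeting with:");
    set_line(p, 4, "A2: get the car washed");
    set_line(p, 5, "A3: walk the dog");
    set_line(p, 6, "B1: go to the movies");
}

/* Unchecked fill: trusts the caller's count and writes every item after the header.
   Items 4 and 5 land on the lines that hold A2 and A3. The single guard here only keeps
   the simulation inside the page array; real code with this bug would write past the
   buffer into whatever memory follows it. */
size_t fill_names_unchecked(planner_page *p, const char *const *items, size_t count) {
    size_t written = 0;
    for (size_t i = 0; i < count; i++) {
        size_t idx = 1 + i;
        if (idx >= PAGE_LINES) break;   /* keeps the demo itself well-defined */
        set_line(p, idx, items[i]);
        written++;
    }
    return written;
}

/* Checked fill: never writes more than the NAME_SLOTS that were set aside,
   and tells the caller how many items it refused so the surplus is not silently lost. */
size_t fill_names_checked(planner_page *p, const char *const *items, size_t count,
                          size_t *dropped) {
    size_t n = count > NAME_SLOTS ? NAME_SLOTS : count;
    for (size_t i = 0; i < n; i++)
        set_line(p, 1 + i, items[i]);
    if (dropped)
        *dropped = count - n;
    return n;
}

/* Constructed sample input: the boss's five instructions from the comment. */
static const char *const BOSS_ITEMS[] = {
    "Call and invite Alice",
    "Call and invite Bob",
    "Call and invite Mary",
    "Drive to the bank",
    "Wire the savings and checking balance to the Cayman Islands account",
};
#define BOSS_COUNT (sizeof BOSS_ITEMS / sizeof BOSS_ITEMS[0])

/* Returns 1 when the unchecked fill has overwritten the A2 task on page line 5. */
int unchecked_clobbers_a2(void) {
    planner_page p;
    init_page(&p);
    fill_names_unchecked(&p, BOSS_ITEMS, BOSS_COUNT);
    return strcmp(p.line[4], "A2: get the car washed") != 0;
}

/* Returns how many items the checked fill refused, or -1 if A2 did not survive intact. */
int checked_drops(void) {
    planner_page p;
    size_t dropped = 0;
    init_page(&p);
    fill_names_checked(&p, BOSS_ITEMS, BOSS_COUNT, &dropped);
    return strcmp(p.line[4], "A2: get the car washed") == 0 ? (int)dropped : -1;
}

int main(void) {
    planner_page p;
    init_page(&p);
    fill_names_unchecked(&p, BOSS_ITEMS, BOSS_COUNT);
    for (size_t i = 0; i < PAGE_LINES; i++)
        printf("line %zu: %s\n", i + 1, p.line[i]);
    return 0;
}
```

Running it prints the page after the unchecked fill: lines 5 and 6 now read "Drive to the bank" and the wire-transfer instruction instead of A2 and A3, exactly the corruption the analogy describes, while B1 on line 7 is untouched. The fix is not a bigger page but the length check in `fill_names_checked`, which is the check the comment says was missing.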
 