[PLUG] Linux /Windows virus appears (fwd)

Doug Davis mindglow at dsl-only.net
Sun Jun 9 18:52:18 UTC 2002


On Sun, 2002-06-09 at 10:29, Neil Anuskiewicz wrote:
>
> How does one protect against buffer overflows, run Immunix? Or are there 
> other ways? I mean unknown buffer overflows that might be exploited 
> between the time that they are found and exploited and the time that they 
> are fixed and a patch issued and given, as you mentioned, the fact that 
> not all system admins are good about keeping up with the patches.
> 
Yes, you can apply kernel patches to prevent them in such a way as
Immunix does. Other prevention methods include keeping regular on your
patches and (my favorite) minimizing the use of all services that you
don't use.  For example, if you don't have the wu-ftp service running,
you can't exploit it. Also, don't run services as root if you can help
it. To explain this one, an explanation of what a buffer overflow is
would be helpful. Basically, the developer does a poor job of checking
the size of a data field before he writes it to memory. This allows the
attacker to run a program that overwrites the return pointer in the
program to point to a line in memory that executes a command of the
attacker's choice (most often a shell). This gets run as the user that
started the program. So essentially if you start wu-ftp as root and
someone runs this program against it ...they have a root shell. From
there...you can guess what happens. The lesson here is to run things
with as little privilege as possible and then only when you need them.

Doug
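An added example in C (not from Doug's post, Immunix or wu-ftp) showing the two points above: the unchecked copy into a fixed-size field that a daemon author gets wrong, the same copy with the length check done first, and a start-up refusal when the effective uid is root. FIELD_MAX, the function names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define FIELD_MAX 16   /* constructed: size of a fixed field in the daemon */

/* The defect the post describes: the size of the incoming data is never
 * checked before it is written into a stack buffer. Input longer than
 * FIELD_MAX - 1 bytes runs past 'field' into adjacent stack memory, which
 * on most compilers includes the saved return address of this function. */
int store_field_unchecked(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);           /* no length check */
    return (int)strlen(field);
}

/* Hardened form: measure the input only up to the limit, reject anything
 * that does not fit together with its NUL terminator, and copy an exact
 * byte count. Returns the stored length, or -1 if the field was rejected. */
int store_field_checked(const char *input)
{
    char field[FIELD_MAX];
    const char *end = memchr(input, '\0', FIELD_MAX); /* scan at most FIELD_MAX */
    if (end == NULL)
        return -1;                  /* no terminator within the limit: too long */
    size_t len = (size_t)(end - input);
    memcpy(field, input, len + 1);  /* len bytes plus the terminator, fits */
    return (int)strlen(field);
}

/* Least-privilege check for the second point: a service that has no reason
 * to be root should refuse to start as root, so a successful overflow yields
 * only the unprivileged user's shell. Returns 0 if acceptable, -1 if root. */
int refuse_if_root(unsigned int euid)
{
    return euid == 0 ? -1 : 0;
}

int main(void)
{
    const char *short_in = "anonymous";                          /* constructed */
    const char *long_in  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 40 bytes */
    printf("short field: %d\n", store_field_checked(short_in));  /* 9 */
    printf("long field:  %d\n", store_field_checked(long_in));   /* -1, rejected */
    printf("euid check:  %d\n", refuse_if_root((unsigned int)geteuid()));
    return 0;
}
```

Only the checked variant is ever called with the oversized input; passing it to the unchecked one is exactly the memory corruption the post warns about.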
