How to Guard against Buffer Overflow Hacks
RPC and other vulnerable daemons are common targets for buffer-overflow hacks. Buffer-overflow attacks are often how the hacker can get in to modify system files, read database files, and more.
Buffer Overflow Attacks
In a buffer-overflow attack, the attacker either manually sends strings of information to the victim Linux machine or writes a script to do so. These strings contain the following:
Instructions to the processor to basically do nothing.
Malicious code to replace the attacked process. For example, exec (“/bin/sh”) creates a shell command prompt.
A pointer to the start of the malicious code in the memory buffer.
If an attacked application (such as FTP or RPC) is running as root, this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Firefox. Depending on the version, this software can be exploited using commercial or free tools such as Metasploit to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more.
Countermeasures against buffer-overflow attacks
Three main countermeasures can help prevent buffer-overflow attacks:
Disable unneeded services.
Protect your Linux systems with either a firewall or a host-based intrusion prevention system (IPS).
Enable another access control mechanism, such as TCP Wrappers, that authenticates users with a password.
Don’t just enable access controls via an IP address or hostname. That can easily be spoofed.
As always, make sure that your systems have been updated with the latest kernel and security patches.