HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Buffer Overflow Template

The vulnerability addressed by this template

A buffer can be a local variable residing on the stack, a dynamically allocated buffer residing on the heap, or a global variable residing in the process data segment. All buffer overflow attacks (for example, stack smashing, return-into-libc, execute on heap) attempt to overflow a buffer. Refer to the Stack Buffer Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com, for a description of buffer overflow attacks on HP-UX. An attacker carefully crafts unusually long program arguments to overflow a buffer for which the program does not perform bounds checking. By overflowing the buffer, the attacker can modify the program's execution flow to execute malicious code and thereby hijack a privileged program. An attacker can modify a program's execution flow in several ways, including the following:

  • Overflowing a buffer on the stack to modify the return address in an activation record.

  • Overflowing a buffer on the heap to modify a free memory header so that the heap memory allocation code then overwrites a function’s return address.

  • Overflowing a buffer in the data segment, to overwrite an adjacent variable containing a function pointer so that a subsequent dereferencing of the variable results in the execution of malicious code.

How this template addresses the vulnerability

The Buffer Overflow (BO) template monitors attack patterns that are indicative of various types of buffer overflow attacks, and reports execute-on-stack buffer overflow attacks detected by the HP-UX kernel. The template monitors privileged setuid programs, that is, programs running with an effective user ID (euid) that is not equal to the real user ID (ruid), where the euid is one of the user IDs specified in the template's priv_user_list property of privileged users (for example, root).

Specifically, the template monitors privileged setuid programs for the following:

  • The privileged setuid program was invoked with an unusually long program argument.

  • The privileged setuid program was invoked with program arguments that contain nonprintable characters (for example, possible CPU opcodes).

The template also reports when the kernel detects that a program has attempted to execute on its stack, perhaps as part of a stack buffer overflow attack.

NOTE: In HP-UX 11i v1 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the -es option of the chatr command. Refer to executable_stack (5) and chatr (1) manpages and the Stack Buffer Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com.

How this template is configured

Table A-2 lists the configurable properties the Buffer Overflow template supports.

Table A-2 Buffer Overflow Template Properties

Property               Type   Default Value
priv_user_list         III    root | daemon | bin | sys | adm | uucp | lp | nuucp
unusual_arg_len        VIII   500
programs_to_not_watch  I      <empty>

priv_user_list

A list of system-level user IDs or user names.

Add users who have elevated access to the system to this list. Only programs that run with an effective user ID that equals one of the listed user IDs, or that corresponds to one of the listed user names, are monitored for the use of unusually long arguments or arguments with nonprintable characters. For higher security, add the user IDs and user names of other privileged accounts (for example, the Webmaster or news administrator), and do not remove the default user IDs.

unusual_arg_len

An integer value that defines an unusually long argument length. Set this property to an argument length that is unusually long for the privileged setuid executables run on the system; an argument of that length or longer can indicate a buffer overflow attack.

programs_to_not_watch

Path names of programs that can be safely ignored.

Any buffer overflow alert for a program whose path name is matched by a regular expression in this property is filtered out and not reported.
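As an added illustration (not code from the HP-UX HIDS product), the following Python model applies the monitoring rules and the Table A-2 properties described above to a single exec event. The event fields, the name-based priv_user_list, the exclusion of argv[0] from the length check and the meaning of "total length" are assumptions of this model.

```python
import re

# Constructed defaults mirroring Table A-2 (names are used here; the real
# template also accepts numeric user IDs in priv_user_list).
PRIV_USER_LIST = {"root", "daemon", "bin", "sys", "adm", "uucp", "lp", "nuucp"}
UNUSUAL_ARG_LEN = 500
PROGRAMS_TO_NOT_WATCH = []      # regular expressions; the default is <empty>


def has_nonprintable(arg):
    """True if any character is outside printable ASCII (0x20-0x7e)."""
    return any(not 0x20 <= ord(c) <= 0x7E for c in arg)


def evaluate(program, ruid, euid, argv, priv_users=PRIV_USER_LIST,
             unusual_arg_len=UNUSUAL_ARG_LEN, not_watch=PROGRAMS_TO_NOT_WATCH):
    """Return the alerts the BO template rules would raise for one exec event.

    Each alert carries the Table A-4/A-5 summary text plus the figures the
    Details field reports. An empty list means no alert.
    """
    # Rule 1: only privileged setuid programs are monitored, i.e. euid != ruid
    # and euid is in priv_user_list.
    if euid == ruid or euid not in priv_users:
        return []
    # Rule 2: programs_to_not_watch filters alerts by path-name regex.
    if any(re.search(pattern, program) for pattern in not_watch):
        return []

    alerts = []
    args = argv[1:]             # assumption: argv[0] (program name) not checked
    longest = max((len(a) for a in args), default=0)
    if longest >= unusual_arg_len:      # "equal to or greater than"
        alerts.append({
            "summary": "Potential buffer overflow detected",
            "kind": "unusual_arg_len",
            "longest": longest,
            "total": sum(len(a) for a in args),   # assumed meaning of "total"
        })
    bad = [i + 1 for i, a in enumerate(args) if has_nonprintable(a)]
    if bad:
        alerts.append({
            "summary": "Potential buffer overflow detected",
            "kind": "nonprintable",
            "argv_index": bad,              # which argv[n] carried the bytes
        })
    return alerts
```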

Alerts generated by this template

The following alerts are generated by the Buffer Overflow template:

Execute on Stack

Table A-3 lists the alerts that this template generates and forwards to a response program when an execute-on-stack condition is detected by the HP-UX 11i kernel.

Table A-3 Execute on Stack Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to the template
argv[2] | Version | Integer | 2 | Version of the template
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when execute-on-stack was detected
argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack
argv[6] | Target of Attack | String | program=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full pathname of the program the attacker was running when attempting to execute on the stack, and the program's type, mode, uid, gid, inode, and device number
argv[7] | Summary | String | Buffer overflow detected | Alert summary
argv[8] | Details | String | Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked with <args> | Detailed alert description
argv[9] | Event | String | null | The event that triggered the alert

NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Unusual Argument Length

Table A-4 lists the alert properties that the Buffer Overflow template generates and forwards to a response program when a privileged setuid program is invoked with an argument whose length is equal to or greater than the unusual_arg_len property value.

Table A-4 Unusual Argument Length Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to the template
argv[2] | Version | Integer | 3 | Version of the template
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when a privileged setuid program was run with an unusually long argument
argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument
argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the setuid program the attacker executed with an unusually long argument, and the program's type, mode, uid, gid, inode, and device number
argv[7] | Summary | String | Potential Buffer overflow detected | Alert summary
argv[8] | Details | String | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>. Length of the longest argument is <value>, which surpasses the longest expected argument length of <unusual_arg_len>. Total length of argument is <value>. | Detailed alert description
argv[9] | Event | String | null | The event that triggered the alert

NOTE: See Table B-1 for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Argument with Nonprintable Character

Table A-5 lists the alert properties that the Buffer Overflow template generates and forwards to a response program when a privileged setuid program is invoked with an argument that contains a nonprintable character.

Table A-5 Argument with Nonprintable Character Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to the template
argv[2] | Version | Integer | 3 | Version of the template
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when a privileged setuid program was run with an argument that contains a nonprintable character
argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the setuid program the attacker executed with an argument that contains a nonprintable character, and the program's type, mode, uid, gid, inode, and device number
argv[7] | Summary | String | Potential buffer overflow detected | Alert summary
argv[8] | Details | String | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> contains non-printable characters. | Detailed alert description
argv[9] | Event | String | null | The event that triggered the alert

NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields above.
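The following Python response program is an added example and is not part of the HP-UX HIDS distribution: it receives the nine alert arguments laid out in Tables A-3 to A-5 as its own argv, parses the string Attacker and Target of Attack fields, and normalises the program=/file= key difference between Table A-3 and Tables A-4/A-5. The sample alert values are constructed, and the parsing is the fallback the NOTE above says Appendix B's extra arguments make unnecessary.

```python
import re
import sys

# Constructed sample alert in the argv[1]..argv[9] layout of Table A-3
# (argv[0] is the response program itself); every value is made up.
SAMPLE_EXEC_ON_STACK = [
    "respond.py", "0", "2", "1", "1700000000",
    "uid=1001, gid=20, pid=4242, ppid=4200",
    "program=/usr/bin/passwd, type=regular, mode=4555, uid=0, gid=2, "
    "inode=1234, device=64000",
    "Buffer overflow detected",
    "Buffer overflow detected by kernel for process with pid 4242 and "
    "ppid 4200 when executing /usr/bin/passwd (type=regular, inode=1234, "
    "device=64000), invoked with passwd AAAA",
    "null",
]

def parse_kv(field):
    """Parse the 'key=value, key=value' Attacker / Target of Attack format.
    A value containing a comma is cut short; Appendix B's extra arguments
    exist so that pid, ppid and so on need not be parsed from here."""
    return dict(re.findall(r"(\w+)=([^,]*)", field))

def parse_alert(args):
    """Turn the response program's argv into a dict (raises if too short)."""
    if len(args) < 10:
        raise ValueError("expected argv[1]..argv[9] from the BO template")
    target = parse_kv(args[6])
    alert = {
        "template_code": int(args[1]),
        "version": int(args[2]),
        "severity": int(args[3]),
        "utc_time": int(args[4]),
        "attacker": parse_kv(args[5]),
        "target": target,
        # Table A-3 labels the path "program=", Tables A-4/A-5 use "file=".
        "program": target.get("program", target.get("file")),
        "summary": args[7],
        "details": args[8],
        "event": args[9],
    }
    # Only the kernel-detected alert (Table A-3) says "Buffer overflow
    # detected"; the argument checks say "Potential ..." (Table A-4 writes
    # "Potential Buffer", hence the case-insensitive compare).
    alert["kernel_detected"] = args[7].lower() == "buffer overflow detected"
    return alert

if __name__ == "__main__":   # real alert arguments if given, else the sample
    print(parse_alert(sys.argv if len(sys.argv) > 9 else SAMPLE_EXEC_ON_STACK))
```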

Limitations

The Buffer Overflow template has the following limitations:

  • The template does not detect whether a buffer overflow attack was successful. It only detects that one might have been attempted.

  • The template only reports exec-on-stack buffer overflow attacks on HP-UX 11i when exec-on-stack protection is enabled.

© Hewlett-Packard Development Company, L.P.