scottp99

join:2010-12-11

Buffer Overflow blocked by AV, what should I do?

Yesterday my AV caught this, whatever it is, with its Buffer Overflow protection system. Should I still restore my clean copy of my OS image just to be safe, even though this had been blocked?

I did a search on this, but had no luck and found no info on it. Maybe it was a false positive, who knows. I was going to a website and then I received a pop-up message window from my AV that this thing had been blocked.

Should I reimage Windows just to be on the safe side?

Thanks

Blocked by Buffer Overflow Protection C:\Program Files\Internet Explorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6b40000 BO:Writable BO:Heap



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

Mentioning the AV by name would be helpful.
e.g., if your AV is McAfee
»community.mcafee.com/message/256643
might have the answers you seek.


scottp99

join:2010-12-11

I did, but there has been no response for days now. I posted on there asking if anyone knew about the meaning of this or what type of attack attempt it was. I am aware that McAfee has a reporting system called Avert Labs which can analyze this report.

But here, I just wanted to ask if I should reimage my OS and not really focus on the meaning of this report.

Thanks



norwegian
Premium
join:2005-02-15
Outback

The meaning can be found at Wiki:

»en.wikipedia.org/wiki/Buffer_overflow

Theoretically all new processors should stop buffer overflows, the x64 flavour especially; see DEP:

»en.wikipedia.org/wiki/Data_Execu···evention

I find it hard to believe that this can be possible on modern computers.
But then I do not program, and maybe someone can enlighten us.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

To be precise: there is no way to prevent 'buffer overflow'. What DEP does is to prevent the execution of code that was injected into a data area by exploitation of a buffer overflow.

To repeat: the buffer has overflowed, the data that the program thought it had there next to the buffer is now toast.

The execution attack, which is the common approach, is to overwrite something that'll get used as a subroutine return address with the different address of some code that the attacker wants to execute. That in itself is not detectable by DEP. The hardware support kicks in if the 'attack code' has been constructed by the same buffer overflow: i.e., on taking that subroutine return, we end up attempting to fetch instructions out of somewhere that is not marked as containing instructions.

There are still some remaining possibilities for attacks by buffer overflows:

1. Redirecting execution to somewhere that was actually executable. That is, you just change the flow of control, not the code.

2. Accepting that there's going to be a DEP exception and attempting to intervene in how that exception gets handled - i.e., the real attack is after DEP has detected execution of data. There's still the problem of what gets executed, of course. (Can't construct new code in data areas).

3. Attacks by changing data only: e.g. maybe I can fool a badly-written program into thinking I have access to something I don't, by changing some flag that happens to be 'next to the buffer'. This can't violate kernel-provided protection of course.

I'm no hacker (in the modern sense) so I don't know much about whether these techniques actually get used; I'm just talking about what DEP does and what it doesn't.


Rebirth

join:2009-06-18
33333
reply to scottp99

If you run Procmon from Sysinternals, you'll be amazed at just how many BOs you'll see, from all sorts of legit apps and processes, etc. "Apparently" it is quite normal, from what I've read!

Also, issues with McAfee's intrusion detection and buffer overflow detection aren't new! This is from 2007 - »www.wilderssecurity.com/showthre···t=189610



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to dave

said by dave:

To be precise: there is no way to prevent 'buffer overflow'. ...

Can we assume you actually mean that there's no way for a user or protective software to "prevent 'buffer overflow' "? Buffer overflow is a consequence of a programmer's failure to bounds-check the data written to a buffer in the code he writes, and indeed can be prevented at the coding level (though with C/C++ it's not automatically done for the programmer, so he has to be sharp enough and persistent enough to build it in himself). Put another way, buffer overflows can be prevented at software coding time, but can't be prevented after that... which is what I think you meant.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to Rebirth

said by Rebirth:

If you run Procmon from Sysinternals, you'll be amazed at just how many BOs you'll see, from all sorts of legit apps and processes, etc. "Apparently" it is quite normal, from what I've read!

Those aren't buffer overflows, those are just unfortunately-named Windows error codes.

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.


norwegian
Premium
join:2005-02-15
Outback
reply to dave

After your comments helped explain more, I found this link that was interesting.

»security.stackexchange.com/quest···dep-work

It helped list more to clarify what you meant, at least on points 1 and 2, as I wanted to understand what ASLR was, as well as DEP, since they seemed to have a similar function. Yet it seems ASLR is not that dissimilar to another exploit mitigation that came about via port randomization (DNS spoofing), DEP being like a firewall stopping the incorrect addressing. A little bit different, I know, but I couldn't help seeing similarities with the different protocols, if I understood correctly?

This next link seemed to suggest they were not bullet-proof, and the description almost made it sound like they were easily bypassed for someone with the specific knowledge. A layer of the onion peeled so to speak.

»security.stackexchange.com/quest···r-dep-nx

Thanks for the description to help direct a little side research.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Steve

said by Steve:

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.

Thanks also for that. I read somewhere, back when Mark ran Sysinternals before Microsoft, that they were to be ignored, but never really understood fully why.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

2 edits

1 recommendation

reply to Blackbird

said by Blackbird:

Can we assume you actually mean that there's no way for a user or protective software to "prevent 'buffer overflow' "?

Yes. Programmers can prevent buffer overflows by using interfaces properly, assuming an interface actually exists that is capable of not overflowing a provided buffer. Or the programmer can use a language where memory-unsafe constructs do not exist.

The user can only prevent buffer overflows by refusing to use software written by the incompetent.

Likewise, the programmer should refuse to use interfaces written by the incompetent.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Steve

To expand on what Steve said: it is a common design pattern that, in order to find out how much space something needs, the program attempts to read it into a buffer of some size (often zero length), and gets told "your buffer is not big enough, needs to be at least N bytes". That is, it's not a programming error, it's the way it is supposed to work.

So "BUFFER_OVERFLOW" in this case means that the available data would overflow the provided buffer.

This is an example of program use that prevents actual buffer overflow. The buffer overflows this thread is concerned about are those that just go ahead and write 150 bytes "into" a 100-byte buffer.
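An added example, not code from this thread or from Windows, that puts Steve's 100-versus-150-byte dialogue and dave's two-call pattern into C. query_result is a constructed stand-in for a size-reporting API (its status values are hypothetical, not the real Win32 constants), and its size check is the bounds check Blackbird says has to be written in at coding time.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical status values, not the real Win32 constants. */
enum { STATUS_OK = 0, STATUS_BUFFER_OVERFLOW = 1 };
#define RESULT_BYTES 150   /* "you need 150 bytes", as in the thread */

/* Constructed stand-in for a Windows-style API: fills the caller's buffer only
 * if it is big enough, otherwise reports the size it needs and writes nothing. */
int query_result(char *buf, size_t buf_size, size_t *needed) {
    *needed = RESULT_BYTES;
    if (buf == NULL || buf_size < RESULT_BYTES)
        return STATUS_BUFFER_OVERFLOW;   /* bounds check: refuse, don't clobber */
    memset(buf, 'x', RESULT_BYTES - 1);  /* 149 payload bytes plus terminator */
    buf[RESULT_BYTES - 1] = '\0';
    return STATUS_OK;
}

/* dave's two-call pattern: probe with a zero-length buffer, grow to the size
 * requested, call again. Returns a malloc'd string (caller frees) or NULL. */
char *fetch_result(int *calls_made) {
    size_t needed = 0;
    char *buf = NULL;
    int calls = 1;
    int status = query_result(NULL, 0, &needed);      /* call 1: size probe */
    while (status == STATUS_BUFFER_OVERFLOW) {
        char *grown = realloc(buf, needed);
        if (grown == NULL) { free(buf); return NULL; }
        buf = grown;
        status = query_result(buf, needed, &needed);  /* call 2: real fetch */
        calls++;
    }
    if (calls_made) *calls_made = calls;
    return buf;
}

/* Steve's dialogue: a 100-byte buffer. Returns the size the API asked for if it
 * refused without touching the buffer, or 0 if it misbehaved. */
size_t probe_with_100_bytes(void) {
    size_t needed = 0; char small[100] = {0};
    int status = query_result(small, sizeof small, &needed);
    return (status == STATUS_BUFFER_OVERFLOW && small[0] == '\0') ? needed : 0;
}

/* Payload length obtained via the two-call pattern (149), or 0 on failure. */
size_t fetch_result_length(int *calls_made) {
    char *r = fetch_result(calls_made);
    size_t n = r ? strlen(r) : 0;
    free(r);
    return n;
}
int fetch_call_count(void) { int c = 0; fetch_result_length(&c); return c; }  /* 2 */
```

The 100-byte call is refused with nothing written, which is the "no actual overflow has occurred" case; the real overflow would be a copy that skipped the size check and wrote all 150 bytes anyway.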


scottp99

join:2010-12-11

All I wish to know is: when McAfee AV pops up a message that a Buffer Overflow has been blocked, what should I do? I just want to compare it with the actions I take for a worm, trojan or virus, which is usually this:

* Disconnect the LAN cable
* Try cleaning or deleting the infected file with AV
* If that cleaning or deleting fails, then reformat the drive, or restore the OS image.

But I want to know if this can be done with a Buffer Overflow infection. But even though the AV has blocked it, is there any way to find out if it survived the restore of my OS image?

That's all I want to know at this point.

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

I don't know, but this may be a "bug" in McAfee (the latest version), because I never had this with the older versions before.

Thanks.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by scottp99:

All I want to wish to know, is that when McAfee AV pops up a message that a Buffer Overflow has been blocked, then what should I do?

I have not used a McAfee product in years, but in general when a security application tells me that it has detected something and that it "has been blocked", I assume that it indeed "has been blocked" (unless I see some indications that say otherwise).

Do you worry about your firewall reporting that unwanted incoming traffic "has been blocked", or are you just happy that it "has been blocked"?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

Rebirth

join:2009-06-18
33333
reply to scottp99

@ Steve

"unfortunately-named Windows error codes"

You can say that again! Thanks for the info.


scottp99

join:2010-12-11

@NetFixer

Well, I am very security cautious when it comes to IS Security.
I am indeed very happy that my AV blocked it, but most security experts say that even though AV blocks the nasty stuff out there, one should still reimage or reinstall the OS, because nowadays most of this malicious code can be hooked so deep inside your system that we really should not assume it has been blocked or removed by AV.

I did all the searches on Buffer Overflows, but it has been very techy for me. Are these more dangerous than an ordinary infection by a trojan or a worm or a virus? I don't quite understand.

But in any case, I did restore my clean OS image just in case.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by scottp99:

@NetFixer

Well, I am very security cautious when it comes to IS Security.
I am indeed very happy that my AV blocked it, but most security experts say that even though AV blocks the nasty stuff out there, one should still reimage or reinstall the OS, because nowadays most of this malicious code can be hooked so deep inside your system that we really should not assume it has been blocked or removed by AV.

But in any case, I did restore my clean OS image just in case.

You should always do whatever makes you feel comfortable and safe (my previous post was simply my own viewpoint). FWIW, if I did not trust the security software that was on a system under my control, I would also look into replacing it with something that I did trust after a secure reformat of the HDD and reinstalling the OS.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


norwegian
Premium
join:2005-02-15
Outback
reply to scottp99

said by scottp99:

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

If the image is from before the detection, no, it will not have any effect on the image you restore from.

You could discuss if it has affected the MBR records, and whether the image you have includes MBR records or just the partition image, but as mentioned - it was blocked. Either as a real detection or a false positive. As IE and ntdll were mentioned, I'd be more worried about a false positive and file corruption before your concerns of the detection of malware. It can be just as dangerous to system integrity.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

3 edits

1 recommendation

reply to scottp99

said by scottp99:

... Are these more dangerous than an ordinary infection by a trojan or a worm or a virus? I dont quite understand. ...

No... a buffer overflow is a description of a system's legitimate software's flaw or weakness that may be attacked by an infection to get into the computer, not a measure of the infection seriousness itself, once it has gotten in. An infection is an infection, by whatever means of arrival. Once safely inside, an initial infector may invite any number of nasty friends in from outside or it may self-contain any manner of malicious "payloads"... it all depends on the coding attached to the initial infector.

However, an exploitable buffer overflow is a weakness existing within a legitimate piece of software installed on your system, and that is grounds for continuing concern. It raises the chances for the same or some other exploit to attack that same vulnerability in some future encounter. So, if possible, you really should identify and plug that security hole, either by updating/patching the vulnerable software (preferred solution), by blocking the attack point within that software using some settings option in the software or the OS, or by making use of external protective software that responds to this kind of threat... or some combination of these.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville