A server running Microsoft’s IIS will send you a web page if you make a request to that server by telling it what you want (for example, you might tell www.momscookies.com that you want the hypertext file /oatmeal/raisin.html by typing http://www.momscookies.com/oatmeal/raisin.html). The string you send is stored in one buffer, which does not overflow because it is properly bounds-checked. Each character is an ASCII character, which takes one byte to store.

If you requested some other HTTP service, though, this string might be converted into UNICODE (used for international character sets; here one character takes two bytes) and stored in another buffer. It was this other buffer that overflowed, because there was no bounds check to make sure the UNICODE buffer was twice as big as the ASCII buffer. Exploiting this kind of buffer overflow is not easy, but it proved possible: the overflow allowed attack code included in the request string to be executed.
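The length-doubling mistake described above, as an added example (not code from the page or from IIS): a request that passed the ASCII buffer's bounds check is widened to UTF-16LE, but the check on the wide buffer compares the original byte count against the wide buffer's capacity instead of twice that count. The buffer sizes and the request string are constructed for illustration; the real IIS sizes are not given on the page. `widen_to_utf16le` shows the check a bounds-safe converter needs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes chosen for this example. The wide buffer has the same
 * byte capacity as the ASCII buffer, which is exactly the situation the
 * page describes: it needs to be twice as large. */
#define ASCII_BUF_BYTES 64
#define WIDE_BUF_BYTES  64

/* Models the flawed reasoning "it fit in the ASCII buffer, so it fits in the
 * wide buffer too": compares the byte count of the ASCII string against the
 * wide buffer's capacity. Returns 1 if this (wrong) check would accept. */
int flawed_check_accepts(size_t ascii_len, size_t wide_cap_bytes)
{
    return ascii_len <= wide_cap_bytes;
}

/* Correct check: every one-byte ASCII character becomes a two-byte UTF-16
 * code unit, so the wide buffer must hold 2 * ascii_len bytes. */
int correct_check_accepts(size_t ascii_len, size_t wide_cap_bytes)
{
    return ascii_len <= wide_cap_bytes / 2;
}

/* Bounds-checked ASCII -> UTF-16LE conversion. Returns the number of bytes
 * written, or -1 if the widened string would not fit. Never writes past
 * out_cap, so a request that fit the ASCII buffer cannot overflow here. */
long widen_to_utf16le(const char *in, size_t in_len,
                      unsigned char *out, size_t out_cap)
{
    if (!correct_check_accepts(in_len, out_cap))
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = (unsigned char)in[i]; /* low byte: ASCII value */
        out[2 * i + 1] = 0x00;                 /* high byte: 0 for ASCII */
    }
    return (long)(2 * in_len);
}

int main(void)
{
    /* Constructed request path: 40 bytes, well within the 64-byte ASCII
     * buffer, but 80 bytes once widened. */
    const char *request = "/oatmeal/raisin.html?flavor=extra-chewy-";
    size_t len = strlen(request);
    unsigned char wide[WIDE_BUF_BYTES];

    printf("ASCII length %zu fits ASCII buffer: %d\n", len, len <= ASCII_BUF_BYTES);
    printf("flawed wide-buffer check accepts:  %d\n", flawed_check_accepts(len, sizeof wide));
    printf("correct wide-buffer check accepts: %d\n", correct_check_accepts(len, sizeof wide));
    printf("bounded conversion result: %ld\n", widen_to_utf16le(request, len, wide, sizeof wide));
    return 0;
}
```

The flawed check accepts the 40-byte request because 40 is less than 64, yet the conversion would write 80 bytes into a 64-byte buffer; the correct check rejects it, and the converter refuses to write at all rather than writing partially.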