
Why buffer overflow exploitation took so long to mature  - wglb
http://rdist.root.org/2010/05/03/why-buffer-overflow-exploitation-took-so-long-to-mature/
======
tptacek
I think "Smashing The Stack" is a very important milestone, but I don't think
it's the tipping point for buffer overflows. I think that'd be Sendmail 8.6.12
and 8lgm's syslog(3) overflow exploit.

For the first half of the 1990s, Sendmail was to Internet security what
Wordpress is now: the dominant attack vector. Sendmail zero days were the
bearer bonds of #hack. Whenever Allman's team fixed a flaw, the current
version of Sendmail became one of the hottest targets on the net. 8lgm had
been coming off a string of something like 12 high-quality advisories. An
unpublished 8lgm advisory in 8.6.12 was a big deal indeed.

8lgm basically dared the Internet to reproduce their finding; they said "it's
an overflow in vasprintf in syslog, but we're not showing the exploit". For
the next 8 months or so, everyone was madly trying to cobble together stack
overflow exploits. I remember sitting in someone's apartment at a party
watching Mudge walk us through some example shellcode. I started Matasano with
one of the guys who published the first x86 stack overflow.

My point is, well before Smashing the Stack, buffer overflows were a _very_
big deal.

Let me head off a likely follow-on argument: there's no "Smashing the
Stack"-a-like for heap overflow exploits; the techniques to exploit heap
overflows are as folkloric as stack overflows were prior to Elias' article.
That is to say, it's out there, it's not hard to find (especially if you can
read and play with exploit code), but there's no solid cookbook. And yet
there's a thriving ecology of heap exploits out there. So it's hard to argue
that the '90s would have played out that differently without Elias' article.

This does nothing to answer the core question: why so many years between rtm's
worm and Lopatic's HTTPD exploit?

~~~
NateLawson
In the second part, I cover this very briefly. Basically, there were so many
other holes to exploit from 1988-1995 that you didn't need to learn a whole
new exploitation technique. Also note that it took a few years for buffer
overflow exploitation techniques developed on Linux to hit Windows -- the
systems were far enough apart that it took a little while to port. So an
entirely new exploitation technique (not just new platform) would require much
more work, and thus be a larger barrier to entry.

Also, Lopatic was a creative thinker. Sometimes it just takes being shown
something is possible to challenge many others to try to replicate it.

------
alanh
Interesting, but I don’t think the question raised in the title was actually
answered — he just retold the history.

~~~
InclinedPlane
It's a series of articles on the topic, this is just the first.

~~~
NateLawson
Correct, here is the second one which goes more in-depth:

<http://news.ycombinator.com/item?id=1321562>

------
drawkbox
Damn interesting I might say. It piqued my interest and is truly strange in
that the waves of buffer overflow exploits took time to become mainstream. I
have seen it with other stuff like good mobile, killer apps, standards etc.
Where ideas are talked about for a long time then finally they get written,
then packaged and products, then mass adoption after a certain time.

I would argue that when it became a game, people played, competition
stifled... The article states “Smashing the Stack for Fun and Profit” was
released and then many examples spawned, which further spawned more and more
ad infinitum.

I mean which one piques your interest:

- COMPUTER SECURITY TECHNOLOGY PLANNING STUDY

OR

- “Smashing the Stack for Fun and Profit”

Game it...

~~~
viraptor
> took time to become mainstream

One more important event is not mentioned. The Internet became a mainstream
thing in the mid '90s - that's more or less when the flood of buffer overflow
and format string exploits really started. Before that, network apps were
mostly created and used by people who "knew stuff" in general...

~~~
barrkel
You've pinpointed it. Without a commonly available transmission vector,
buffer overflow exploits were the hard way to get around - and if you weren't
coming from across a network, you likely already had full control over the
local machine, as it was probably running DOS, Windows 3.11, Win 95, etc. Much
easier were boot sector viruses, particularly since PCs by default tried to
boot off any floppy left in the drive when turned on; that, and infected
executables.

~~~
tptacek
No. Attacks against machines running Windows weren't common until the second
half of the '90s. Far and away the most popular targets in the earlier '90s
were NFS servers. And nobody attacked machines by trying to infect them with
boot sector malware.

~~~
barrkel
It depends on what you mean by "attack"; and I include DOS and Win 3.11. In
the early 90s, the most common viruses I saw were infected executables (i.e.
modified programs that when run, searched for other executables to infect) and
boot sector viruses, often both in one.

I worked part-time as a PC technician in the early 90s, building, upgrading
and repairing PCs. I was there :)

