Buffer overflow attacks overflow a buffer with excessive data. This type of attack can allow an attacker to run a remote shell on the computer and gain the same system privileges that are granted to the application being attacked.
An attacker uses buffer overflow attacks to corrupt the execution stack of a web application. The attacker sends carefully crafted input to the web application to force it to execute arbitrary code, which allows the attacker to take over the attacked system.
Web servers or web applications that manage the static and dynamic aspects of a site, or that use graphic libraries to generate images, are vulnerable to buffer overflow attacks. Buffer overflow attacks can cause system crashes, place a system in an infinite loop, or execute code on the system to bypass a security service.
Signature name | Description | More information |
---|---|---|
HTTP_Accept_Language_Overflow | Detects an overflow in the HTTP ACCEPT field. pam.http.maxaccept: Maximum length of an HTTP accept field. | IBM® X-Force®: Netscape Enterprise Server contains a buffer overflow in its handling of Accept headers |
HTTP_Apache_DOS | Detects an HTTP URL request that contains many slashes (/), which might indicate an attempt by an attacker to increase the load average on an Apache httpd server. | IBM X-Force: Apache HTTP server beck exploit |
HTTP_Apache_Header_Memory_DoS | Detects an attempt to DoS a vulnerable Apache HTTP server by using a request with carefully crafted HTTP headers. pam.http.header.contspace.limit: Maximum space beginning an HTTP header continuation. | IBM X-Force: Apache HTTP Server HTTP GET request denial of service |
HTTP_Apache_JK2_Host_Overflow | Detects an attack against Apache web servers that support Jakarta Tomcat Connectors (mod_jk2). | IBM X-Force: Apache mod_jk2 HTTP Host header buffer overflow |
HTTP_Apache_LF_Memory_DoS | Detects an attempt to DoS a vulnerable Apache HTTP server by using a request that contains numerous line feed characters. | IBM X-Force: Apache HTTP Server LF (Line Feed) denial of service |
HTTP_IIS_Tilde_DoS | Detects HTTP URLs that contain a ~ (tilde) followed by a digit. Known false positives: Any request to a vulnerable server for a URL that contains ~#, where # is any digit, causes this signature to trigger. Servers are assumed vulnerable until there is evidence that they are not vulnerable. Known false negatives: IBM X-Force believes it to be highly unlikely, although remotely possible, that this vulnerability can be entirely exploited from the Internet. In such cases, accurate detection and association of the setup before you see the pattern associated with this event is not possible. | IBM X-Force: Microsoft Internet Information Services URL parser buffer overflow |
HTTP_LDAP_Mod_Rewrite_BO | Checks for an off-by-one buffer overflow in the LDAP scheme handling function. | IBM X-Force: Apache mod_rewrite off-by-one buffer overflow |
HTTP_Lighttpd_Header_Overflow | Detects HTTP requests that contain long header data that might allow a remote attacker to execute arbitrary code on the victim's system by overflowing a buffer in the mod_fastcgi extension of the Lighttpd server. pam.http.lighttpd.hdr.limit: Sets the maximum HTTP header size before the HTTP_Lighttpd_Header_Overflow signature is reported. | IBM X-Force: lighttpd mod_fastcgi code execution |
HTTP_Netscape_Revlog | Detects an HTTP REVLOG request, which might indicate an attacker's attempt to crash or otherwise disrupt the service of a Netscape Enterprise web server. | IBM X-Force: Netscape Enterprise Server REVLOG denial of service |
HTTP_Oracle2_BO | Detects attempts to overflow a buffer within Oracle Application Server by sending large URL parameters in GET requests to default AS ports. | IBM X-Force: Oracle Application Server emagent.exe buffer overflow |
HTTP_PHPNuke_Index_File | Detects an HTTP URL that contains the string */*.php and that also has an argument that begins with file=http:. | IBM X-Force: PHP-Nuke index.php allows remote attackers to execute arbitrary commands from an included file |
HTTP_PHPNuke_ModulesPhp_DOS | Detects an HTTP URL that contains the string */modules.php and that also has a query string that begins with op=modload&name=../&file=modules. | IBM X-Force: PHP-Nuke modules.php remote denial of service |
HTTP_PHPNuke_Prefix_Admin | Detects an HTTP URL that contains the string */*.php and that also has a query string that begins with prefix=*. | IBM X-Force: PHP-Nuke $prefix variable could allow a remote attacker to gain administrative access |
HTTP_POST_repeated_char | Detects HTTP POST data that contains a repeated character. This trigger might indicate an attacker's attempt to overflow a buffer and execute arbitrary code. | IBM X-Force: HTTP POST contains repeated characters |
HTTP_Tomcat_URI_Overflow | Detects a URI of at least 4096 characters in an HTTP request that might be going to a Tomcat server. | IBM X-Force: Apache Tomcat JK Web Server Connector map_uri_to_worker() buffer overflow |
HTTP_URL_repeated_char | Detects URLs that have many consecutive, identical characters. Such sequences can indicate an attacker's attempt to overflow a buffer. pam.name.maxrepeatedchar: Maximum number of repeated characters for a number of events. | IBM X-Force: HTTP URL contains repeated characters |
HTTP_WebDAV_Long_Rqst_DOS | Detects a specific HTTP URL. This signature searches for an HTTP WebDAV method PROPFIND or SEARCH with a content-type of 'text/xml' and a content-length of greater than 48000 bytes. This signature replaces HTTP_WebDAV_Overflow. | IBM X-Force: Microsoft IIS WebDAV long invalid request denial of service |
HTTP_WebDAV_XML_Attribute_DoS | Detects a WebDAV command with an unusually large number of XML attributes. This trigger might indicate an attempt to cause a denial of service on some IIS web servers. | IBM X-Force: Microsoft Internet Information Server WebDAV multiple attributes per XML elements cause denial of service |
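As an added illustration, not IBM's signature engine, the following Python reimplements the matching conditions of seven of the signatures in this table over raw HTTP requests, so the length and repeated-character triggers can be exercised on constructed input. The 4096-character URI and 48000-byte WebDAV thresholds come from the table; the values assumed for pam.name.maxrepeatedchar, pam.http.maxaccept and pam.http.lighttpd.hdr.limit are placeholders, since the page gives no defaults.

```python
import re
# Thresholds: the 4096-char URI and 48000-byte WebDAV body are from the signature
# descriptions; the pam.* tunables have no default on the page, so these are assumed.
LIMITS = {
    "pam.name.maxrepeatedchar": 100,      # assumed
    "pam.http.maxaccept": 256,            # assumed
    "pam.http.lighttpd.hdr.limit": 8192,  # assumed
}

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, url, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body

def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character in s."""
    runs = (len(m.group(0)) for m in re.finditer(r"(.)\1*", s, re.DOTALL))
    return max(runs, default=0)

def check_request(raw: bytes) -> list[str]:
    """Return the names of the table's signatures this request would trigger."""
    method, url, headers, body = parse_request(raw)
    hits = []
    if len(url) >= 4096:                  # URI of at least 4096 characters
        hits.append("HTTP_Tomcat_URI_Overflow")
    if longest_run(url) > LIMITS["pam.name.maxrepeatedchar"]:
        hits.append("HTTP_URL_repeated_char")
    if re.search(r"~\d", url):            # fires on any ~digit: the known false positive
        hits.append("HTTP_IIS_Tilde_DoS")
    if len(headers.get("accept", "")) > LIMITS["pam.http.maxaccept"]:
        hits.append("HTTP_Accept_Language_Overflow")
    if sum(len(k) + len(v) for k, v in headers.items()) > LIMITS["pam.http.lighttpd.hdr.limit"]:
        hits.append("HTTP_Lighttpd_Header_Overflow")
    if (method in ("PROPFIND", "SEARCH") and headers.get("content-type", "").startswith("text/xml")
            and int(headers.get("content-length", "0")) > 48000):
        hits.append("HTTP_WebDAV_Long_Rqst_DOS")
    if method == "POST" and longest_run(body.decode("latin-1")) > LIMITS["pam.name.maxrepeatedchar"]:
        hits.append("HTTP_POST_repeated_char")
    return hits

# Constructed sample requests, not captured traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
LONG_URI = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
WEBDAV = b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/xml\r\nContent-Length: 60000\r\n\r\n"
```

A single long URI trips both the Tomcat length check and the repeated-character check, which is why an IPS reports several signatures for one request.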