This paper examines attacks against daemons. Daemons are software programs which are part of an operating system. As discussed below, they are by their nature imperfect. Because many daemons are responsible for the transmission of data between systems on the Internet, the design flaws and errors in these program are often exploited by crackers looking for a way into systems.
A modern operating system consists of a series of separate software programs. Each program is designed to handle a specific task. In Unix operating systems these programs are called processes. Processes can be foreground or background programs. Foreground processes interact with the terminal, talking to the user. Background processes run unseen by the users. They handle tasks which do not need user input or take to long for the user to wait. "Daemons are processes that execute in the background in order to: provide services to remote users, and perform internal bookkeeping and monitor security." [1] There are hundreds of daemon programs. Some such as SendMail, FTP, and Telnet are major communication tools on Internet connected servers. Others offer basic utilities in a Unix environment, such as printing and remote login. The critical role that daemons play in communications and security make them a part of the operating system that attackers look to exploit.
Many of the most popular daemons are large and complicated software programs. They have been in use for decades and are often revised and modified to stay current with new technology. As with all large software programs, it is impossible to test their operation so as to guarantee perfection. With software, "no amount of testing, no matter how thorough, can ever prove the product is defect-free." [2] The QA (Quality Assurance) testing process will assure a certain level of confidence in the operation of a program, but it can never guarantee perfection.
Errors left in the program code can be thought of as two types. First are quirks or design flaws. These are not serious programming errors. They are instances where the program gives unexpected results which may then be exploited by an attacker. The second type of imperfection is more serious. These are coding errors or bugs. Under certain conditions, the program does not function as it was designed to. Some examples of these two types of imperfections are discussed below.
Some daemon problems are simple quirks or design flaws in a program. An example is the remote login command, rlogin. When a login attempt fails because of a bad password, an error message is given. But the error message is slightly different if a real login name is used versus an invalid username. [3] The finger command has this same quirk. In ffingerd 1.19, if you finger an non-existent user, a period is added to the error message. [4] These little imperfections allow an attacker to identify legitimate login names. While this does not give access to a system, it may be the first step in an attack. Now the attacker can begin searching for passwords for these users.
A more dangerous flaw in a daemon is an outright error. The program does not behave as it was designed to. There are hundreds of these known problems. The hacker web site www.hobbie.net lists page after page of bugs, often with the necessary C code to exploit the bug. [5] Many of these attacks give the attacker root access to the target system. While many different types of programming errors are targeted in these attacks, by far the most common attack technique is a buffer overflow.
"In essence, a buffer overflow occurs when too much data is stuffed into a memory space. They are common in applications written in C. Gerhard Eschelbeck, vice president of engineering at Redwood Shores, Calif.-based Qualys Inc., compares buffer overflows to people filling in handwritten forms that allow one space for each letter of a person's name. A buffer overflow is similar to what happens when the writer does not having enough blocks for one's last name, he said. The extra "letters" or data aren't lost but written into other places in memory. This could cause the application to act oddly or shut down, creating a denial-of-service condition. It can also allow an attacker to run malicious code on the system." [6] By knowing how to create an overflow in a program, an attacker can write directly into the operating system's memory. The right code dropped into the correct spot in memory, can cause unexpected results. It may crash a process leaving the system in a vulnerable position or it may even direct an operating system to run a new process written by the attacker.
New program bugs are constantly being discovered. A recent example is "a buffer overflow in the Solaris line printer daemon (in.lpd) that may allow a remote or local attacker to crash the daemon or execute arbitrary code with super user privilege. This daemon runs with root privileges by default on all current Solaris versions." [7]
Daemons are large software programs, which by the very nature of programming will be prone to various bugs, errors, and imperfections. Because these programs control the communications links of network servers, attackers can exploit the weaknesses in daemons to gain entry and control of systems.
From the programming side, there is a need for better testing tools and more secure programming techniques. This is particularly true with buffer overflows. "It's assumed that someone programming in C would include error-checking in their code. Other languages such as Perl and Java have the utility, hence buffer overflows don't occur. On the other hand, Perl and Java don't offer access to the system that is as deep as some programs need. ... Better programmer training and education would minimize buffer overflows. Certain C functions such as string copy need to be avoided in order to minimize buffer overflows. There are code-auditing tools that look for such flaws, but they are still pretty early in their development." [8]
For the user, the best defense against these attacks is for systems administrators to be vigilant in maintaining software patches and to not use less secure or outdated daemon programs. The SANs / FBI Top 20 List [9] is a good starting place for administrators worried about daemon exploits. This list of the 20 most critical vulnerabilities includes many daemon imperfections, most of them buffer overflow problems.