312-50 Practice Test Questions

763 Questions


Topic 20, Buffer Overflows

StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and
Microsoft's /GS option use _____ defense against buffer overflow attacks.


A.

Canary


B.

Hex editing


C.

Format checking


D.

Non-executing stack





A.
  

Canary



Explanation: Canaries or canary words are known values placed between a buffer and
the control data (saved frame pointer and return address) on the stack. The function
epilogue compares the canary against its expected value before returning; an overflow
that reaches the return address must first clobber the canary, which makes the overflow
evident. The name is a reference to the historic practice of using canaries in coal
mines, since they were affected by toxic gases earlier than the miners, providing a
biological warning system.

Joseph was the Web site administrator for the Mason Insurance in New York, whose
main Web site was located at www.masonins.com. Joseph uses his laptop computer
regularly to administer the Web site. One night, Joseph received an urgent phone
call from his friend, Smith. According to Smith, the main Mason Insurance web site
had been vandalized! All of its normal content was removed and replaced with an
attacker's message ''Hacker Message: You are dead! Freaks!''
From his office, which was directly connected to Mason Insurance's internal
network, Joseph surfed to the Web site using his laptop. In his browser, the Web site
looked completely intact. No changes were apparent. Joseph called a friend of his at
his home to help troubleshoot the problem. The Web site appeared defaced when his
friend visited using his DSL connection. So, while Smith and his friend could see the
defaced page, Joseph saw the intact Mason Insurance web site. To help make sense
of this problem, Joseph decided to access the Web site using his dial-up ISP. He
disconnected his laptop from the corporate internal network and used his modem to
dial up the same ISP used by Smith. After his modem connected, he quickly typed
www.masonins.com in his browser to reveal the following web page:
H@cker Mess@ge:
Y0u @re De@d! Fre@ks!
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to
the internal network, and used Secure Shell (SSH) to log in directly to the Web
server. He ran Tripwire against the entire Web site, and determined that every
system file and all the Web content on the server were intact.

How did the attacker accomplish this hack?


A.

ARP spoofing


B.

SQL injection


C.

DNS poisoning


D.

 Routing table injection






C.
  

DNS poisoning



Explanation: External requests for the Web site have been redirected to another server
by a successful DNS poisoning. Clients on the internal network resolve www.masonins.com
through the corporate resolver, which still holds the correct record, while the ISP's
resolver answers with a poisoned record pointing at the attacker's server. Tripwire
confirming that every file on the real server is intact rules out a defacement of the
host itself.

You have been using the msadc.pl attack script to execute arbitrary commands on
an NT4 web server. While it is effective, you find it tedious to perform extended
functions. On further research you come across a Perl script that runs the following
msadc functions:

What kind of exploit is indicated by this script?


A.

A buffer overflow exploit.


B.

A SUID exploit.


C.

A SQL injection exploit.


D.

 A chained exploit.


E.

A buffer underrun exploit.





D.
  

 A chained exploit.



Which of the following statements about a zone transfer are correct? (Choose three.)


A.

A zone transfer is accomplished with the DNS


B.

 A zone transfer is accomplished with the nslookup service


C.

A zone transfer passes all zone information that a DNS server maintains


D.

A zone transfer passes all zone information that a nslookup server maintains


E.

A zone transfer can be prevented by blocking all inbound TCP port 53 connections


F.

Zone transfers cannot occur on the Internet





A.
  

A zone transfer is accomplished with the DNS



C.
  

A zone transfer passes all zone information that a DNS server maintains



E.
  

A zone transfer can be prevented by blocking all inbound TCP port 53 connections



Explanation: A zone transfer (AXFR) is the DNS operation by which a secondary server
requests the complete contents of a zone from the primary. It runs over TCP port 53,
whereas ordinary queries normally use UDP port 53, so blocking inbound TCP 53 from
untrusted networks prevents an outsider from requesting one. The more precise control is
to restrict transfers on the server itself to the addresses of the legitimate
secondaries, since a blanket TCP 53 block also breaks the TCP fallback used for large
responses. Securing DNS servers should be a priority of the organization: an attacker who
obtains the zone learns hostnames and addresses across the organization, and that
information can be used to further exploit the network.

Bob has a good understanding of cryptography, having worked with it for many
years. Cryptography is used to secure data from specific threats, but it does not
secure the application from coding errors. It can provide data privacy and integrity
and enable strong authentication, but it cannot mitigate programming errors. What is a
good example of a programming error that Bob can use to explain to management how
encryption will not address all their security concerns?


A.

Bob can explain that using a weak key management technique is a form of programming
error


B.

Bob can explain that using passwords to derive cryptographic keys is a form of a
programming error


C.

Bob can explain that a buffer overflow is an example of programming error and it is a
common mistake associated with poor programming technique


D.

 Bob can explain that a random number generation can be used to derive cryptographic
keys but it uses a weak seed value and this is a form of a programming error





C.
  

Bob can explain that a buffer overflow is an example of programming error and it is a
common mistake associated with poor programming technique



Explanation: In computer security and programming, a buffer overflow, or buffer overrun,
is a programming error in which data written to a buffer exceeds its bounds and
overwrites adjacent memory. It may result in a memory access exception and program
termination, or, when the input is supplied by a malicious user, a breach of system
security.

SNMP is a connectionless protocol that uses UDP instead of TCP. (True or False)


A.

True


B.

False






A.
  

True



Explanation: SNMP runs over UDP (port 161 for requests to agents, port 162 for traps).
TCP and UDP both provide transport services, but UDP was preferred because TCP is a
comparatively complex protocol that consumes memory and CPU for connection state, timers
and retransmission, whereas UDP is simple to build and run. For small devices such as
repeaters and modems, vendors have built minimal versions of IP and UDP for this reason.

Which programming language is NOT vulnerable to buffer overflow attacks?


A.

Java


B.

ActiveX


C.

C++


D.

Assembly Language





A.
  

Java



Explanation: Perl and Java perform bounds checking on array and string accesses (Java
throws an ArrayIndexOutOfBoundsException rather than writing past the end of an array),
so the classic buffer overflow does not occur in pure Java or Perl code. The trade-off is
that Perl and Java do not offer access to the system that is as deep as some programs
need; native code reached through JNI or XS is still exposed.

A network admin contacts you. He is concerned that ARP spoofing or poisoning
might occur on his network. What are some things he can do to prevent it?
Select the best answers.


A.

Use port security on his switches.


B.

Use a tool like ARPwatch to monitor for strange ARP activity.


C.

Use a firewall between all LAN segments.


D.

 If you have a small network, use static ARP entries.


E.

 Use only static IP addresses on all PC's.





A.
  

Use port security on his switches.



B.
  

Use a tool like ARPwatch to monitor for strange ARP activity.



D.
  

 If you have a small network, use static ARP entries.



Explanation:
By using port security on his switches, each switch port will only accept frames from the
first MAC address (or a configured set) seen on that port, which stops an attacker from
plugging in and impersonating other stations; on switches that support it, Dynamic ARP
Inspection adds the check that ARP replies match the DHCP snooping bindings. ARPwatch is
a tool that monitors for strange ARP activity, such as a MAC address changing for a known
IP, and may identify ARP spoofing when it happens. Using firewalls between all LAN
segments is possible and may help, but is usually pretty unrealistic. On a very small
network, static ARP entries are a possibility; on a large network, this is not a
realistic option. ARP spoofing does not depend on whether hosts use static or dynamic IP
addresses, so that option will not help.

Which of the following built-in C/C++ functions should you avoid to protect your
program from buffer overflow attacks?


A.

 strcpy()


B.

strcat()


C.

streadd()


D.

strscock()





A.
  

 strcpy()



B.
  

strcat()



C.
  

streadd()



Explanation: When hunting buffer overflows, the first thing to look for is functions which
write into arrays without any way to know the amount of space available. If you get to
define the function, you can pass a length parameter in, or ensure that every array you
ever pass to it is at least as big as the hard-coded maximum amount it will write. If you're
using a function someone else (like, say, the compiler vendor) has provided then avoiding
functions like gets(), which take some amount of data over which you have no control and
stuff it into arrays they can never know the size of, is a good start. Make sure that functions
like the str...() family which expect NUL-terminated strings actually get them - store a \0 in
the last element of each array involved just before you call the function, if necessary.
streadd() is a Solaris libgen routine that expands a string into a destination buffer
without taking a size argument, so it belongs to the same unbounded family. strscock()
is not a valid C/C++ function.

A simple compiler technique is to add a terminator 'canary word' containing four
bytes, NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff), at which most string
operations terminate. If the canary word has been altered when the function returns,
and the program responds by emitting an intruder alert into syslog and then halts,
what does this indicate?


A.

The system has crashed


B.

A buffer overflow attack has been attempted


C.

A buffer overflow attack has already occurred


D.

A firewall has been breached and this is logged


E.

An intrusion detection system has been triggered





B.
  

A buffer overflow attack has been attempted



Explanation: Terminator canaries are based on the observation that most buffer overflows
and stack-smashing attacks are carried out through string operations that end at
terminators. The canary is therefore built of the terminator bytes NUL, CR, LF and -1:
a strcpy()-style copy that tries to rewrite the canary with its own known value stops at
the NUL byte and can never reach the return address behind it. The undesirable result is
that the canary value is known to the attacker, so the protection relies entirely on that
terminating behaviour and does not help against copies that are not NUL-terminated, such
as memcpy().
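The check described in this answer and in the StackGuard canary answer at the top of
this page, as an added C example (not code from the exam, StackGuard or any compiler).
It simulates a stack frame as a struct so the behaviour is portable and deterministic:
the canary, the placeholder return address value and the two payloads are all
constructed for the demonstration. The copy routine deliberately has no length check,
mirroring strcpy(), and stops only after copying a NUL byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The terminator canary from the question: NUL, CR, LF, 0xff (-1). */
static const unsigned char TERMINATOR_CANARY[4] = { 0x00, 0x0d, 0x0a, 0xff };

/* A simulated stack frame. The canary sits between the local buffer and
 * the control data, as StackGuard places it. saved_ret is a placeholder
 * integer standing in for the saved return address, not a real address. */
struct frame {
    char buf[16];
    unsigned char canary[4];
    uintptr_t saved_ret;
};

#define FAKE_RET 0x1000u   /* constructed placeholder value */

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, TERMINATOR_CANARY, sizeof f->canary);
    f->saved_ret = FAKE_RET;
}

/* The epilogue check: 1 if the canary still holds its known value. */
int canary_intact(const struct frame *f) {
    return memcmp(f->canary, TERMINATOR_CANARY, sizeof f->canary) == 0;
}

/* strcpy()-like copy with no length check (the vulnerable pattern). It
 * writes through a byte view of the whole frame, so the overflow stays
 * inside one C object while still running past the end of buf. As with
 * strcpy(), copying stops right after the first NUL byte is copied. */
static void vulnerable_strcpy(struct frame *f, const char *src) {
    unsigned char *p = (unsigned char *)f + offsetof(struct frame, buf);
    size_t limit = sizeof(struct frame) - offsetof(struct frame, buf);
    for (size_t i = 0; i < limit; i++) {
        p[i] = (unsigned char)src[i];
        if (src[i] == '\0')
            break;
    }
}

/* Returns 1 if the canary check fires after copying payload into a frame. */
int overflow_detected(const char *payload) {
    struct frame f;
    frame_init(&f);
    vulnerable_strcpy(&f, payload);
    return !canary_intact(&f);
}

/* Returns the saved-return-address slot after copying payload into a frame. */
uintptr_t saved_ret_after(const char *payload) {
    struct frame f;
    frame_init(&f);
    vulnerable_strcpy(&f, payload);
    return f.saved_ret;
}

/* Constructed payloads. PLAIN_SMASH is 40 bytes of 'A'. CANARY_REWRITE is
 * an attacker filling the buffer, then supplying the known canary value and
 * a new return address; the copy stops at the canary's own 0x00 byte. */
const char PLAIN_SMASH[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
const char CANARY_REWRITE[] = "AAAAAAAA" "AAAAAAAA" "\x00\x0d\x0a\xff" "\x37\x13\x00\x00";

int main(void) {
    printf("plain smash:    detected=%d saved_ret=0x%lx\n",
           overflow_detected(PLAIN_SMASH),
           (unsigned long)saved_ret_after(PLAIN_SMASH));
    printf("canary rewrite: detected=%d saved_ret=0x%lx\n",
           overflow_detected(CANARY_REWRITE),
           (unsigned long)saved_ret_after(CANARY_REWRITE));
    return 0;
}
```

The plain smash overwrites the canary with 0x41414141 and the return slot with 'A's, and
the check fires: this is the "attack attempted" case from the answer. The rewrite attempt
leaves both the canary and the return slot untouched, because the copy cannot get past
the NUL, which is exactly why the canary value can be public.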

What is the following command used for?
net use \\target\ipc$ "" /u:""


A.

Grabbing the etc/passwd file


B.

Grabbing the SAM


C.

Connecting to a Linux computer through Samba.


D.

 This command is used to connect as a null session


E.

 Enumeration of Cisco routers






D.
  

 This command is used to connect as a null session



Explanation: The command maps the IPC$ share on the target with an empty user name and
an empty password, which is a null session. The null session was one of the most
debilitating vulnerabilities faced by Windows, since it allowed anonymous enumeration of
users, shares and policies. Null sessions are established over SMB on TCP ports 139 and
445; port 135 (MSRPC) is usually enumerated alongside them.

Choose one of the following pseudo codes to describe this statement:
If we have written 200 characters to the buffer variable, the stack should stop
because it cannot hold any more data.


A.

 If (I > 200) then exit (1)


B.

If (I < 200) then exit (1)


C.

 If (I <= 200) then exit (1)


D.

 If (I >= 200) then exit (1)





D.
  

 If (I >= 200) then exit (1)
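The bounds check the pseudocode describes, together with the replacements for the
unbounded strcpy()/strcat() calls from the earlier question, as an added C example (not
code from the exam). For a 200-byte buffer the valid indices are 0 through 199, so
refusing to write once i >= 200 keeps raw bytes in bounds; a C string also needs room
for its terminating NUL, which is why the copy below stops one byte earlier. The buffer
size and the 'A'/'B' test inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200   /* the 200-byte buffer from the question */

/* Copy src into dst, which has room for cap bytes. The write at index i
 * is refused once i >= cap - 1, so the terminating NUL always fits; this
 * is the "if (i >= 200) then exit(1)" guard turned into a function that
 * reports truncation instead of exiting. Returns the bytes copied. */
size_t bounded_copy(char *dst, size_t cap, const char *src, int *truncated) {
    size_t i = 0;
    if (cap == 0) {
        if (truncated) *truncated = 1;
        return 0;
    }
    while (src[i] != '\0') {
        if (i >= cap - 1) {       /* next write would overrun: stop here */
            dst[i] = '\0';
            if (truncated) *truncated = 1;
            return i;
        }
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    if (truncated) *truncated = 0;
    return i;
}

/* strcat() replacement with the same guard: find the current end of dst
 * without trusting it to be terminated within cap, then copy after it. */
size_t bounded_append(char *dst, size_t cap, const char *src, int *truncated) {
    size_t used = 0;
    while (used < cap && dst[used] != '\0')
        used++;
    if (used >= cap) {            /* dst is not even terminated: refuse */
        if (truncated) *truncated = 1;
        return used;
    }
    return used + bounded_copy(dst + used, cap - used, src, truncated);
}

/* Constructed check: n bytes of 'A' copied into a BUF_SIZE buffer.
 * Returns 1 if the whole input fit without truncation. */
int input_fits(size_t n) {
    char src[512];
    char dst[BUF_SIZE];
    int truncated = 0;
    if (n >= sizeof src) return 0;
    memset(src, 'A', n);
    src[n] = '\0';
    bounded_copy(dst, sizeof dst, src, &truncated);
    return truncated == 0 && strlen(dst) == n;
}

/* Constructed check: a bytes of 'A' copied, then b bytes of 'B' appended.
 * Returns the final string length, which can never exceed BUF_SIZE - 1. */
size_t appended_len(size_t a, size_t b) {
    char src[512];
    char dst[BUF_SIZE];
    if (a >= sizeof src || b >= sizeof src) return 0;
    memset(src, 'A', a);
    src[a] = '\0';
    bounded_copy(dst, sizeof dst, src, NULL);
    memset(src, 'B', b);
    src[b] = '\0';
    bounded_append(dst, sizeof dst, src, NULL);
    return strlen(dst);
}

int main(void) {
    printf("199 bytes fit: %d\n", input_fits(199));
    printf("200 bytes fit: %d\n", input_fits(200));
    printf("150 + 100 appended -> length %zu\n", appended_len(150, 100));
    return 0;
}
```

Unlike strncpy(), bounded_copy() always terminates the destination, and unlike strcat()
bounded_append() first confirms that the destination is terminated within its capacity
before it looks for the end; reporting truncation to the caller, rather than silently
cutting the data, is what lets the program decide whether to reject the input.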



