This type of attack overflows a buffer with excessive data, which allows an attacker to run a remote shell on the computer and gain the same system privileges that are granted to the application being attacked.
An attacker can use buffer overflow attacks to corrupt the execution stack of a web application. The attacker sends carefully crafted input to a web application in order to force the web application to execute arbitrary code that allows the attacker to take over the system being attacked.
Web servers or web applications that manage the static and dynamic aspects of a site, or use graphic libraries to generate images, are vulnerable to buffer overflow attacks. Buffer overflow attacks can cause system crashes, place a system in an infinite loop, or execute code on the system in order to bypass a security service.
Signature name | Description | More information |
---|---|---|
HTTP_Accept_Language_Overflow | Detects an overflow in the HTTP ACCEPT field. pam.http.maxaccept: Maximum length of an HTTP accept field. | IBM® X-Force: Netscape Enterprise Server contains a buffer overflow in its handling of Accept headers |
HTTP_Apache_DOS | Detects an HTTP URL request containing a large number of slashes /, which might indicate an attempt by an attacker to increase the load average on an Apache httpd server. | IBM X-Force: Apache HTTP server beck exploit |
HTTP_Apache_Header_Memory_DoS | Detects an attempt to DoS a vulnerable Apache HTTP server using a request with carefully crafted HTTP headers. pam.http.header.contspace.limit: Maximum space beginning HTTP header continuation. | IBM X-Force: Apache HTTP Server HTTP GET request denial of service |
HTTP_Apache_JK2_Host_Overflow | Detects an attack against Apache web servers that support Jakarta Tomcat Connectors (mod_jk2). | IBM X-Force: Apache mod_jk2 HTTP Host header buffer overflow |
HTTP_Apache_LF_Memory_DoS | Detects an attempt to DoS a vulnerable Apache HTTP server using a request containing numerous line feed characters. | IBM X-Force: Apache HTTP Server LF (Line Feed) denial of service |
HTTP_IIS_Tilde_DoS | Detects HTTP URLs that contain a ~ (tilde) followed by a digit. Known false positives: Any request to a vulnerable server for a URL that contains ~#, where # is any digit, will cause this signature to trigger. Servers are assumed vulnerable until there is evidence that they are not vulnerable. Known false negatives: IBM X-Force believes it to be highly unlikely, although remotely possible, that this vulnerability can be entirely exploited from the Internet. In such a case, accurate detection and association of the setup before seeing the pattern associated with this event is not possible. | IBM X-Force: Microsoft Internet Information Services URL parser buffer overflow |
HTTP_LDAP_Mod_Rewrite_BO | Checks for an off-by-one buffer overflow in the LDAP scheme handling function. | IBM X-Force: Apache mod_rewrite off-by-one buffer overflow |
HTTP_Lighttpd_Header_Overflow | Detects HTTP requests that contain long header data that might allow a remote attacker to execute arbitrary code on the victim's system by overflowing a buffer in the mod_fastcgi extension of the Lighttpd server. pam.http.lighttpd.hdr.limit: Sets the maximum HTTP header size before the HTTP_Lighttpd_Header_Overflow signature is reported. | IBM X-Force: lighttpd mod_fastcgi code execution |
HTTP_Netscape_Revlog | Detects an HTTP REVLOG request, which might indicate an attacker's attempt to crash or otherwise disrupt the service of a Netscape Enterprise web server. | IBM X-Force: Netscape Enterprise Server REVLOG denial of service |
HTTP_Oracle2_BO | Detects attempts to overflow a buffer within Oracle Application Server by sending large URL parameters in GET requests to default AS ports. | IBM X-Force: Oracle Application Server emagent.exe buffer overflow |
HTTP_PHPNuke_Index_File | Detects an HTTP URL that contains the string */*.php and that also has an argument that begins with file=http:. | IBM X-Force: PHP-Nuke index.php allows remote attackers to execute arbitrary commands from an included file |
HTTP_PHPNuke_ModulesPhp_DOS | Detects an HTTP URL that contains the string */modules.php and that also has a query string that begins with op=modload&name=../&file=modules. | IBM X-Force: PHP-Nuke modules.php remote denial of service |
HTTP_PHPNuke_Prefix_Admin | Detects an HTTP URL that contains the string */*.php and that also has a query string that begins with prefix=*. | IBM X-Force: PHP-Nuke $prefix variable could allow a remote attacker to gain administrative access |
HTTP_POST_repeated_char | Detects HTTP POST data that contains a repeated character. This might indicate an attacker's attempt to overflow a buffer and execute arbitrary code. | IBM X-Force: HTTP POST contains repeated characters |
HTTP_Tomcat_URI_Overflow | Detects a URI of at least 4096 characters in an HTTP request that might be going to a Tomcat server. | IBM X-Force: Apache Tomcat JK Web Server Connector map_uri_to_worker() buffer overflow |
HTTP_URL_repeated_char | Detects URLs that have a large number of consecutive, identical characters. Such sequences can indicate an attacker's attempt to overflow a buffer. pam.name.maxrepeatedchar: Maximum repeated character for a number of events. | IBM X-Force: HTTP URL contains repeated characters |
HTTP_WebDAV_Long_Rqst_DOS | Detects a specific HTTP URL. This signature searches for an HTTP WebDAV method PROPFIND or SEARCH with a content-type of 'text/xml' and a content-length of greater than 48000 bytes. This signature replaces HTTP_WebDAV_Overflow. | IBM X-Force: Microsoft IIS WebDAV long invalid request denial of service |
HTTP_WebDAV_XML_Attribute_DoS | Detects a WebDAV command with an unusually large number of XML attributes. This might indicate an attempt to cause a denial of service on some IIS web servers. | IBM X-Force: Microsoft Internet Information Server WebDAV multiple attributes per XML elements cause denial of service |
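
The following sketch is an added example, not IBM code and not how the product implements these signatures. It approximates the conditions that five of the table's descriptions state, so the same checks can be tried against web server logs or test traffic. The values 4096 and 48000 come from the table; `MAX_REPEATED_CHAR`, `MAX_SLASHES`, the function names and the sample requests are assumptions made for illustration.

```python
import re

# 4096 and 48000 are taken from the signature descriptions in the table.
TOMCAT_URI_MIN = 4096
WEBDAV_BODY_MAX = 48000
# Assumed values: the page names pam.name.maxrepeatedchar but gives no default,
# and says only "a large number of slashes" for HTTP_Apache_DOS.
MAX_REPEATED_CHAR = 100
MAX_SLASHES = 200
TILDE_DIGIT = re.compile(r"~\d")

def longest_run(s):
    """Length of the longest run of one identical character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best

def match_signatures(method, url, headers):
    """Names of the approximated signatures that a request would match."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = []
    if len(url) >= TOMCAT_URI_MIN:
        hits.append("HTTP_Tomcat_URI_Overflow")
    if longest_run(url) > MAX_REPEATED_CHAR:
        hits.append("HTTP_URL_repeated_char")
    if url.count("/") > MAX_SLASHES:
        hits.append("HTTP_Apache_DOS")
    if TILDE_DIGIT.search(url):
        # Matches any ~<digit>, including benign URLs (the known false positive).
        hits.append("HTTP_IIS_Tilde_DoS")
    if method.upper() in ("PROPFIND", "SEARCH"):
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        try:
            clen = int(hdrs.get("content-length", "0"))
        except ValueError:
            clen = 0  # unparsable length: treat as absent
        if ctype == "text/xml" and clen > WEBDAV_BODY_MAX:
            hits.append("HTTP_WebDAV_Long_Rqst_DOS")
    return hits

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/index.html", {"Host": "www.example.test"}),
    ("GET", "/" + "A" * 5000, {"Host": "www.example.test"}),
    ("GET", "/docs/report~1.htm", {"Host": "www.example.test"}),
    ("PROPFIND", "/dav/", {"Content-Type": "text/xml", "Content-Length": "60000"}),
]
if __name__ == "__main__":
    for method, url, headers in SAMPLES:
        print(method, url[:40], match_signatures(method, url, headers))
```

The third sample is an ordinary-looking URL that still matches HTTP_IIS_Tilde_DoS, which is the false-positive behavior the table describes for that signature.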