[Sinned]

Hello everyone,

I'm working on a server, running on a linux OS.
I'm developing it in C/C++.

Now I read something about worms, so I got worrying.
I've read they send code to the server and the server executes this.

But why should a server-program execute this code?
When a server only reads the client input into a "char*", and handle the bytes, this doesn't get executed, does it?

But because worms have been (and still are) a problem, I wonder why this could be a problem.

I hope someone could explain me something about this topic, so I can make my server resistant.

Thanks in advance,

Sinned

[Martyr2]

Computer worms move through networks using replication, not remote code execution. It isn't that a computer sends a server char * and it executes that statement it is that a computer program is sent to the server and stored. From there it is then transmits the program to other computers.

The danger here is that once the program is sitting on a computer it can open up a channel to the attacker and accept commands to do something within the system.

It would be like I give you a program called abc.exe and you (the server) gladly save it to your hard drive. Without you knowing abc.exe then sends itself to your friend to save. At some later time abc.exe executes and does something like launch a virus or open a TCP connection back to me and I tell it to do things for me like monitor for passwords being thrown around on the network or phishing etc.

Worms are typically a bit easier to detect and destroy since they aren't really attached to other executable files. Where a virus attaches itself to other files that may be legit. Worms can also be detected during transit and stopped by packet filtering or at a hardware level in routers etc.

I hope that clears things up for you.

This post has been edited by Martyr2: 10 January 2012 - 11:51 AM

[Sinned]

It clears things up a bit.

But I still got some questions.

In 2001 there was a worm detected, this was called "Code Red".
Code Red sends requests to web-servers.
And by my knowledge web-servers doesn't store anything coming from the client.

Also, even if the executable worm file was stored on the server, it does not have to get executed. ?
A file is just an amount of bytes, if the server handles it like this, it still has nothing to worry about, does it?

I hope you could explain me a bit more about this?

[modi123_1]

Quote

And by my knowledge web-servers doesn't store anything coming from the client.

Sure.. but remember it's a computer system.. *some how* files are installed on it, right? FTP, drag and drop, email, or even executable code can reside in memory.. or hell just have the computer/server reach out to infected file as the file would reside somewhere else!

Quote

Also, even if the executable worm file was stored on the server, it does not have to get executed. ?

No.. it needs to be executed or at least a process running in memory.

Quote

A file is just an amount of bytes, if the server handles it like this, it still has nothing to worry about, does it?

No.. there's plenty of working to do.

Essentially it means you keep your crap updated... security patches, firewall patches, etc. Limit user access and harden accounts.

[GunnerInc]

Quote

But why should a server-program execute this code?

Simple answer - Buffer overflows. (Which boils down to sloppy programming)

That is why you should always make sure your software is up to date. Exploits are found and fixed.
You could use shellcode to root a server or run commands. NOP sleds are interesting.

[Sinned]

modi123_1, on 10 January 2012 - 02:10 PM, said:

Quote

Also, even if the executable worm file was stored on the server, it does not have to get executed. ?

No.. it needs to be executed or at least a process running in memory.

I'm sorry, I formulated this question wrong.
I meant: Only a file gets stored, this does never get executed, so what is the problem?

But so you all are saying, the only dangerous things are tools like SSH and FTP?

Or buffer overflow, which I definitely have to prevent in my code.

Then I almost understand it, and how I can protect my server.

But I still don't understand:
How could the overflow in a buffer gets executed?

[modi123_1]

Wait.. so cross site scripting, forcing a process to access an external file... the users... exploits that access a file... these don't exist on your system? Amazing!

Quote

I meant: Only a file gets stored, this does never get executed, so what is the problem?

You don't have files on your system that get executed? Never? Never is an OS running? Never is a file served? A process that spins up? Nothing at all?

Quote

How could the overflow in a buffer gets executed?

The traditional way is a buffer is flooded and execution is jumped to a malicious application.

[Sinned]

modi123_1, on 11 January 2012 - 07:46 AM, said:

Wait.. so cross site scripting, forcing a process to access an external file... the users... exploits that access a file... these don't exist on your system? Amazing!

Yes, it is amazing!

My server isn't built as http-server, but however a server is a server, such as a http-server.

And no, my server isn't accessing any files, only it's own and some shared libraries.
So the only file loading happens native by the OS (loading libraries).
For storing all information I use MySQL databases. (Which is located elsewhere)
And my server really does not call an other executable file on the disk.

modi123_1, on 11 January 2012 - 07:46 AM, said:

Quote

I meant: Only a file gets stored, this does never get executed, so what is the problem?

You don't have files on your system that get executed? Never? Never is an OS running? Never is a file served? A process that spins up? Nothing at all?

Such as I said, only the OS, and my only files gets executed.
By my knowledge nobody can add a file to my system, which should possibly could get invoked on start-up.

And the processes which are spinning up is just the OS, and my server, which doesn't execute anything else after it.

modi123_1, on 11 January 2012 - 07:46 AM, said:

Quote

How could the overflow in a buffer gets executed?

The traditional way is a buffer is flooded and execution is jumped to a malicious application.

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflow.

But so, my server should be completely safe, and not susceptible for a worm?

This post has been edited by Sinned: 11 January 2012 - 08:07 AM

[modi123_1]

Quote

My server isn't built as http-server, but however a server is a server, such as a http-server.

Okay dude, I don't get what you are saying. Explain the setup of this box.

Quote

And no, my server isn't accessing any files, only it's own and some shared libraries.

... and that's enough.

Quote

So the only file loading happens native by the OS (loading libraries).

That's enough to exploit.

Quote

For storing all information I use MySQL databases. (Which is located elsewhere)

That's enough to exploit.

Quote

And my server really does not call an other executable file on the disk.

That's enough to exploit.

Quote

Such as I said, only the OS, and my only files gets executed.

That's enough to exploit.

Quote

By my knowledge nobody can add a file to my system, which should possibly could get invoked on start-up.

Famous last words.

Quote

And the processes which are spinning up is just the OS, and my server, which doesn't execute anything else after it.

That's enough to exploit.

Quote

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflow.

The gist is you push enough of a specific command into a buffer and at the end a file location and an execute command. The buffer jumps through those specific commands and then hits the execute and does it.

Quote

But so, my server should be completely safe, and not susceptible for a worm?

Sure.. yeah.. what ever. Go read up on worms and virus vectors.

[Sinned]

Yeah, I don't really know anything about viruses and worms.

So I posted this topic, to let me explain something about it.

But you say:
When a computer is running an Operating System and is connected to the internet, a worm can get in.

And then my server is the second point of worrying.

But this is just the thing I don't understand.
By my knowledge a file only gets executed when someone orders him to do.
And also a file could get written when someone give orders to do that.

modi123_1, on 11 January 2012 - 08:29 AM, said:

Quote

But so, my server should be completely safe, and not susceptible for a worm?

Sure.. yeah.. what ever. Go read up on worms and virus vectors.

Do you have a suggestion where to find information about worms and viruses?

[modi123_1]

Quote

Yeah, I don't really know anything about viruses and worms.
So I posted this topic, to let me explain something about it.

*sigh* I thought smelled uninformed... So you are just making assumptions and flailing your hands around saying you have taken measures. Ah.. good to know.

You still haven't explained your server box at any level.

Quote

But you say:
When a computer is running an Operating System and is connected to the internet, a worm can get in.

yes.. a machine can be cracked or exploited.

Quote

But this is just the thing I don't understand.
By my knowledge a file only gets executed when someone orders him to do.
And also a file could get written when someone give orders to do that.

Yes.. and the person giving those orders is the person attacking your machine... or an idiot user... or a sibling.. or an unpatched process.

Quote

Do you have a suggestion where to find information about worms and viruses?

Good is always good. Just search "how does a worm work" and drop the the ones talking about the worms in the dirt. I mean seriously - this is a giant and open topic. It's not some niche subset... the research burden's on you.

[Sinned]

Alright, I'll look for information about worms.

modi123_1, on 11 January 2012 - 08:59 AM, said:

You still haven't explained your server box at any level.

Here it is:

Spoiler

The server-machine (hardware) itself isn't very special.
Technically seen it's a weak mini-PC, with a motherboard, CPU, 256MB Ram and 256MB flash-memory.
But (I think) hardware doesn't have very much to do with security.

The OS running on it is Debian 3.1
(This is an old OS, but a new OS can't run on the old server)
There is SSH installed on it (the SSH-port is only intern accessible, and I trust siblings - who also don't know the password)
Also "Make", "g++" and "gcc" are installed.
I think that's all, I believe a clean PC.

The server-software I'm writing myself in C/C++.
For now it only does:

Open server socket:
 while(true)
  accept socket, and give this to another thread.
  secure this socket with SSL (with self-signed certificate)
  reading the username and password from the client, compare this with the defined user data.
  sending response, if user data was okay or not.
  close connection

That's it, not very risky (I think), I watch out for overflows and leaks.

And only the port for the server is forwarded in the router, so this is the only accessible port from outside.

And again very thanks for the feedback and help on my - maybe a bit stupid - questions.

[GunnerInc]

Quote

And then my server is the second point of worrying.

No, your server is the FIRST point of worry; not the OS, not the mouse munching on cheese over in the corner. Your server is what interacts with the internet before your OS.

Quote

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflow.

It would behoove you to learn about buffer exploits and the many exploits if you are writing a server. Most buffer exploits happen with the stack, since that is the easiest place to overwrite ESP.

[Sinned]

GunnerInc, on 11 January 2012 - 05:08 PM, said:

Quote

And then my server is the second point of worrying.

No, your server is the FIRST point of worry; not the OS, not the mouse munching on cheese over in the corner. Your server is what interacts with the internet before your OS.

I didn't know that.
I thought a machine should only do something, like connecting to the internet, if someone (like the OS) orders him to.
So if a computer doesn't start-up from LAN, why should it connect to the internet?
And mostly I see, when Linux boots, it configures "DHCP" at one of the last things.

I think I understand too little about this part of computer security.
Here is my view on computers (in steps, what is happening by doing something):

Spoiler

A computer is off, a LAN cable is plugged in, and it's power is plugged in.
Only at the moment a human presses the "on" button, a process starts up (bootloader).
This process can only start-up because it's powered.
The things this process do:
- Copy booting info into the memory (this is the first part of the OS)
- The OS starts up, it configures a few basic functions.
- The LAN cable is just a cable with two lines of metal. (I suppose copper )
- The machine sends a few little shocks over this line, these are the bits containing the MAC address from the computer.
- The router returns 2 bytes (16 bits) which contain the last two bytes of the internal IP. (192.168.x.x)
- Now the "internet-connection" is established.
- So when the router sends bytes to it, it checks for which "serversocket" process it's mentioned, and give through these bits.
When now a program starts up. (For example SSH, automatically starts up)
- The main-function in the main-class of SSH is loaded into the RAM. (this comes from the data-storage - HDD)
- And the CPU executes the function, this function calls a few other classes, which has to load from the data-storage.
- SSH opens a server socket, which waits for bits coming in. (On port 22)
- When the computer now receives the data (from the router) for "give 1010001010111010 to port 22", here is SSH running, SSH receives these bits.
- If there isn't running an process on the port, the server returns a "No service running on port X" to the router. (So these bits gets never handled)
- So all these bits come to the SSH server and gets handled.
- The SSH responses to the incoming bits, and sends "10001001" back to the router. (Which end up at the client)

I believe this is all what is happening with a server socket.
So I don't understand why a worm or hacker can get in the PC.
The only way to connect to a PC is on running services on ports.
If the server program is written good, without leaks, there is no harm.

So this is how I think about computers.
I don't understand how it can get harmed if everything should work fairly.

[modi123_1]

Quote

I believe this is all what is happening with a server socket.
So I don't understand why a worm or hacker can get in the PC.

As I said - the malicious program tells it to! A server has to be administered.. those administration doors create holes that are exploitable.

Quote

The only way to connect to a PC is on running services on ports.
If the server program is written good, without leaks, there is no harm.

In an ideal world sure, but code is often not written to perfection... not to mention the intentional holes given by administrators. Then there's updates... people like having new stuff. More efficient.. faster serving.. etc. Those updates then might not work fine with the existing code base... or they might introduce holes. You expect computers to be some sort of closed system - well stop thinking that.

Quote

So this is how I think about computers.
I don't understand how it can get harmed if everything should work fairly.

Then you should take off the rose colored glasses and get out of the idealized world. The only certain way to not get attacked via your connection is to unplug the system from the net or any network attached to the net.