Unauthorized Execution of Programs or Commands

Written by Thomas Gregovich; published October 2007.

A perpetrator can exploit a vulnerability in a victim system that allows one or more rogue commands to be run on that system; a clever perpetrator can then do almost anything on the compromised system. One of the most common ways to run rogue commands is to create a buffer overflow condition, which results when more input is received than the memory set aside for it can hold, so that the excess input overwrites commands in memory that are waiting to be executed. Not only can existing commands be overwritten; if the overflow is done correctly, the attacker's commands are positioned in the buffer so that they are actually executed.

One of the most common methods of running unauthorized commands on victim systems is exploiting the Berkeley Internet Name Domain server (BIND), the most widely deployed implementation of the Domain Name System (DNS). DNS is an essential Internet service: it lets systems locate other systems by hostname alone (for example, system.domain.co), converting each hostname to an IP address such as 131.243.2.3, or vice versa. Functions and components within certain versions of BIND, including nxt, qinv, in.named, and others, contain a number of exploitable bugs that can lead to outcomes such as a buffer overflow and, through it, the ability to execute commands with root (superuser) privileges. For example, some versions of BIND do not correctly validate NXT records; an attacker can consequently send a very large amount of input in such records to cause a buffer overflow and then run a rogue program at the same privilege level as the name server.

Attackers who initiate BIND attacks seldom stop after exploiting one or more vulnerabilities. They also frequently purge system logs to cover their tracks and then (if they have not already gained root access) download and run tools to obtain a root shell. Next they run network-scanning tools to locate other systems with the same BIND vulnerabilities, and then they attack those systems in the same manner. The toll, in terms of the number of machines compromised within a short period, is often very high.

BIND attacks pose a very serious risk because of the prevalence of BIND on the Internet. In fact, a consensus effort to determine the most exploited vulnerabilities identified BIND-based attacks as the most frequent (see the next sidebar). Both Linux and UNIX systems are vulnerable to BIND attacks.

Unauthenticated remote users might also be able to run rogue code on systems that run unpatched versions of LPRng. LPRng is a frequently used software package on FreeBSD UNIX and certain versions of Linux, where it replaces the Berkeley Standard Distribution (BSD) lpd printing service. This software has a format string vulnerability, a problem caused by function calls that omit the format string argument. Format strings tell the function how received input is to be processed; when one is missing, the user-supplied input is interpreted as the format string itself, which is what enables user-supplied arguments to be passed to the susceptible function call.
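As an added illustration (not LPRng's own code, and not from the original article), here is the shape of the defective call beside the corrected one. The function names `log_job_unsafe` and `log_job_safe`, the `lpd: job` prefix and the sample job name are all constructed for this example:

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: how a format string bug arises in a logging call
 * and how the fixed call differs. Both functions render a client-supplied
 * string (a print job name) into a log line. Not LPRng's code. */

#define LINE_MAX_LEN 128

/* VULNERABLE pattern: the format string argument is omitted and the
 * user-controlled string is passed in its place. If that string contains
 * directives such as %x or %n, snprintf interprets them and reads or
 * writes memory the caller never intended. Kept only for comparison;
 * GCC/Clang warn on it under -Wformat-security, hence the pragma. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_job_unsafe(char *line, size_t size, const char *job_name)
{
    return snprintf(line, size, job_name);
}
#pragma GCC diagnostic pop

/* FIXED pattern: a constant format string with "%s" means the user data
 * is copied verbatim; any '%' in it is an ordinary character. */
int log_job_safe(char *line, size_t size, const char *job_name)
{
    return snprintf(line, size, "lpd: job %s", job_name);
}

/* Defensive check: does a client string carry format directives at all?
 * Useful for alerting on suspicious input before it reaches any logger. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char line[LINE_MAX_LEN];
    const char *hostile = "%x%x%x%n";   /* constructed sample input */

    log_job_safe(line, sizeof line, hostile);
    printf("safe:    %s\n", line);      /* directives appear literally */
    printf("flagged: %d\n", has_format_directive(hostile));
    /* log_job_unsafe(line, sizeof line, hostile) is deliberately not run */
    return 0;
}
```

Building with `-Wformat -Werror=format-security` turns the unsafe call into a compile error, which is the cheapest systematic check for this class of defect.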
