Date:      Thu, 13 Feb 1997 23:50:51 -0700
From:      Warner Losh <imp@village.org>
To:        Vadim Kolontsov <vadim@tversu.ac.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: new bugs with strcpy() 
Message-ID:  <E0vvHTv-000254-00@rover.village.org>
In-Reply-To: Your message of "Wed, 12 Feb 1997 12:51:56 +0300." <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru>
References:  <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru>  

In message <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru> Vadim Kolontsov writes:
:   For example, 
: 	static char pathname[MAXPATHLEN];
: 			sprintf(pathname, "%s/%s", dirp->name, filename);
: }
:   
:   (of course, tftpd runs as nobody by default, but when you'll get
: access to the system you can use another exploit...)

And you are overflowing a static buffer which is *MUCH* harder to
exploit than the stack overflows that we've read so much about.

Nonetheless, I'll be committing a fix for this at some point soon.
Can't be too careful :-)

:   It looks that we need to check whole source tree carefully..
:   Or at least apply patches to libc's strcpy() that checks stack frame.

Yes.  That's true.  Such an effort is going on.

Thanks for pointing out possible problems...

Warner
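The pattern under discussion, as an added example that is not code from this thread or from FreeBSD's tftpd: `sprintf(pathname, "%s/%s", ...)` into a fixed-size array writes as many bytes as the two inputs demand, so an attacker-chosen filename longer than the remaining space runs off the end of the buffer. The hardened form below uses `snprintf()` and treats a truncated result as an error instead of silently using a clipped path. `DEMO_MAXPATHLEN`, `would_overflow` and `join_path` are names chosen here for illustration; the buffer size is shrunk from the real `MAXPATHLEN` so the overflow condition is easy to see.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for MAXPATHLEN (assumption: a small value so the
 * overflowing case is reachable with short constructed inputs). */
#define DEMO_MAXPATHLEN 16

/* Would the original unbounded sprintf(buf, "%s/%s", dir, file) write past
 * a buffer of `cap` bytes?  Counts the '/' separator and the terminating
 * NUL.  Returns 1 for overflow, 0 when the result fits.  This only computes
 * the length; it never performs the overflowing write. */
int would_overflow(size_t cap, const char *dir, const char *file)
{
    return strlen(dir) + 1 + strlen(file) + 1 > cap;
}

/* Hardened join.  snprintf() never writes more than `cap` bytes, and its
 * return value is the length the full string would have had, so a value
 * >= cap means the path was truncated.  A truncated path is not the file
 * the caller asked for, so report an error and leave `out` empty rather
 * than hand back a clipped name. */
int join_path(char *out, size_t cap, const char *dir, const char *file)
{
    int n = snprintf(out, cap, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: a short directory and two request filenames. */
    const char *dir = "/tftpboot";
    const char *ok_name = "x";
    const char *long_name = "aaaaaaaa";
    char pathname[DEMO_MAXPATHLEN];

    printf("unbounded sprintf would overflow for \"%s\": %d\n",
           ok_name, would_overflow(sizeof pathname, dir, ok_name));
    printf("unbounded sprintf would overflow for \"%s\": %d\n",
           long_name, would_overflow(sizeof pathname, dir, long_name));

    if (join_path(pathname, sizeof pathname, dir, ok_name) >= 0)
        printf("joined: %s\n", pathname);
    if (join_path(pathname, sizeof pathname, dir, long_name) < 0)
        printf("rejected: path for \"%s\" does not fit\n", long_name);
    return 0;
}
```

The checking function mirrors the arithmetic a pre-C99 code base without `snprintf()` would do by hand before calling `sprintf()`: directory length, one byte for the slash, filename length, one byte for the NUL, compared against the array size.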



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0vvHTv-000254-00>