From owner-freebsd-security Mon Jul 20 14:09:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14823 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:09:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14805 for ; Mon, 20 Jul 1998 14:09:24 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Mon, 20 Jul 1998 15:09:08 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma004724; Mon, 20 Jul 98 15:09:03 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id OAA06622; Mon, 20 Jul 1998 14:57:53 -0600 (MDT)
Date: Mon, 20 Jul 1998 14:57:53 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807201732.LAA20377@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:

> I would argue that the real problem is unsafe tools. C and its libraries
> have, from the start, been rusty, and unsafe, with no safeguards against
> cutting one's head off.

I will not argue with the statement that C gives you the potential to hurt
yourself. It does. BUT, so do power tools, knives, and blunt objects. These
things can and should be used with care, but we shouldn't necessarily get
rid of them just because people can hurt themselves with them. The world is
a dangerous place, so be careful. My wood shop teacher in junior high school
made us all take a power tool safety course before we could operate the
shop's table saw. Maybe programmers writing software that runs as root
should be just as careful.
Oftentimes "being careful" just means rethinking your C coding style.
Instead of using strcpy(), use strncpy(). That's not too hard of a change,
is it? As a simple example, your entire qpopper problem would have been
non-existent if the programmer had used vsnprintf() instead of vsprintf().
Funny what a difference a single character makes.

> > I don't want to seem callous to your plight because I know how you must
> > feel, but does not the old adage "once bitten, twice shy" apply to your
> > situation? You were hacked. Now you know better. Can we assume that
> > this will not happen again?
>
> No, we can't. I'm sure there will be more holes -- both in third party
> utilities and in FreeBSD itself -- that will leave my system vulnerable.

I don't doubt that programmers will continue to crank out buggy software.
However, I think you can more or less effectively protect yourself from
crackers without powering down and unplugging your machine permanently.
Consider Bugtraq and the other popular security mailing lists as required
reading. Absolutely. None of these holes would have taken you by surprise
if you had diligently read these lists. Most of these crackers are immature
"script kiddies" that simply download prepackaged exploits off sites like
http://www.rootshell.com and then roam the Internet looking for windows to
smash in. Their skill level is remarkably low, and sooner or later they'll
get caught.

As a case in point, I work in a setting where we have thousands (8000+) of
untrusted users with shell access to our server machines. The machines are
running BSDI, but for the purposes of this discussion they are identical to
machines running FreeBSD. We are a ROUTINE target of script kiddie attacks.
If we were not vigilant about security, we would have been "0wn3d" long
ago. But we are vigilant. It is surprising how bland our little wannabe
hackers are.
They always use the same boring exploit code, directly taken from Rootshell
or Bugtraq, and they always try the same old stunts, which of course, do
not work. If you maintain that two or three day lead time on the script
kiddies and patch stuff as soon as it is exposed on Bugtraq, you should be
relatively safe. Your mileage may vary, of course, but that's a safe lead
time figure. IMO, if you are safe against everything at Rootshell, then
you're safe against 99.99% of what will ever come your way. Perhaps you
should panic about the other .01%, but that's why you have an emergency
plan to recover in the case of a catastrophe, right?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/
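The message's point about vsprintf() versus vsnprintf() and strcpy() versus strncpy() is illustrated below in an added example; this is not code from Paul Hart's message, from qpopper, or from any FreeBSD source. The function names (format_bounded, copy_bounded, build_error_reply) and the "-ERR unknown command" reply string are constructed for the illustration. It also covers the caveat the message does not mention: strncpy() leaves the destination unterminated when the source fills the whole buffer, so the bounded copy below terminates explicitly.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the vsprintf() pattern: writes at most dstlen
 * bytes including the NUL, so an oversized argument can only truncate the
 * output, never run past the buffer. Returns 0 on success, -1 if the result
 * was truncated or vsnprintf() failed (dst is still NUL-terminated). */
int format_bounded(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dstlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);   /* the "single character" fix */
    va_end(ap);
    /* n is the length that would have been written; >= dstlen means cut */
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return 0;
}

/* Bounded replacement for strcpy(). Unlike a bare strncpy(dst, src, dstlen),
 * this always leaves dst NUL-terminated. Returns 0 if src fit, -1 if it was
 * truncated to dstlen - 1 bytes. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t srclen;

    if (dstlen == 0)
        return -1;
    srclen = strlen(src);
    if (srclen >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';   /* strncpy() alone would not add this */
        return -1;
    }
    memcpy(dst, src, srclen + 1);  /* fits, NUL included */
    return 0;
}

/* The shape of the bug the message refers to: a protocol error reply built
 * from an untrusted command string into a fixed-size buffer. With vsprintf()
 * nothing bounds the write; with vsnprintf() the buffer size does.
 * Constructed illustration, not qpopper's actual code. */
int build_error_reply(char *out, size_t outlen, const char *untrusted_cmd)
{
    return format_bounded(out, outlen, "-ERR unknown command: %s",
                          untrusted_cmd);
}

int main(void)
{
    char reply[32];
    /* Constructed oversized input: 40 'A's, longer than the reply buffer. */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (build_error_reply(reply, sizeof reply, "LIST") == 0)
        printf("ok:        %s\n", reply);
    if (build_error_reply(reply, sizeof reply, big) == -1)
        printf("truncated: %s (%zu bytes kept)\n", reply, strlen(reply));
    return 0;
}
```

The return value matters as much as the bound: a caller that ignores the truncation signal trades an overflow for a silently mangled reply, so the -1 should be checked and logged rather than discarded.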