From: Brett Glass <brett@lariat.org>
To: Paul Hart
Cc: security@FreeBSD.ORG
Date: Mon, 20 Jul 1998 17:28:51 -0600
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-Id: <199807202328.RAA26899@lariat.lariat.org>
References: <199807201732.LAA20377@lariat.lariat.org>

At 02:57 PM 7/20/98 -0600, Paul Hart wrote:

>I will not argue with the statement that C gives you the potential to hurt
>yourself. It does. BUT, so do power tools, knives, and blunt objects.
>These things can and should be used with care, but we shouldn't
>necessarily get rid of them just because people can hurt themselves with
>them. The world is a dangerous place, so be careful. My wood shop
>teacher in junior high school made us all take a power tool safety course
>before we could operate the shop's table saw.

And I'll bet he would not have let you use a table saw without a blade guard, or with a broken blade. Nor would he let you rip wood on a radial arm saw, which can kick the work back in your face -- hard.

Same thing with C. It's an old, rusty, broken tool without blade guards, and it's not well suited to purpose. Your old shop teacher wouldn't have let it in the shop.
>Maybe programmers writing
>software that runs as root should be just as careful.

...and boot C out of the shop.

>Oftentimes "being careful" just means rethinking your C coding style.
>Instead of using strcpy(), use strncpy(). That's not too hard of a change,
>is it?

Well, then why not boot strcpy() out of the library? Bzzzt.... Sorry, history (in other words, prior mistakes) is no excuse. Of course, because of pointer/array equivalence, this wouldn't BEGIN to close the holes.

>As a simple example, your entire qpopper problem would have been
>non-existent if the programmer would have used vsnprintf() instead of
>vsprintf(). Funny what a difference a single character makes.

One of the programmers in charge of maintaining that code wrote me as follows just yesterday:

    You are right that sprintf and vsprintf may cause the overflows. What I did
    in 2.5 is to contain the external values (mostly user generated) as a quick
    patch. I guess using those calls for internal data (where the size is known)
    is safe.

In short, time to take the tool out of the shop. If it's even THERE, students unclear on the concept will kill themselves.

>Consider Bugtraq and the other popular security mailing lists as required
>reading. Absolutely. None of these holes would have taken you by
>surprise if you had diligently read these lists.

Not necessarily. An exploit can be used long before it hits the lists.

--Brett Glass
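The exchange above turns on swapping strcpy() for strncpy() and vsprintf() for vsnprintf(); the C below is an added illustration, not code from either poster or from qpopper, of why the swap alone is not the whole fix. It assumes a hypothetical message-formatting helper and shows vsnprintf()'s return value being used to detect truncation, and strncpy()'s failure to NUL-terminate a full buffer being handled explicitly.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 32   /* fixed-size buffer, as in the server code under discussion */

/* Hypothetical replacement for a vsprintf()-into-fixed-buffer helper.
 * Returns 1 if the whole message fit in out[], 0 if it was truncated.
 * out[] is NUL-terminated either way, so the caller can never read past it. */
int format_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* never writes more than outsz bytes */
    va_end(ap);
    /* vsnprintf returns the length it wanted to write, not what it wrote;
     * silently ignoring that value hides the truncation. */
    return (n >= 0 && (size_t)n < outsz) ? 1 : 0;
}

/* strncpy() is the usual strcpy() replacement, but when src fills the
 * buffer it leaves no terminator behind.  Terminate explicitly and report
 * whether the copy was complete. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 1 : 0;
}

int main(void)
{
    char buf[MSG_MAX];
    /* constructed input: a "username" longer than the buffer */
    const char *user = "a-very-long-user-name-from-the-network-that-does-not-fit";
    int ok;

    ok = format_bounded(buf, sizeof buf, "-ERR bad user %s", user);
    printf("fit=%d out='%s'\n", ok, buf);
    ok = copy_bounded(buf, sizeof buf, user);
    printf("fit=%d out='%s' len=%zu\n", ok, buf, strlen(buf));
    return 0;
}
```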