Date:      Tue, 29 Aug 1995 19:23:36 -0400 (EDT)
From:      "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>
To:        Bruce Evans <bde@zeta.org.au>
Cc:        security@freebsd.org
Subject:   Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
Message-ID:  <Pine.3.89.9508291953.B15948-0100000@kryten.atinc.com>
In-Reply-To: <199508291811.EAA28657@godzilla.zeta.org.au>

On Wed, 30 Aug 1995, Bruce Evans wrote:

> >from a quick perusal of the syslog.c that we have in -stable, i'd say 
> >that FreeBSD is vulnerable to this attack.  our syslog has fixed size 
> >buffers and uses sprintf to write to them.  should be changed to 
> >snprintf--a quick perusal says that should do the trick
> 
> >shades of rtm
> 
> Anyone for execute-protected data by default if the machine can support
> it?  Programs that want to execute data should have to request it and
> everything else would be more secure.

	the segment descriptors support the text (code) vs data 
identification.  this would be a big win regarding security (and writing 
to wild pointers that hit your own code segment ;)

	we should still examine all the system libraries for similar 
problems (buffer overrun).  this was the exact same problem that rtm used 
to compromise fingerd, it used gets(), syslog() used sprintf().


> 
> Bruce
> 

Jonathan M. Bresler  jmb@kryten.atinc.com       | Analysis & Technology, Inc.  
FreeBSD Postmaster   jmb@FreeBSD.Org            | 2341 Jeff Davis Hwy
play go.                                        | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life      | 703-418-2800 x346
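
Added example, not part of the original message and not FreeBSD's syslog.c: a fixed-size log line built in two bounded steps, showing the point a plain sprintf-to-snprintf swap leaves open, namely that the return value is the length that was wanted and must be clamped before it is used as an offset. The names build_log_line, bounded_append and bounded_vappend, the "<pri>tag: " layout and the 16-byte buffer are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at buf + *used, never writing past buf[size - 1].
 * Caller guarantees *used < size. Returns 1 if it all fit, 0 if truncated. */
static int bounded_vappend(char *buf, size_t size, size_t *used,
                           const char *fmt, va_list ap)
{
    size_t room = size - *used;
    int n = vsnprintf(buf + *used, room, fmt, ap);
    if (n < 0) { buf[*used] = '\0'; return 0; }  /* output error */
    if ((size_t)n >= room) {    /* truncated: n is the length that was wanted */
        *used = size - 1;       /* clamp to the terminator, do not add n */
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

static int bounded_append(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ok = bounded_vappend(buf, size, used, fmt, ap);
    va_end(ap);
    return ok;
}

/* Hypothetical syslog-style formatter: "<pri>tag: message" in a fixed buffer. */
int build_log_line(char *buf, size_t size, int pri, const char *tag,
                   const char *fmt, ...)
{
    size_t used = 0;
    va_list ap;
    if (size == 0) return 0;
    int ok = bounded_append(buf, size, &used, "<%d>%s: ", pri, tag);
    va_start(ap, fmt);
    ok = bounded_vappend(buf, size, &used, fmt, ap) && ok;
    va_end(ap);
    return ok;
}

int main(void)
{
    char line[16];  /* constructed: small so the truncation path is taken */
    int ok = build_log_line(line, sizeof line, 14, "su", "%s", "constructed sample message");
    printf("%d %zu %s\n", ok, strlen(line), line);
    return 0;
}
```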
