From owner-freebsd-security Tue Aug 29 16:29:47 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id QAA28699 for security-outgoing; Tue, 29 Aug 1995 16:29:47 -0700
Received: from kryten.atinc.com (kryten.Atinc.COM [198.138.38.7]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id QAA28692 for ; Tue, 29 Aug 1995 16:29:39 -0700
Received: (jmb@localhost) by kryten.atinc.com (8.6.9/8.3) id TAA16254; Tue, 29 Aug 1995 19:23:37 -0400
Date: Tue, 29 Aug 1995 19:23:36 -0400 (EDT)
From: "Jonathan M. Bresler"
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: Bruce Evans
cc: security@freebsd.org
In-Reply-To: <199508291811.EAA28657@godzilla.zeta.org.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Wed, 30 Aug 1995, Bruce Evans wrote:

> >from a quick perusal of the syslog.c that we have in -stable, i'd say
> >that FreeBSD is vulnerable to this attack. our syslog has fixed size
> >buffers and uses sprintf to write to them. should be changed to
> >snprintf--a quick perusal says that should do the trick
>
> >shades of rtm
>
> Anyone for execute-protected data by default if the machine can support
> it? Programs that want to execute data should have to request it and
> everything else would be more secure.

the segment descriptors support the text (code) vs data identification.
this would be a big win regarding security (and writing to wild pointers
that hit your own code segment ;)

we should still examine all the system libraries for similar problems
(buffer overrun). this was the exact same problem that rtm used to
compromise fingerd: it used gets(), syslog() used sprintf().

>
> Bruce
>

Jonathan M. Bresler  jmb@kryten.atinc.com    | Analysis & Technology, Inc.
FreeBSD Postmaster   jmb@FreeBSD.Org         | 2341 Jeff Davis Hwy
play go.                                     | Arlington, VA 22202
ride bike.  hack FreeBSD.--ah the good life  | 703-418-2800 x346
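The sprintf()-into-a-fixed-buffer pattern the thread is talking about, beside the snprintf() form it recommends, as an added example that is not code from the 8lgm advisory, from FreeBSD's syslog.c, or from either poster. The 64-byte buffer, the "prog[pid]: msg" format, the program name "fingerd" and the 199-byte message are assumptions chosen to make the overflow visible; the unsafe variant is only ever called with input that fits, and a helper computes how many bytes it would have written for the long input so the reader can see the overrun without triggering undefined behaviour.

```c
/* Added example: fixed-size log buffer filled with sprintf() (the bug class
 * in the advisory) versus snprintf() (the fix the thread proposes).
 * Buffer size, format string and inputs are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define LOGBUF 64   /* assumed fixed-size buffer, as in the vulnerable pattern */

/* Unsafe: sprintf() has no idea how large buf is.  If 'msg' is attacker
 * controlled and longer than the space left in buf, the write runs past the
 * end of buf on the stack.  Kept here only to show the pattern; it is called
 * below only with a message that fits. */
static void log_unsafe(char *buf, const char *prog, const char *msg)
{
    sprintf(buf, "%s[%d]: %s", prog, 1234, msg);   /* no bound on the write */
}

/* Safe: snprintf() writes at most bufsize-1 bytes plus the terminating NUL.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on error. */
static int log_safe(char *buf, size_t bufsize, const char *prog, const char *msg)
{
    int need = snprintf(buf, bufsize, "%s[%d]: %s", prog, 1234, msg);
    if (need < 0)
        return -1;
    return (size_t)need >= bufsize ? 1 : 0;
}

/* Number of bytes (excluding the NUL) that sprintf() would have written for
 * this input, computed with snprintf(NULL, 0, ...) so nothing is overrun. */
static size_t bytes_needed(const char *prog, const char *msg)
{
    int need = snprintf(NULL, 0, "%s[%d]: %s", prog, 1234, msg);
    return need < 0 ? 0 : (size_t)need;
}

int main(void)
{
    char buf[LOGBUF];
    char longmsg[200];   /* constructed input standing in for attacker data */

    memset(longmsg, 'A', sizeof longmsg - 1);
    longmsg[sizeof longmsg - 1] = '\0';

    /* Short message: both variants behave the same. */
    log_unsafe(buf, "fingerd", "login ok");
    printf("sprintf  (short): %s\n", buf);
    printf("snprintf (short): truncated=%d -> %s\n",
           log_safe(buf, sizeof buf, "fingerd", "login ok"), buf);

    /* Long message: sprintf() would write past the buffer; snprintf() clips. */
    printf("long message needs %zu bytes, buffer holds %d\n",
           bytes_needed("fingerd", longmsg), LOGBUF);
    printf("snprintf (long): truncated=%d, strlen=%zu\n",
           log_safe(buf, sizeof buf, "fingerd", longmsg), strlen(buf));
    /* log_unsafe(buf, "fingerd", longmsg) would smash the stack here. */
    return 0;
}
```

The truncation flag is the part worth keeping: a caller that silently accepts a clipped log line can still lose the end of the message, so a real syslog(3) replacement should either grow the buffer or note the truncation, but it can no longer be made to overwrite the return address.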