Date: Mon, 20 Jul 1998 22:57:00 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <Pine.BSI.3.96.980720220403.7089A-100000@anchovy.orem.iserver.com>
In-Reply-To: <199807202328.RAA26899@lariat.lariat.org>
On Mon, 20 Jul 1998, Brett Glass wrote:
> One of the programmers in charge of maintaining that code wrote me as
> follows just yesterday:
>
> You are right that sprintf and vsprintf may cause the overflows.
> What I did in 2.5 is to contain the external values (mostly user generated)
> as a quick patch. I guess using those calls for internal data (where the
> size is known) is safe.
>
> In short, time to take the tool out of the shop. If it's even THERE, students
> unclear on the concept will kill themselves.
I personally feel the official Qualcomm patch is pretty weak, which is why
I have opted to craft my own patch instead. Instead of squashing the bug
in pop_msg() by using vsnprintf() instead of vsprintf(), the Qualcomm
developers have opted instead to try to limit the length of arguments
passed in calls to pop_msg(). Huh? Why not cut to the chase and address
the real bug instead of applying lots and lots of Band-Aids all over the
place? What if they missed a few calls? It sounds like the developers
have not learned from their mistakes. Will it take another nasty spree of
root compromises to penetrate their heads?
> > Consider Bugtraq and the other popular security mailing lists as required
> > reading. Absolutely. None of these holes would have taken you by
> > surprise if you had diligently read these lists.
>
> Not necessarily. An exploit can be used long before it hits the lists.
Well, of course. I think we all know that. I was making reference to the
qpopper bug specifically, though. Big news scoops like the popper hole
have a way of breaking on public lists, despite anybody's best efforts.
Were you compromised before or after June 27? The first public posting
that I am aware of regarding the vsprintf() overflow in Qualcomm popper
was posted to Bugtraq on June 27, 1998. Check it out at:
http://www.netspace.org/cgi-bin/wa?A2=ind9806D&L=bugtraq&P=R3472
The first publicly posted i386 BSD exploit for this hole that I am aware
of was posted to Bugtraq on June 30, 1998 (pretty quick, eh?). Check it
out at:
http://www.netspace.org/cgi-bin/wa?A2=ind9806E&L=bugtraq&P=R1313
Don't get me wrong ... I'm bummed that you got hacked. BUT, make sure
that you aren't letting your emotions get the better of level-headed and
rational thinking in response to the compromise. If you were compromised
after June 27, 1998, you could have prevented the situation by reading
Bugtraq and freebsd-security. The list traffic spiked in volume as a
result of the disclosure, so it would have been hard to miss.
Trust me on one thing, though. If you can thwart the script kiddies,
you'll solve over 99% of your possible problems. It sounds like you
weren't hit by a skilled cracker. The ones you don't even know about are
the ones you should fear the most, but those are far and away less
numerous.
Paul Hart
--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
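The sink-versus-call-site argument above, as an added example that is not from this thread and not from qpopper's own sources: an unbounded vsprintf() reply formatter of the kind the message criticises, beside the vsnprintf() version that bounds the write and reports truncation. Function names and the 256-byte buffer size are assumptions for illustration, and the long input is constructed here rather than taken from any real session.

```c
/* Added example, not from the thread or from qpopper: the pop_msg()-style
 * bug (unbounded vsprintf into a fixed buffer) next to the vsnprintf fix.
 * MSG_CAP and the function names are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 256   /* assumed reply-buffer size */

/* Before: vsprintf() has no idea how big msg[] is. A client-supplied
 * string longer than the buffer overruns the stack frame. Kept only
 * for comparison; it is never called on long input below. */
static int reply_unbounded(char *msg, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(msg, fmt, ap);
    va_end(ap);
    return n;
}

/* After: fix the sink. vsnprintf() writes at most cap-1 bytes plus NUL
 * and returns the length the full message would have had, so the caller
 * can detect truncation instead of silently corrupting memory. One change
 * here covers every caller, which is why fixing the sink beats clamping
 * each argument at each call site. Returns -1 on encoding error, -2 when
 * the message was truncated, otherwise the message length. */
static int reply_bounded(char *msg, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(msg, cap, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= cap ? -2 : n;
}

/* Bytes vsprintf() would need, measured without performing the write:
 * vsnprintf with a zero-length destination only counts. Handy when
 * auditing existing calls for buffers that are too small. */
static size_t bytes_needed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n + 1;   /* +1 for the terminating NUL */
}

/* Constructed input: a 400-byte "username", the kind of external value
 * the call-site patch tries to clamp one call at a time. */
static void make_long_name(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* Returns 1 when the unbounded form would have overflowed MSG_CAP and the
 * bounded form reports truncation while leaving a NUL-terminated buffer. */
int demo_long_input(void)
{
    char name[401];
    char msg[MSG_CAP];
    make_long_name(name, 400);
    size_t need = bytes_needed("-ERR Unknown user %s", name);
    int rc = reply_bounded(msg, sizeof msg, "-ERR Unknown user %s", name);
    return need > MSG_CAP && rc == -2 && strlen(msg) == MSG_CAP - 1;
}

/* Returns 1 when both forms behave identically on ordinary input, i.e.
 * the fix changes nothing for well-formed replies. */
int demo_short_input(void)
{
    char a[MSG_CAP], b[MSG_CAP];
    int na = reply_unbounded(a, "+OK %d messages", 3);
    int nb = reply_bounded(b, sizeof b, "+OK %d messages", 3);
    return na == nb && strcmp(a, b) == 0 && strcmp(a, "+OK 3 messages") == 0;
}

int main(void)
{
    printf("long input:  %s\n", demo_long_input() ? "truncated safely" : "FAIL");
    printf("short input: %s\n", demo_short_input() ? "identical output" : "FAIL");
    return 0;
}
```

Compile with any C99 compiler; the vsprintf() path is kept only to show the shape of the original bug, and the program never feeds it the long input. The return-value convention of reply_bounded() is what a reviewer should look for after such a fix: callers that ignore a truncation result may still log or send a clipped message, but they no longer write past the buffer.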