From owner-freebsd-security Mon Jul 20 22:08:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA13679 for freebsd-security-outgoing; Mon, 20 Jul 1998 22:08:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA13672 for ; Mon, 20 Jul 1998 22:08:51 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Mon, 20 Jul 1998 23:08:34 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma013552; Mon, 20 Jul 98 23:08:13 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id WAA07156; Mon, 20 Jul 1998 22:57:00 -0600 (MDT)
Date: Mon, 20 Jul 1998 22:57:00 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807202328.RAA26899@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:

> One of the programmers in charge of maintaining that code wrote me as
> follows just yesterday:
>
> You are right about sprintf and vsprintf may cause the overflows.
> What I did in 2.5 is to contain the external values (mostly user generated)
> as a quick patch. I guess using those calls for internal data (where the
> size is known) is safe.
>
> In short, time to take the tool out of the shop. If it's even THERE, students
> unclear on the concept will kill themselves.

I personally feel the official Qualcomm patch is pretty weak, which is why
I have opted to craft my own patch instead.
Instead of squashing the bug in pop_msg() by using vsnprintf() instead of
vsprintf(), the Qualcomm developers have opted instead to try to limit the
length of arguments passed in calls to pop_msg(). Huh? Why not cut to the
chase and address the real bug instead of applying lots and lots of
Band-Aids all over the place? What if they missed a few calls? It sounds
like the developers have not learned from their mistakes. Will it take
another nasty spree of root compromises to penetrate their heads?

> > Consider Bugtraq and the other popular security mailing lists as required
> > reading. Absolutely. None of these holes would have taken you by
> > surprise if you had diligently read these lists.
>
> Not necessarily. An exploit can be used long before it hits the lists.

Well, of course. I think we all know that. I was making reference to the
qpopper bug specifically, though. Big news scoops like the popper hole have
a way of breaking on public lists, despite anybody's best efforts.

Were you compromised before or after June 27? The first public posting
that I am aware of regarding the vsprintf() overflow in Qualcomm popper was
posted to Bugtraq on June 27, 1998. Check it out at:

http://www.netspace.org/cgi-bin/wa?A2=ind9806D&L=bugtraq&P=R3472

The first publicly posted i386 BSD exploit for this hole that I am aware
of was posted to Bugtraq on June 30, 1998 (pretty quick, eh?). Check it
out at:

http://www.netspace.org/cgi-bin/wa?A2=ind9806E&L=bugtraq&P=R1313

Don't get me wrong ... I'm bummed that you got hacked. BUT, make sure that
you aren't letting your emotions get the better of level-headed and
rational thinking in response to the compromise. If you were compromised
after June 27, 1998, you could have prevented the situation by reading
Bugtraq and freebsd-security. The list traffic spiked in volume as a
result of the disclosure, so it would have been hard to miss.

Trust me on one thing, though.
If you can thwart the script kiddies, you'll solve over 99% of your
possible problems. It sounds like you weren't hit by a skilled cracker.
The ones you don't even know about are the ones you should fear the most,
but those are far and away less numerous.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
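The two fixes the message contrasts, shown side by side as an added example that is not part of the original post and is not qpopper's source: a pop_msg()-shaped formatter in its unbounded vsprintf() form, the per-argument cap on "external values" that the poster calls a Band-Aid, and the vsnprintf() bound he argues for. The buffer size (64), the per-argument cap (40), the format string and every function name here are assumptions chosen for illustration; the real qpopper sizes and call sites are not on this page.

```c
/* Added example, not qpopper's code.  MSG_BUF and ARG_CAP are assumed
 * sizes chosen for illustration, not values from the real program. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 64   /* assumed fixed-size reply buffer */
#define ARG_CAP 40   /* assumed per-argument cap applied by the band-aid */

/* Shape of the original bug: vsprintf() writes however much the format and
 * its arguments produce.  Only called below with a short, known format;
 * with attacker-controlled %s arguments it overruns buf. */
static void msg_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* Size the formatted output without writing it, so a call can be checked
 * for overflow without corrupting memory (vsnprintf(NULL, 0, ...) is C99). */
static size_t msg_required_len(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* The fix the post argues for: bound the write itself.  Returns 1 if the
 * output was truncated to fit, 0 otherwise; buf is always NUL-terminated. */
static int msg_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= bufsz;
}

/* The band-aid: clamp one external string to ARG_CAP before formatting. */
static void cap_arg(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > ARG_CAP)
        n = ARG_CAP;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Constructed oversize "user" input: a run of 'A's filling dst. */
static void fill_long(char *dst, size_t dstsz)
{
    memset(dst, 'A', dstsz - 1);
    dst[dstsz - 1] = '\0';
}

/* Three arguments, each individually capped to 40 bytes, still need 128
 * bytes in a 64-byte buffer.  The per-argument fix only holds if every
 * call site is patched and no format combines enough capped fields. */
int capped_args_still_overflow(void)
{
    char raw[200], a[ARG_CAP + 1], b[ARG_CAP + 1], c[ARG_CAP + 1];
    fill_long(raw, sizeof raw);
    cap_arg(a, raw);
    cap_arg(b, raw);
    cap_arg(c, raw);
    return msg_required_len("-ERR %s@%s: %s", a, b, c) >= MSG_BUF;
}

/* The same call through the bounded formatter with uncapped arguments:
 * returns the stored length when truncation happened (MSG_BUF - 1), or 0
 * if the output fit without truncation. */
size_t bounded_output_len(void)
{
    char raw[200], out[MSG_BUF];
    fill_long(raw, sizeof raw);
    if (!msg_bounded(out, sizeof out, "-ERR %s@%s: %s", raw, raw, raw))
        return 0;
    return strlen(out);
}

int main(void)
{
    char out[MSG_BUF];
    msg_unbounded(out, "+OK %s", "ready");   /* safe only because it is short */
    printf("%s\n", out);
    printf("capped args still overflow: %d\n", capped_args_still_overflow());
    printf("bounded output length: %zu\n", bounded_output_len());
    return 0;
}
```

The point of `capped_args_still_overflow()` is the one the post makes: capping each argument leaves the bound dependent on the format string and on every caller having been patched, whereas `msg_bounded()` enforces the limit at the one place the write happens, so a missed call site degrades to a truncated message rather than a stack overwrite.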