Date:      Tue, 21 Jul 1998 10:06:11 +0100 (BST)
From:      Jay Tribick <netadmin@fastnet.co.uk>
To:        Andrew McNaughton <andrew@squiz.co.nz>
Cc:        Garance A Drosihn <drosih@rpi.edu>, Paul Hart <hart@iserver.com>, Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the   stack?
Message-ID:  <Pine.BSF.3.96.980721100246.5652P-100000@bofh.fast.net.uk>
In-Reply-To: <Pine.BSF.3.96.980721190200.2273O-100000@aniwa.sky>

| > It is not a hard change.  That, however, is no consolation to anyone
| > nailed by this.  The fact is that QPOPPER did use vsprintf, and that
| > (apparently) no one noticed it.  It wasn't *Brett's* coding style that
| > will cause *Brett* to lose a few weeks of time here.
| > 
| > Perhaps we could think up some changes which would make these bad
| > coding decisions much more obvious.  And if we do that, then maybe we
| > catch more of them before getting bitten by them, instead of after the
| > fact.  I don't mean to be inflammatory here, I just wonder if there's
| > some changes which could be made which would safe "future Brett's" from
| > losing a large chunk of time.
| 
| -- cut --
| #!/bin/sh
| for i in `ls  /bin/* /usr/bin/* /usr/local/bin/*`
| do 
|   strings $i | grep vsprintf | sed -e "s|^|$i: |"
| done
| 
| -- cut --

You think that's bad?

su-2.01# find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin /usr/local/bin
-perm -4000 | awk '{ print "strings "$1" | grep vsprintf | sed -e
\"s|^|"$1": |\"" }' >temp
su-2.01# sh ./temp
/usr/sbin/pppd: _vsprintf
/usr/local/sbin/amcheck: _vsprintf
/usr/local/bin/ssh: _vsprintf

I haven't had a chance to look at the ssh code but why would it
need to use vsprintf?? And also, why is it installed suid root?

Amcheck's even more worrying (part of the Amanda backup distrib.)

Mind you, none of these take input from STDIN or any other 
means so it would probably be a lot harder to exploit.

su-2.01# uname -a
FreeBSD server1.fastnet.co.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon
Jun 22 17:33:00 BST 1998
kronus@anarchy.fast.net.uk:/usr/src/sys/compile/ANARCHY  i386
su-2.01#

Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[|        Finger netadmin@fastnet.co.uk for contact information        |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
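A more robust form of the audit Jay runs above, added here as an example and not part of the thread or either poster's script: it finds setuid and setgid files without parsing `ls` output or building a temp script with awk, tolerates filenames with spaces, and uses `tr` in place of strings(1) so it needs only POSIX tools. The watch list of symbols, the `_?` prefix handling, and the constructed pseudo-binary used by the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit setuid/setgid binaries for
# references to unbounded string functions such as vsprintf.

# Assumed watch list; vsprintf is the one the thread is about.  The leading
# underscore variant matches what the FreeBSD 2.2.6 binaries above show.
RISKY='_?(vsprintf|sprintf|strcpy|strcat|gets)'

# Print the watched symbol names referenced in one file, one per line.
# tr turns every non-printable byte into a newline, so each NUL-terminated
# string-table entry becomes its own line, much like strings(1) output.
risky_symbols() {
    tr -c '[:print:]' '\n' < "$1" | grep -E -x "$RISKY" | sort -u
}

# Report "file: symbol" for every setuid or setgid regular file under the
# given directories.  Paths are read one per line, so spaces are fine.
scan_privileged() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        risky_symbols "$f" | awk -v f="$f" '{ print f ": " $0 }'
    done
}

# Demo on a constructed pseudo-binary (NUL-separated names, like an ELF
# string table) so the script can be tried without root or real targets.
demo() {
    d=$(mktemp -d)
    printf 'libc.so\0_vsprintf\0snprintf\0strlcpy\0' > "$d/fake"
    chmod u+s "$d/fake"
    scan_privileged "$d"        # prints: <tmpdir>/fake: _vsprintf
    rm -rf "$d"
}

if [ $# -eq 0 ]; then
    demo
else
    scan_privileged "$@"        # e.g. ./audit.sh /bin /sbin /usr/bin /usr/sbin
fi
```

Run it with no arguments for the demo, or pass the directories to audit; only symbol names are reported, so a hit still needs a look at the code to decide whether the call can be reached with attacker-influenced data.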
