From owner-freebsd-audit Tue Dec 7 10:58:13 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 20DD514D42 for ; Tue, 7 Dec 1999 10:58:06 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA17811; Tue, 7 Dec 1999 13:58:00 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Tue, 7 Dec 1999 13:57:59 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: tstromberg@rtci.com
Cc: freebsd-audit@freebsd.org
Subject: Re: 10 more overflows (minor)
In-Reply-To: <84723845.944586353513.JavaMail.chenresig@karma>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Those ones in dump/etc are nasty. :-)

So, right now you grab environment information from the binaries, but you could also instrument libc (and others) to report on their use of getenv/etc to some logging mechanism, and then attempt to exploit the ones used. This would help you in situations (that might exist) where the program uses variable string pointers to call getenv.

Also, with the fts_ stuff a while back, that raises the issue of long filenames as a potential source of suffering. Not sure how easy that would be to test, but really suggests a libc test harness (or syscall test harness) that causes unpleasantness for processes running in it.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
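The instrumentation Robert describes, as an added example that is not part of the original mail or of FreeBSD's libc: a small getenv() interposer that reports every environment variable a program reads, together with the length of the value it received. Loaded ahead of libc with LD_PRELOAD (assumed build and run line: `cc -shared -fPIC -o getenv-audit.so getenv-audit.c`, then `LD_PRELOAD=./getenv-audit.so ./program`; the file name is a placeholder), it sees the call no matter how the program arrived at the variable name, which is exactly the case a static scan of the binary for string literals misses. The helper names `audited_lookup`, `audit_calls` and `audit_name_at` are this example's own, not libc API. Rather than chaining to the real getenv() through dlsym(RTLD_NEXT, ...), it performs the lookup over `environ` itself, so it has no dependency on libdl and the lookup can be tested against a constructed environment.

```c
/* Added example: audit interposer for getenv(), not code from the mail or
 * from any libc. Compiles either as an LD_PRELOAD shared object or into an
 * ordinary program for testing. Walks `environ` directly instead of calling
 * the real getenv(), so it needs no dlsym()/libdl. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Fixed-size record of observed variable names; sized for a demonstration. */
#define AUDIT_MAX 64
#define AUDIT_NAME_LEN 64
static char audit_names[AUDIT_MAX][AUDIT_NAME_LEN];
static size_t audit_count = 0;

/* Record one getenv() call: the name asked for, whether it was set, and the
 * length of the value handed back. Reports on stderr; a real harness would
 * hand this line to its logging mechanism instead. */
static void audit_record(const char *name, int found, size_t value_len)
{
    if (audit_count < AUDIT_MAX) {
        snprintf(audit_names[audit_count], AUDIT_NAME_LEN, "%s", name);
        audit_count++;
    }
    fprintf(stderr, "getenv-audit: %s %s (value length %zu)\n",
            name, found ? "read" : "unset", value_len);
}

/* Look `name` up in a NULL-terminated array of "NAME=value" strings, with
 * getenv()'s matching rule: the entry must start with the whole name followed
 * by '='. Kept separate from the interposer so it can be exercised on a
 * constructed environment rather than the process's real one. */
char *audited_lookup(char *const *envp, const char *name)
{
    size_t nlen;

    /* Empty names and names containing '=' can never match an entry. */
    if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
        return NULL;
    nlen = strlen(name);
    for (; envp != NULL && *envp != NULL; envp++) {
        if (strncmp(*envp, name, nlen) == 0 && (*envp)[nlen] == '=')
            return *envp + nlen + 1;   /* value starts after the '=' */
    }
    return NULL;
}

/* The interposed getenv(): same contract as libc's, plus the audit record.
 * When this object is preloaded, the dynamic linker binds the program's
 * getenv references here before libc's definition is considered. */
char *getenv(const char *name)
{
    char *value = audited_lookup(environ, name);
    audit_record(name != NULL ? name : "(null)", value != NULL,
                 value != NULL ? strlen(value) : 0);
    return value;
}

/* Accessors over the recorded calls, for a test or an at-exit summary. */
size_t audit_calls(void)
{
    return audit_count;
}

const char *audit_name_at(size_t i)
{
    return i < audit_count ? audit_names[i] : NULL;
}
```

Two limits worth knowing before relying on the report: the dynamic linker ignores LD_PRELOAD for set-user-ID and set-group-ID executables, which is where the overflows in this thread matter most, so those have to be run as an unprivileged copy or under a debugger; and statically linked programs never go through the dynamic linker at all. Variables that appear in the report with long values are the ones to check in the source for fixed-size copies.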