Date:      Mon, 20 Jul 1998 09:35:34 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        Brett Glass <brett@lariat.org>
Cc:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, dg@root.com, security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID:  <Pine.BSI.3.96.980720090640.6101B-100000@anchovy.orem.iserver.com>
In-Reply-To: <199807200140.TAA06705@lariat.lariat.org>

On Sun, 19 Jul 1998, Brett Glass wrote:

> It'll only get worse, especially so long as we use C;  the language is
> so prone to array overruns and buffer overflow exploits. 

The language only does what it is told; how can it be held responsible?  C
is not prone to exploitation, C programmers are.  And they're still making
the same tired mistakes over and over.

> I don't think anyone should feel antagonized when I emphasize the
> importance of fixing this problem -- especially after the extensive
> personal cost it has had, and will have, for me. 

Brett, this type of exploit has been around for many years (one element of
the original Internet worm was based on a buffer overflow in fingerd). 
And each time someone gets hacked they have the same grandiose visions for
building elaborate kludges to make sure they're never hacked again.  But,
alas, these visions are only Band-Aid solutions.  The real problem is
flawed application code.  Instead of dreaming up fancy kernel kludges,
let's direct our efforts toward auditing code, thus attacking the problem
at the root. 

I don't want to seem callous to your plight because I know how you must
feel, but does not the old adage "once bitten, twice shy" apply to your
situation?  You were hacked.  Now you know better.  Can we assume that
this will not happen again?

BTW, you aren't running imapd are you?  A new hole, just as evil as the
popper hole, was recently revealed in that.  See the Bugtraq archives at
http://www.netspace.org.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
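The "same tired mistake" the thread refers to (the fingerd overflow being the textbook case) is an unbounded copy of attacker-controlled input into a fixed-size stack buffer. The following is an added illustration, not code from this message, from fingerd, or from FreeBSD: a hypothetical `lookup_user_*` pair shows the unbounded pattern an auditor looks for beside a bounded version that refuses input that does not fit. Function names, the buffer size and the sample inputs are all made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit for the example; a real service would pick its own. */
#define USERNAME_MAX 16

/* The pattern that code audits hunt for: the request length is never
   checked, so a request longer than USERNAME_MAX - 1 bytes overruns
   'name' on the stack. Shown only for contrast; it is never called here
   with oversized input. */
int lookup_user_unbounded(const char *request)
{
    char name[USERNAME_MAX];
    strcpy(name, request);          /* no bound: the classic overflow */
    return (int)strlen(name);
}

/* The hardened pattern: measure with an explicit bound, reject anything
   that would not fit (including its terminator), then copy exactly that
   many bytes. Returns the copied length, or -1 if the request is too long. */
int lookup_user_bounded(const char *request, char *out, size_t out_len)
{
    size_t n = strnlen(request, out_len);   /* never reads past out_len */
    if (n >= out_len) {
        return -1;                  /* refuse rather than overflow or silently truncate */
    }
    memcpy(out, request, n);
    out[n] = '\0';
    return (int)n;
}

/* Small wrapper so a caller (or a test) can exercise the bounded path
   against a USERNAME_MAX-sized buffer and just inspect the result code. */
int bounded_result(const char *request)
{
    char name[USERNAME_MAX];
    return lookup_user_bounded(request, name, sizeof name);
}

/* Returns 1 if the bounded copy reproduces the input exactly, 0 otherwise. */
int bounded_copy_exact(const char *request)
{
    char name[USERNAME_MAX];
    if (lookup_user_bounded(request, name, sizeof name) < 0)
        return 0;
    return strcmp(name, request) == 0;
}

int main(void)
{
    /* Constructed sample requests: one that fits, one that does not. */
    const char *short_req = "brett";
    const char *long_req  = "this-name-is-far-too-long-for-the-buffer";

    printf("short: %d\n", bounded_result(short_req));   /* 5 */
    printf("long:  %d\n", bounded_result(long_req));    /* -1 */
    return 0;
}
```

The point of the bounded version is not the choice of `strnlen`/`memcpy` over `strcpy` but the explicit decision about what happens when input exceeds the buffer: returning an error is the behaviour an auditor can verify, whereas the unbounded version has no such decision point at all.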

