(feh, messed this up once.
and somehow i don't actually own this community? so i made it friends-only and now i can't get the post back?)
Spot the security hole (from
conjecture):
and somehow i don't actually own this community? so i made it friends-only and now i can't get the post back?)
Spot the security hole (from
conjecture):struct header {
int cmd, id, len;
};
[...]
struct header hdr;
char buf[1024], ubuf[1024];
if(read(sock, &hdr, sizeof(hdr)) != sizeof(hdr))
exit(-1);
if(hdr.len < sizeof(hdr) || hdr.len > 1024)
exit(-1);
read(sock, buf, hdr.len);
buf[1023] = 0;
snprintf(ubuf, sizeof(ubuf), "command was %s", buf);
I still have yet to spot a real security vulnerability, though.
The only way it would be a problem is if you had previously left "interesting" stuff in-memory before free'ing a buffer. (char *passwd = malloc(512); get_passwd_from_user(passwd); use_passwd(passwd); free(passwd);)
Yeah, that looks wonky, but there are no vulnerabilities there ... I don't understand why they bother to check for less than the header size if the header is not included in the second read. Unless, of course, they were trying to simply avoid small values.
From Rationale for American National Standard for Information Systems - Programming Language - C:
Enyhoo, this leads to much buffer-overflowing nastiness when you try to read an ungodly large number of bytes (which is accomplished by putting any old negative value in hdr.len), especially when you consider that the buffer is on the stack for some godforsaken reason, and not malloc'ed as all good buffers should be. So, running on just about any big-endian platform (i.e. x86), you can overwrite the return address (also stored on the stack), and jump to an arbitrary location in code -- such as inside the long string you've just used to overwrite the return address. Net effect: the malicious user can run any code he/she damn well pleases, at the security level of the process doing the reading.
Of course, this can all be fixed by making the header struct use an unsigned int (size_t would be preferable) instead of a normal int for the len field.
these sorts of bugs are all the rage these days among "hackers".
Automatic, uncasted integer promotion must die. It would make life a lot easier for us security folks.
True dat.
Here's the scarier thing I've been considering: malicious developer (and this is less likely to happen in a volunteer open-source project) wants to insert a special backdoor in software. Intentionally programming errors like this would be the way to go, I think, since it looks like a simple logic error. It's reminiscent of the kernel.org backdoor attempt several weeks ago:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
Though this is a bit more obvious.
Better yet: stealing from the esteemed Ken Thompson's Trusting Trust paper, why not backdoor a gcc binary on some distro's ftp server to automatically compile bugs or backdoors into all programs?
Agh it makes the head spin.
but it doesn't bother me too much because i don't think trusting the binaries is much worse than trusting the source distributed by (for example) gentoo. (see also: when gnu discovered their hack, and how you still can't download anything from them.)
i always say to people with pride: i am confident that my home machine is perfectly secure. why? i don't have a network connection. (sure, there are local hacks, but if you're going to break in my house you may as well just carry the box off...)