Date: Wed, 22 Jul 1998 02:03:50 +1200 (NZST) From: Andrew McNaughton <andrew@squiz.co.nz> To: proff@iq.org Cc: drosih@rpi.edu, hart@iserver.com, brett@lariat.org, security@FreeBSD.ORG Subject: Re: f-greping across the universe Message-ID: <Pine.BSF.3.96.980722010215.13030A-100000@aniwa.sky> In-Reply-To: <19980721082257.3945.qmail@iq.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 21 Jul 1998 proff@iq.org wrote: > Date: Tue, 21 Jul 1998 18:22:57 +1000 (EST) > From: proff@iq.org > To: andrew@squiz.co.nz > Cc: drosih@rpi.edu, hart@iserver.com, brett@lariat.org, > security@FreeBSD.ORG > Subject: Re: f-greping across the universe > > > -- cut -- > > #!/bin/sh > > for i in `ls /bin/* /usr/bin/* /usr/local/bin/*` > > do > > strings $i | grep vsprintf | sed -e "s|^|$i: |" > > done > > > > -- cut -- > > > > Yikes. > > You can't just leak OpenBSD trade secrets like that. You > must understand the grueling hours Theo & friends spent > creating their meister work. > > Cheers, > Julian. I hope you're not serious. I understand the gruelling bit all to well, but which library routines you use is about as secret as the above shell code suggests, and even if one didn't realize you could search the binaries, the source is available for most of that also. The number of uses of vsprintf that the above shell code turns up does seem to underline the need to deal with the problem. It's not just novice programmers who make mistakes. Certainly the problem is not OS specific. Another semi-solution to throw into the mix: It's beyond my capabilities (or at least well outside my current expertise), but given an executable which is built with gcc (or something else, but I imagine this would be compiler specific), is it possible in general to reverse engineer it, so that calls to vsprintf and other routines are replaced by one which identifies how much space is available in the appropriate stackframe, and rewrite the executable code in memory so that the call to the unsafe routine is replaced with a version which is at least bounded to the dataspace allocated to that routine. How much does this help anyway. Can one effect a buffer overflow by overwriting data pointers in a user's data space? I haven't written C for an Intel machine since the 286, but I gather more recent CPU's help to maintain a division between code and data? Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980722010215.13030A-100000>