Subject: Re: ftpd: the advisory version
From: Sebastian (scut@nb.in-berlin.de)
Date: Thu Jun 29 2000 - 14:02:09 CDT
- Next message: Jim Knoble: "Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)"
- Previous message: Elias Levy: "(forw) Re: Netscape ftp Server (fwd)"
- In reply to: Kasatenko Ivan Alex.: "Re: ftpd: the advisory version"
- Next in thread: Barney Wolff: "Re: ftpd: the advisory version"
- Next in thread: Kragen Sitaker: "Re: ftpd: the advisory version"
- Reply: Sebastian: "Re: ftpd: the advisory version"
> Hello!
Hi.
> > So this is still unsafe:
> > void
> > func_weak (char *domain)
> > {
> > unsigned char buff[2000];
> > size_t len = domain[0];
> >
> > strncpy (&buff[0], &domain[1], len);
> > buff[1999] = '\x00';
> > }
> >
> It *is* safe, as far as the char type is concerned.
> And len cannot fall below zero and cannot grow above
> 255. (0 <= char <= 255, on most platforms)
> The size of buff is much more than 255. So this code
> is safe, in my opinion.
Welcome to the thinking of programmers who fall for this type of bug. It's
not a shame, it's easy to overlook, but yes, it is UNSAFE.
Example:
---[footest.c]---
#include <stdio.h>
#include <string.h>

int
main (int argc, char *argv[])
{
	int i;
	size_t len;
	char source[300];
	char buff[300];
	char foo = '\x80';	/* 0x80 is -128 where plain char is signed */

	/* fill source with '-' and terminate it */
	for (i = 0 ; i < sizeof (source) ; ++i)
		source[i] = '-';
	source[sizeof (source) - 1] = '\x00';

	/* -128 converted to size_t wraps to a huge unsigned value */
	len = foo;
	strncpy (buff, source, len);

	/* count how many '-' ended up in buff */
	for (i = 0 ; buff[i] == '-' ; ++i)
		;
	printf ("%d\n", i);

	return 0;
}
---[end]---
gives:
Breakpoint 2, main (argc=1, argv=0xbffffd24) at footest.c:20
20 len = foo;
(gdb) n
21 strncpy (buff, source, len);
(gdb) display len
1: len = 4294967168
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x40054949 in strncpy ()
(gdb)
For a reason unknown to me, strncpy segfaults for such a long len
parameter, although the source buffer is terminated, but it demonstrates
very well that len can reach huge values.
> The problem may reveal itself only on computers where
> char type is signed by default.
Which it is on all platforms I know. The compiler assumes that all simple
C types are signed except if explicitly given a type modifier such as
unsigned.
> *wave*,
> John <skywriter@rnc.ru>
ciao,
scut
--
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
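The conversion the thread argues about, and a hardened form of the quoted func_weak, as an added example that is not part of the original post or of any ftpd code. The function names, the domain_len parameter and the two sample messages are constructed for illustration. Whether plain char is signed is implementation-defined in C, so the block checks it at run time instead of assuming it; the signed char and unsigned char variants show both outcomes regardless of platform. One caveat worth knowing when reading the gdb session above: strncpy writes exactly len bytes, NUL-padding after the source's terminator, so a len near 4 GB overruns buff whether or not source is terminated.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 1 if plain char is a signed type on this platform, else 0.
   The signedness of plain char is implementation-defined in C. */
int char_is_signed (void)
{
	return (char) -1 < 0;
}

/* The conversion at the heart of the thread, once per char flavour.
   A negative value converted to size_t wraps modulo SIZE_MAX + 1,
   so -128 becomes SIZE_MAX - 127. */
size_t len_from_signed_char (signed char c)     { return (size_t) c; }
size_t len_from_unsigned_char (unsigned char c) { return (size_t) c; }
size_t len_from_plain_char (char c)             { return (size_t) c; }

/* The length computation of the quoted func_weak, unchanged:
   "size_t len = domain[0];".  Returned instead of handed to strncpy
   so it can be inspected without overrunning anything. */
size_t weak_len (const char *domain)
{
	size_t len = domain[0];
	return len;
}

/* Hardened counterpart of func_weak (hypothetical name).  domain_len is
   the number of bytes actually received, a parameter the weak version
   lacked; the length byte is read as unsigned char and checked against
   both the bytes present and the destination size.  Returns the payload
   length copied, or -1 if the message is malformed or does not fit. */
int func_hardened (const char *domain, size_t domain_len,
                   char *out, size_t out_sz)
{
	size_t len;

	if (domain == NULL || out == NULL || domain_len < 1 || out_sz == 0)
		return -1;

	len = (unsigned char) domain[0];	/* 0..255, never negative */
	if (len > domain_len - 1)		/* claims more bytes than we have */
		return -1;
	if (len >= out_sz)			/* would not fit with terminator */
		return -1;

	memcpy (out, domain + 1, len);
	out[len] = '\0';
	return (int) len;
}

/* Constructed sample messages (not from the original post): a
   well-formed one and one whose length byte is 0x80. */
static const char good_msg[] = { 3, 'A', 'B', 'C' };
static const char bad_msg[]  = { (char) 0x80, 'A', 'B', 'C' };

/* Copy good_msg through the hardened path; 1 only if exactly "ABC"
   came out, 0 otherwise. */
int hardened_copies_good_msg (void)
{
	char out[16];

	return func_hardened (good_msg, sizeof good_msg, out, sizeof out) == 3
	       && strcmp (out, "ABC") == 0;
}

int main (void)
{
	char out[16];

	printf ("plain char is %s\n", char_is_signed () ? "signed" : "unsigned");
	printf ("weak len for 0x80 prefix: %zu\n", weak_len (bad_msg));
	printf ("hardened, good message:   %d\n",
	        func_hardened (good_msg, sizeof good_msg, out, sizeof out));
	printf ("hardened, 0x80 prefix:    %d\n",
	        func_hardened (bad_msg, sizeof bad_msg, out, sizeof out));
	return 0;
}
```

On an x86 Linux build, where plain char is signed, weak_len(bad_msg) prints the same 4294967168-style value gdb showed above (SIZE_MAX - 127 for the platform's size_t); on a platform with unsigned char it prints 128. func_hardened rejects the 0x80-prefixed message either way, because the length byte claims 128 payload bytes and only 3 are present.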