Subject: Re: BitchX /ignore bug
From: Joe User (phorlakhATRALAKH.DARKTECH.ORG)
Date: Thu Jul 06 2000 - 21:21:11 CDT


Just think of it this way: someone that's got a natural knack for programming
hops down to a bookstore and picks up "Learn C in 21 Days" and flips through
it for about 10, and has everything down pat. Ok, no problem, except for the
fact that the books you pick up register unsafe gets(), scanf(), strcpy(), etc.
Then, after a short time of writing small projects this way, they find out about
security: checking buffers, making certain that nothing can get out of bounds,
etc. They pick up on this information, but too late. They've already learned
the unsafe way of doing things, and old habits die hard. This, unfortunately,
is what happens oftentimes; I figured it out when I wrote one program and
couldn't figure out why a scanf() would overwrite the EIP and cause a segfault.
It took me about 4 days to find the info online in an article [I believe it was
on SunWorld] that you should never use scanf() at all. Many of the big-shot
programmers out there that contribute or even write programs that are now in
everyday use have never been to a school to learn to program, they just started
by doing. It's shameful that the material they learned from had no notion of
secure programming, but unfortunately that's the way it is :(

>
> It's amazing how some code gets written. I'm glad that I was
> "raised" in a security-conscious environment. I used to take it for
> granted that coders always check for every possible weak point in their
> code that they knew of, now I'm not so naive. How often does this happen? I
> doubt it's laziness, or even ignorance -- some of these issues are pretty
> obscure. Is it the teachers' fault, can anyone be blamed? More
> importantly, is there anything (short of Java, or any change in language)
> that can be done about it?
> Imagine how little we would know if this were
> closed source. *Someone* would notice a segmentation violation sometime,
> fire up a debugger, produce an exploit, and finally an advisory would be
> written. We wouldn't really know a thing. Who knows how long these things
> would go unpatched for?
>
> On Thu, 06 Jul 2000, Keith Simonsen wrote:
> > Hi,
> >
> > Those are front slashes, but backslashes work:
> >
> > Channel #\xff\xff\xff/bin/sh was created at Thu Jul 6 14:56:29 2000
> >
> > In the ircd_defs.h file included with efnet ircd source the max channel
> > length is 200 bytes (#define CHANNELLEN 200)
> >
> > hmm I also noticed the ban length is 1024... that's a lot of room, and is
> > passed to the client when joining a channel. I also tried setting bans
> > with %s and other formatting characters, it works...
> >
> > Anyone want to check the BitchX code for how it parses bans when the
> > client joins the channel?
> --
> Shop smart, shop S-Mart!
> - Ash
>
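The two inputs this thread points at, a channel name up to CHANNELLEN (the value quoted from efnet's ircd_defs.h) and a ban mask that may carry '%' characters, handled the bounded way the first message asks for, as an added C example for this archive page; it is not BitchX or ircd code, and the buffer sizes, function names and sample strings are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* CHANNELLEN is the value quoted from efnet's ircd_defs.h in the thread. The
 * buffer and function names below are assumptions for this example, not BitchX code. */
#define CHANNELLEN 200

static char g_chan[CHANNELLEN + 1];   /* parsed channel name */
static char g_line[2048];             /* rendered "+b" display line */

/* Copy a channel name from server data into a fixed-size buffer. Unlike
 * strcpy(), it looks at most CHANNELLEN + 1 bytes ahead and rejects a name
 * that would not fit, so nothing can run past the end of dst.
 * Returns 1 on success, 0 if src is NULL or too long. */
int copy_channel_name(const char *src, char dst[CHANNELLEN + 1]) {
    const char *end;
    if (src == NULL) return 0;
    end = memchr(src, '\0', CHANNELLEN + 1);   /* bounded search for the terminator */
    if (end == NULL) return 0;                 /* no NUL within the limit: reject */
    memcpy(dst, src, (size_t)(end - src) + 1); /* copies the terminator too */
    return 1;
}

/* Render "<channel> +b <mask>" for display. The mask comes from the network
 * and may contain '%' sequences, so it is passed as an argument to a fixed
 * format string, never used as the format itself. Returns the number of
 * characters written, or -1 if out was too small (output is truncated). */
int format_ban_line(const char *channel, const char *mask, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s +b %s", channel, mask);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Constructed sample input: a name one byte over CHANNELLEN. Returns 1 if rejected. */
int reject_oversize_name(void) {
    char name[CHANNELLEN + 2];
    memset(name, 'a', CHANNELLEN + 1);
    name[0] = '#';
    name[CHANNELLEN + 1] = '\0';
    return copy_channel_name(name, g_chan) == 0;
}

int main(void) {
    if (copy_channel_name("#test", g_chan) &&
        format_ban_line(g_chan, "*!*@%s.example", g_line, sizeof g_line) > 0)
        printf("%s\n", g_line);                 /* prints: #test +b *!*@%s.example */
    printf("oversize name rejected: %d\n", reject_oversize_name());
    return 0;
}
```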