Open Source and information security mailing list archives
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Evidence of a ISC being hacked? 

On Thu, 24 Jun 2004 08:27:11 PDT, VX Dude <vxdude2003@...oo.com>  said:
> http://www.kb.cert.org/vuls/id/654390
> 
> Apparently one of the new DHCP vulnerabilities stems
> from the following code found in a header file.
> 
> #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
> 
> Why would any coder replace a more secure function
> with a less secure function?  Personally I don't see
> any reason except to backdoor the software.

Hmm.. are you perchance new to software development? ;)

Quoting one of the advisories:

   VU#654390 discusses C include files for systems that do not support
   the bounds checking vsnprintf() function. These files define the
   bounds checking vsnprintf() to the non-bounds checking vsprintf()
   function. Since vsprintf() is a function that does not check bounds,
   the size is discarded, creating the potential for a buffer overflow
   when client data is supplied. Note that the vsnprintf() statements are
   defined after the vulnerable code that is discussed in VU#317350.

It's easier to just #define the critter than to re-re-invent the C code
for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
nice with the vendor's stdio - this can be .. umm... "interesting" if the
innards of the vendor stdio are more bizarre than usual...)

Go ahead - go and re-write a vsnprintf, and compare that to the time it
takes to do the #define, and remember that this situation almost certainly
came up because some *other* coder had changed a vsprintf() to a vsnprintf()
for the obvious security reasons, it built OK on the other coder's test box,
they released a -rc release candidate, and the build broke on OTHER systems
because there wasn't a vsnprintf() in the vendor libc - and your boss is
telling you TO GET THE THING TO BUILD, NOW....

The programmer who is willing to swear on a Bible that they have *never* in
their professional careers done something like this because they were in a
time crunch is either a newbie or a complete liar.
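
An added illustration, not code from this thread or from the ISC DHCP sources: the advisory's compatibility macro beside a bounds-respecting fallback for a libc that lacks vsnprintf(). The fallback measures the formatted length with vfprintf() to /dev/null (assumed to exist) before touching the caller's buffer; the two fmt_* harness functions and their 64-byte backing buffer are constructed so the size being ignored shows up as a length, not as memory corruption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The compatibility macro from the advisory: the size argument is simply
 * dropped, so the write is bounded only by what the format produces. */
#define unsafe_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

/* A bounds-respecting fallback for a libc without vsnprintf(): measure the
 * formatted length by printing to /dev/null, then format into a buffer that
 * is large enough and copy at most size-1 bytes plus the terminator. */
static int compat_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    va_list ap2;
    FILE *scratch = fopen("/dev/null", "w");   /* assumption: /dev/null exists */
    if (scratch == NULL) return -1;
    va_copy(ap2, ap);
    int len = vfprintf(scratch, fmt, ap2);     /* full length; buf untouched so far */
    va_end(ap2);
    fclose(scratch);
    if (len < 0) return -1;
    if ((size_t)len < size)                    /* fits, terminator included */
        return vsprintf(buf, fmt, ap);
    char *tmp = malloc((size_t)len + 1);
    if (tmp == NULL) return -1;
    vsprintf(tmp, fmt, ap);
    if (size > 0) {
        memcpy(buf, tmp, size - 1);
        buf[size - 1] = '\0';
    }
    free(tmp);
    return len;                                /* C99 semantics: length wanted */
}

/* Harness (constructed): format into a 64-byte backing buffer while claiming
 * only CLAIMED bytes; returns how many bytes actually landed in the buffer. */
static size_t fmt_unsafe(char backing[64], size_t claimed, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    unsafe_vsnprintf(backing, claimed, fmt, ap); /* claimed is discarded here */
    va_end(ap);
    return strlen(backing);
}
static size_t fmt_safe(char backing[64], size_t claimed, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    compat_vsnprintf(backing, claimed, fmt, ap);
    va_end(ap);
    return strlen(backing);
}
```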
