5299665 2000-07-25 21:24 /40 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <11910> Kommentar till text 5296113 av Brevbäraren (som är implementerad i) Python Ärende: Re: Chasing bugs / vulnerabilties ------------------------------------------------------------ From: Kurt Seifried <listuser@SEIFRIED.ORG> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <001501bff5d3$a1d293e0$6900030a@seifried.org> Amen. [snipsnip] > Both white box (known source and specifications) and black box (using > documetation for software without knowing the internals) testing should be > carried out - by individuals separate and apart from the coders. > > Try the UNIX Fuzz experiment, first conducted at the University of Wisconsin > on multiple UNIX operating systems and when tried again several years later > revealed only slightly better results (the Fuzz experiment throws garbage > input on the command line into a program and tests the response). We > (check out > http://www.cerias.purdue.edu/coast/ms_penetration_testing/v11.html) tried > the same experiment on WinNT with 'interesting' results. Fuzz for Linux: http://fuzz.sourceforge.net/ Secure programming documentation and software (several links). http://www.securityportal.com/lskb/articles/kben10000082.html ITS4 http://www.rstcorp.com/its4/ SLINT http://www.l0pht.com/products.html#SLINT > Michael S Hines, CISA,CIA,CFE,CDP | Phone 765.494.5338 Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/ (5299665) ------------------------------------------ 5299712 2000-07-25 21:54 /36 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <11912> Ärende: Don't change C conventions; fix programmers instead ------------------------------------------------------------ From: jsl2@JEDITECH.COM To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <Pine.GSO.4.10.10007251108230.1343-100000@stargazer.jeditech.com> ... My two cents regarding the discussion of changing the C varargs/stdarg calling convention: it's a waste of time - we should be teaching proper programming techniques instead. 1. There are other languages that provide strict type checking: C++, Java, etc. With the use of C++ iostream, one doesn't need varargs for printf() and friends. "Ease of use" of iostream, etc. is not for debate here - point is there are alternatives. 2. How long do we think it'll take before varargs supplement will take to ratify? For the compiler vendors to implement? and more important, to IMPLEMENT CORRECTLY? Do we want to take a chance this may introduce compiler bugs that could result in security problems? 3. The effort to "fix" varargs will solve ONE class of problems for ONE language. It doesn't fix buffer overflows; it doesn't fix numeric over/underflows; it doesn't remove dangerous chars from URLs (well, in some circumstances maybe it can) IMHO the effort should focused on teaching people how to write defensive programs; how to validate user input; and why the details matter. These topics are just as important as data structures. Needless to say, the proper techniques (and a dose of paranoia) will carry across languages. Don't waste time inventing crutches - time to flog the luser programmers. :=) Regards, -James (5299712) ------------------------------------------(Ombruten) 5303603 2000-07-26 20:43 /112 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <11932> Ärende: Poor man's solution to format bugs ------------------------------------------------------------ From: Mike Frantzen <frantzen@EXPERT.CC.PURDUE.EDU> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200007260031.TAA27965@expert.cc.purdue.edu> /* * This is a kludgy example of a source level workaround to the now * infamous format bugs. It should work for newer versions of gcc. Older * versions should work as well but you can use recursive macros. * * It uses a set of variable arguement macros to wrap variable arguement * functions. It counts the number of arguements and passes the count * to a wrapper function. Now it has a count of the passed arguements. * * It should be relatively easy to apply the technique to other vulnerable * functions. Care would have to be taken in multithreaded programs to * use a thread specific data. * Stick the macros into the standard include's and a slight hack to LD_PRELOAD * or libc. Those of us who are not Theo get some semblance of protection ;) * * I'm sure someone with more sleep will improve on the concept. * * See the gcc info pages for an explaination of variable arguement macros. * I'm too tired to explain them. You may want to run 'gcc -E' against it * to see how they expand. * * gcc -v * Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.7/2.95.2/specs * gcc version 2.95.2 19991024 (release) * * Program output: * none * one 1 * two 1 2 * three 1 2 3 * Aiieee. Arguement count mismatch of 1. * Aiieee. Arguement count mismatch of -1. * * * As always, pardon the spelling errors. Bad english is by native language. * See you all at defcon. */ #include <stdio.h> #include <stdio.h> #include <varargs.h> /* Could stick this stuff into an include file */ #define printf mikes_print(&cnt, print0 #define print0(x, args...) x ,print1(## args) #define print1(x, args...) x+(++cnt-cnt) ,print2(## args) #define print2(x, args...) x+(++cnt-cnt) ,print3(## args) #define print3(x, args...) x+(++cnt-cnt) ,print4(## args) #define print4(x, args...) x+(++cnt-cnt) ,print5(## args) #define print5(x, args...) x+(++cnt-cnt) ,print6(## args) #define print6(x, args...) x+(++cnt-cnt) ,print7(## args) #define print7(x, args...) x+(++cnt-cnt) ,print8(## args) #define print8(x, args...) x+(++cnt-cnt) ,print9(## args) #define print9(x, args...) Need_to_make_more_print_statements /* END include stuff */ void mikes_print(int *args, char *format, ...); /* Arguement counter */ int cnt = 0; int main(void) { printf("none\n"); printf("one %d\n", 1); printf("two %d %d\n", 1, 2); printf("three %d %d %d\n", 1, 2, 3); printf("explode %x %n %p\n", 1, 2, 3, 4); printf("explode %d %p %n %d %d\n", 1, 2, 3, 4); return 0; } /* * Simply counts the % tokens in the function. * Bomb out if they don't match *args. */ void mikes_print(int *args, char *format, ...) { va_list ap; char *rptr; for (rptr = format; *rptr; rptr++) if (*rptr == '%') if (*++rptr != '%') (*args)--; if (*args) { fprintf(stderr, "Aiieee. Arguement count mismatch of %d.\n", *args); *args = 0; return; } /* Must turn counter back to 0 */ *args = 0; va_start(ap); vprintf(format, ap); va_end(ap); } (5303603) ------------------------------------------