Bugtraq mailing list archives
Re: Tripwire mess..
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 5 Jan 1999 11:43:33 +0100
This may be, or may not be a security issue, however, since a lot of people still use tripwire-1.2 or lesser versions (this is what shipped with R.H. Linux 5.2 at least), they might be interested in the following detail:

Chuck Campbell (campbell () neosoft com) pointed out to me that tripwire dies with a coredump on R.H. Linux if it hits a filename containing 128-255 characters. Playing a bit with the debugger I found out that the problem sits around line 417:

    else if (iscntrl(*pcin)) {
        *pcout++ = '\\';
        *pcout++ = *(pccopy = octal_array[(int)(*pcin)]);
        *pcout++ = *++pccopy;
        *pcout++ = *++pccopy;
    }

iscntrl here would return 'true' not only for [0-31] arg, but also for [128-255]. It causes two problems here:

1. original octal_array contained only 127 elements, reference would go outside the array with *pcin>127

2. pcin is declared as pointer to char, which caused a negative offset for chars in range above 127. (and which actually caused coredump in this case)
This is a very common code problem; typically, these is* macros take int arguments where the only valid arguments are either -1 .. 255 or 0 .. 255. Many OSes/compilers use signed chars. Almost nobody takes proper care in casting char arguments to is*() to unsigned char. You'll find unpredictable things in much code, I'm sure.

Casper
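The cast described in the reply above, as an added example that is not part of the original messages or of Tripwire's source. escape_name() is a hypothetical replacement for the quoted loop: it casts to unsigned char before calling iscntrl() and computes the octal digits directly, so no lookup table is indexed; the sample filename is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Index the quoted line computes where char is signed: negative for
 * bytes 0x80..0xFF. Arithmetic only, never used to index anything. */
static int index_as_written(signed char c) { return (int)c; }

/* Index after casting to unsigned char: always 0..255. */
static int index_fixed(char c) { return (int)(unsigned char)c; }

/* Hypothetical escaper: control bytes, bytes above 127 and the backslash
 * itself become \ooo. Returns the output length, or (size_t)-1 if `out`
 * (outsz bytes, including the terminating NUL) is too small. */
static size_t escape_name(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return (size_t)-1;
    for (; *in != '\0'; in++) {
        unsigned char uc = (unsigned char)*in;   /* cast before is*() */
        if (iscntrl(uc) || uc > 127 || uc == '\\') {
            if (n + 4 >= outsz) return (size_t)-1;
            out[n++] = '\\';
            out[n++] = (char)('0' + ((uc >> 6) & 7));
            out[n++] = (char)('0' + ((uc >> 3) & 7));
            out[n++] = (char)('0' + (uc & 7));
        } else {
            if (n + 1 >= outsz) return (size_t)-1;
            out[n++] = (char)uc;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[64];
    const char *name = "caf\xE9\tlog";   /* constructed sample filename */
    printf("index as written: %d, with cast: %d\n",
           index_as_written((signed char)name[3]), index_fixed(name[3]));
    if (escape_name(name, buf, sizeof buf) != (size_t)-1)
        printf("escaped: %s\n", buf);
    return 0;
}
```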