Bugtraq mailing list archives

Re: Imagemap CGI overflow exploit

From: john () LOVERSO SOUTHBOROUGH MA US (John LoVerso)
Date: Fri, 22 Oct 1999 13:12:05 -0400

void main(int argc, char **argv)
{
        char      OutString[100];
        // extract x & y from passed values
        strcpy(OutString, argv[1]);

This overflow can be avoided if you put the following code before
strcpy().

if (strlen(argv[1])>99) exit(0);


While a tiny bounds check is usually important, IMHO it is more important to
notice the coding style.  The tiny snippet above tells me that the author of the
original code doesn't have much of a clue.  I don't mean just in regards to
static buffer sizes, but also in regards to effeciency, memory utilization, or
possibly even programming in C.  Why didn't they use "char *outstring =
argv[1];"?  What do they do with Outstring, just pass it to atoi() to extract
x?  Or, perhaps, they even wrote their own version of atoi() with it's own
errors.  This code snippet has "I just learned C" all over it.  I wouldn't be
surprised if the original author didn't make dozens of similar mistakes.

This is damning not only to this particular program, but also reflects on the
quality and care that went into "OmniHTTPd 1.01 and Pro2.04".  I don't know what
those programs are, but if they were commercial packages, this could be a
warning as to the possibility of their own weaknesses.  The willingness of an
author to ship such obviously broken code shows a distinct lack of
professionalism.  It's obvious they don't code review, which probably means they
couldn't have done a security review.

I'm not trying to pick on one program or author, but this is indicative of the
state of software in general.

This leads to one of the (usually) ignored keystones of that which, of late, has
aquired the name "open source software".  Having source doesn't just let you fix
or extend software upon which you depend.  Seeing the source code of a program
can give valuable insight about the quality and skill that went into it's
development.  Shunning code and products from sources of low quality can help
stem the tide of bugs, especially those that result in security vulnerabilities.

John

Current thread:

Imagemap CGI overflow exploit UNYUN (Oct 21)
- Re: Imagemap CGI overflow exploit John LoVerso (Oct 22)
- e/pop vulnerability chaos 255 (Oct 25)
- Re: Imagemap CGI overflow exploit Thomas Reinke (Oct 25)