Bugtraq mailing list archives
Re: Some more MySql security issues
From: Konrad Rieck <kr () R0Q CX>
Date: Mon, 12 Feb 2001 22:19:20 +0100
On Mon, Feb 12, 2001 at 02:34:43PM -0600, Tim Yardley wrote:
> > This is a nice example of bad code, but not a security issue, I could
> > show up a 100 of programs that simply don't care for *argv parameters.
> > You don't gain anything by exploiting such overflows in non-suid programs.
>
> watch what you say there. there have been hundreds of programs that have
> been exploited via argv params. a bof is a bof.. regardless of where it is.
> also, just because you don't gain anything doesn't mean that the problem
> shouldn't be documented and fixed.
A bof is a bof. You are completely right, but as I said and I still believe so, most buffer overflows are just bad coding practice. Don't get confused by all that hype, there are far more applications with buffer overflows in argv that are definitely not security relevant than security relevant ones.
> lastly, you stated that nothing is gained by overflowing non-suid programs.
> that statement is obviously inaccurate. if you gain ANY uid/gid (etc etc)
> that is not in your current list, you are changing your privileges on the
> system. whether or not it is a ROOT compromise is a whole different matter.
Maybe I was expressing myself a little too sloppily, but if I consider applications that are non-suid (so no set-uid occurs), e.g. the mysql command, there is nothing special about overflows in the *argv parameters; it's just bad code. This is special to those command line parameters, since they are only given by the user who is executing the program. I am not talking about general problems with buffer overflows or any other technique that might allow overwriting the stack, but in this case the user who is sending the content to the stack is the one that can execute it - privileges are not changed. Maybe you can explain how I will change my privileges on a system when executing exactly such overflows; I can't see it.

Regards,
Konrad

--
Konrad Rieck <kr () r0q cx>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
-- Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
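Editor's added example, not code from this thread or from MySQL: the argv handling pattern the two posters are arguing about, shown as the unbounded copy beside a bounded one that rejects oversized input, plus the check that decides Konrad's question. A copy into a fixed buffer from argv is only a privilege issue when the process runs with effective ids that differ from the invoker's real ids (a set-uid/set-gid binary); `crosses_privilege_boundary()` reports exactly that. The names `copy_option_unsafe`, `copy_option_safe` and `OPT_MAX` are this example's own, not anything from the page.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define OPT_MAX 64   /* fixed option buffer, as in the pattern under discussion */

/* The bad-code pattern: unbounded copy of a command-line argument into a
 * fixed buffer. Kept here only for contrast with the bounded version below;
 * nothing in this file calls it. */
void copy_option_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);               /* writes past dst once strlen(src) >= OPT_MAX */
}

/* Bounded version: refuses an argument that does not fit instead of
 * truncating it silently. Returns 1 on success, 0 if src is too long.
 * memchr is used rather than strnlen so the code builds under strict ISO C. */
int copy_option_safe(char dst[OPT_MAX], const char *src)
{
    const char *end = memchr(src, '\0', OPT_MAX);
    if (end == NULL)                /* no terminator within OPT_MAX bytes: reject */
        return 0;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the terminator */
    return 1;
}

/* Would corrupting this process's memory hand the invoker anything they do
 * not already hold? Only if the effective ids differ from the real ids,
 * i.e. the binary is set-uid or set-gid. Returns 1 in that case, else 0. */
int crosses_privilege_boundary(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(int argc, char **argv)
{
    char opt[OPT_MAX];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <option>\n", argv[0]);
        return 2;
    }
    if (!copy_option_safe(opt, argv[1])) {
        fprintf(stderr, "option too long (max %d bytes)\n", OPT_MAX - 1);
        return 1;
    }
    printf("option=%s set-id-boundary=%d\n", opt, crosses_privilege_boundary());
    return 0;
}
```

Run it as a normal binary and `set-id-boundary` is 0: an oversized argument is rejected, and even the unbounded variant would only let the invoker corrupt a process that already runs as them. The same source installed with the set-uid bit flips the check to 1, which is the case where the argv length check stops being a code-quality matter.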