Full Disclosure mailing list archives
Re: Evidence of a ISC being hacked?
From: Valdis.Kletnieks () vt edu
Date: Thu, 24 Jun 2004 13:54:52 -0400
On Thu, 24 Jun 2004 08:27:11 PDT, VX Dude <vxdude2003 () yahoo com> said:
> http://www.kb.cert.org/vuls/id/654390
>
> Apparently one of the new DHCP vulnerabilities stems from the following
> code found in a header file.
>
>     #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
>
> Why would any coder replace a more secure function with a less secure
> function? Personally I don't see any reason except to backdoor the
> software.
Hmm.. are you perchance new to software development? ;)

Quoting one of the advisories:

    VU#654390 discusses C include files for systems that do not support
    the bounds checking vsnprintf() function. These files define the
    bounds checking vsnprintf() to the non-bounds checking vsprintf()
    function. Since vsprintf() is a function that does not check bounds,
    the size is discarded, creating the potential for a buffer overflow
    when client data is supplied. Note that the vsnprintf() statements
    are defined after the vulnerable code that is discussed in VU#317350.

It's easier to just #define the critter than to re-re-invent the C code for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play nice with the vendor's stdio - this can be .. umm... "interesting" if the innards of the vendor stdio are more bizarre than usual...).

Go ahead - go and re-write a vsnprintf, and compare that to the time it takes to do the #define, and remember that this situation almost certainly came up because some *other* coder had changed a vsprintf() to a vsnprintf() for the obvious security reasons, it built OK on the other coder's test box, they released a -rc release candidate, and the build broke on OTHER systems because there wasn't a vsnprintf() in the vendor libc - and your boss is telling you TO GET THE THING TO BUILD, NOW....

The programmer who is willing to swear on a Bible that they have *never* in their professional careers done something like this because they were in a time crunch is either a newbie or a complete liar.
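As an added illustration (this is not code from the post, the CERT advisory, or the ISC DHCP source), the C program below puts the advisory's macro next to the alternative the reply describes, a hand-written bounds-checking vsnprintf. The macro is copied from the quoted post but renamed legacy_vsnprintf so it does not shadow the real libc function on a modern system; portable_vsnprintf is a hypothetical minimal replacement that handles only %s, %d, %c and %% and follows the C99 contract (never writes past size, always NUL-terminates, returns the length the full output would have needed). To show the discarded size without actually corrupting memory, the demo passes a 64-byte buffer while claiming it is only 4 bytes: the legacy macro writes all seven characters of "port=67" anyway, the replacement stops at "por".

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The macro quoted in the post, renamed so it does not shadow libc's
 * vsnprintf here. Note that `size` never reaches vsprintf(). */
#define legacy_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

/* Wrapper around the legacy macro: `size` is accepted but never honoured. */
int legacy_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = legacy_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Store one output byte only while it fits, but always count it, so the
 * final return value reflects the untruncated length. */
static void emit(char *buf, size_t size, size_t *pos, char c)
{
    if (*pos + 1 < size)          /* keep one byte for the terminating NUL */
        buf[*pos] = c;
    (*pos)++;
}

/* Hypothetical minimal bounds-checking vsnprintf: %s %d %c %% only. */
int portable_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    size_t pos = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { emit(buf, size, &pos, *p); continue; }
        p++;
        switch (*p) {
        case 's': {
            const char *s = va_arg(ap, const char *);
            if (!s) s = "(null)";
            while (*s) emit(buf, size, &pos, *s++);
            break;
        }
        case 'd': {
            int v = va_arg(ap, int);
            unsigned int u = v < 0 ? 0u - (unsigned int)v : (unsigned int)v;
            char tmp[12];             /* room for the digits of INT_MIN */
            int len = 0;
            do { tmp[len++] = (char)('0' + u % 10); u /= 10; } while (u);
            if (v < 0) emit(buf, size, &pos, '-');
            while (len) emit(buf, size, &pos, tmp[--len]);
            break;
        }
        case 'c': emit(buf, size, &pos, (char)va_arg(ap, int)); break;
        case '%': emit(buf, size, &pos, '%'); break;
        case '\0': p--; break;        /* dangling '%' at end of format */
        default:                      /* unsupported conversion: copy literally */
            emit(buf, size, &pos, '%');
            emit(buf, size, &pos, *p);
            break;
        }
    }
    if (size > 0)
        buf[pos < size ? pos : size - 1] = '\0';
    return (int)pos;
}

int portable_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = portable_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Demo helpers: real storage is 64 bytes, but each call claims only 4.
 * Each returns how many bytes actually landed in the buffer. */
int legacy_written_len(void)
{
    char b[64];
    memset(b, 'X', sizeof b);
    legacy_format(b, 4, "%s=%d", "port", 67);   /* "port=67" is 7 bytes */
    return (int)strlen(b);
}

int portable_written_len(void)
{
    char b[64];
    memset(b, 'X', sizeof b);
    portable_format(b, 4, "%s=%d", "port", 67);
    return (int)strlen(b);                       /* "por" + NUL */
}

int main(void)
{
    printf("legacy macro wrote %d bytes into a buffer it was told holds 4\n",
           legacy_written_len());
    printf("portable replacement wrote %d bytes\n", portable_written_len());
    return 0;
}
```

The point of the helper is the one the reply makes: even this toy version has to get truncation, the NUL terminator and the return-value contract right, and a real one also has to match the vendor's stdio for every conversion the code base uses. That is the work the #define was trading away.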