On Mon, Feb 12, 2001 at 02:34:43PM -0600, Tim Yardley wrote:
> >This is a nice example of bad code, but not a security issue. I could
> >show a hundred programs that simply don't care about *argv parameters.
> >You don't gain anything by exploiting such overflows in non-suid programs.
>
> watch what you say there.  there have been hundreds of programs that have
> been exploited via argv params.  a bof is a bof.. regardless of where it
> is.  also, just because you don't gain anything doesn't mean that the
> problem shouldn't be documented and fixed.

A bof is a bof. You are completely right, but as I said, and I still believe
so, most buffer overflows are just bad coding practice. Don't get confused
by all the hype: there are far more applications with buffer overflows
in argv that are definitely not security relevant than security relevant
ones.

> lastly, you stated that nothing
> is gained by overflowing non-suid programs.  that statement is obviously
> inaccurate.  if you gain ANY uid/gid (etc etc) that is not in your
> current list, you are changing your privileges on the system.  whether or
> not it is a ROOT compromise is a whole different matter.

Maybe I was expressing myself a little too sloppily, but if I consider
applications that are non-suid (so no set-uid occurs), e.g. the mysql
command, there is nothing special about overflows in the
*argv parameters; it's just bad code. This is specific to those command
line parameters, since they are only given by the user who is executing
the program.

I am not talking about general problems with buffer overflows or any other
technique that might allow overwriting the stack, but in this case the user
who is sending the content to the stack is the one who can execute it;
privileges are not changed.

Maybe you can explain how I will change my privileges on a system when
executing exactly such overflows; I can't see it.

Regards,
Konrad

--
Konrad Rieck <[EMAIL PROTECTED]>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
--           Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897
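The "bad code" both posters agree on is an unbounded copy of a command-line argument into a fixed-size buffer. As an added example (not code from this thread or from any program it mentions), here is that pattern beside a bounded replacement that rejects over-long arguments instead of overrunning the buffer. The buffer size, function names and the small `main` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size destination for one command-line argument.
   Constructed size for the example; real programs pick their own. */
#define ARG_BUF_SIZE 16

/* The pattern under discussion: argv[1] copied with no length check.
   If strlen(arg) >= ARG_BUF_SIZE the copy runs past the end of dst.
   Kept here only for contrast; it is never called with untrusted input. */
void copy_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);          /* no bound: this is the overflow */
}

/* Bounded replacement: refuse an argument that does not fit, rather than
   silently truncating or overflowing. Returns 0 on success, -1 on reject. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    if (arg == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(arg);
    if (len >= dst_size)       /* need one byte for the terminating NUL */
        return -1;
    memcpy(dst, arg, len + 1); /* copies the NUL as well */
    return 0;
}

/* Process one argument the way a small CLI might: validate, then use.
   Returns 0 when accepted, 1 when rejected (a clean error, not a crash). */
int handle_arg(const char *arg, char *out, size_t out_size)
{
    if (copy_arg_checked(out, out_size, arg) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                out_size ? out_size - 1 : 0);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 2;
    }
    if (handle_arg(argv[1], buf, sizeof buf) != 0)
        return 1;
    printf("accepted: %s\n", buf);
    return 0;
}
```

Whether or not the program is set-uid, the bounded version turns an over-long argument into a rejected input with a non-zero exit status, which is the fix the thread says should be made regardless of who can exploit the original.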
