Mads Rasmussen <[EMAIL PROTECTED]> said: >I for one have difficulties understanding the "off-by-one" >vulnerability. Maybe a kind soul would step in?
I'll try to tackle this. Corrections or additions are most welcome :) In general, off-by-one bugs involve small errors in which an array of size "N" is accessed using an index of N - but since an index is 0-based in C, the maximum index for the array is N-1. So, N is actually one byte outside the range of the array. I haven't dug deeply into the details, but there are probably a couple variants. When manipulating strings using functions like strcpy, this means that the terminating null byte is written outside of the buffer, in some other memory location that might have security implications if that null is interpreted as a 0. Or, that memory location is overwritten after the null was inserted (say, by a string copy to another variable), so the null character is removed. Then, a function that processes that string will keep accessing memory until it hits a 0 byte. Functions like strncpy can also be vulnerable to off-by-ones. If the input is exactly size N, then strncpy doesn't add a terminating null byte. Any kind of C array can be susceptible to off-by-ones, not just strings. And the use of terminators isn't necessarily required. For example, if a programmer has an array of data structures, its length might be stored in a separate variable, rather than relying on a terminator value to signify the last element of the array. The bug isn't always exploitable for code execution. For example, sensitive data could be leaked from "nearby" memory locations due to a missing null terminator. Some documents that touch on off-by-ones include: Halvar Flake's presentation at Black Hat Europe 2001 on "Third Generation Exploits on NT/Win2k Platforms," which includes buffer overflows, heap/free() and off-by-one errors: http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-europe-01-halvarflake.ppt This includes a nice graphic representation of the problem at the stack level, touching on how portions of return addresses can be overwritten. The following Bugtraq post by Vade 79 gives an alternate description of off-by-ones, along with an example that causes potentially sensitive memory to be read and copied into a string because of the missing terminator. BUGTRAQ:20030727 [PAPER]: Address relay fingerprinting. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105941103709264&w=2 The following Bugtraq post by Jedi/Sector One gives something of a good demonstration if you read between the lines in the code: BUGTRAQ:20020624 Apache mod_ssl off-by-one vulnerability URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102513970919836&w=2 In this example, a buffer is allocated 1024 bytes, and there is a conditional in a loop which tests if i < 1024. However, after that loop exits, index "i" in the array is modified. Olaf Kirch's Bugtraq post "The poisoned NUL byte" seems to be an early report of the security implications of an off-by-one error: BUGTRAQ:19981014 The poisoned NUL byte URL:http://www.securityfocus.com/archive/1/10884 Here are some more source code examples, from Bugtraq posts by Janusz Niewiadomski: BUGTRAQ:20030714 Linux nfs-utils xlog() off-by-one bug URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105820223707191&w=2 BUGTRAQ:20030731 wu-ftpd fb_realpath() off-by-one bug URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105967516807664&w=2 - Steve