Bugtraq mailing list archives

Re: httpd ...


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Tue, 28 Feb 1995 07:18:20 -0500


> Proper and careful use of dynamic string libraries is in any case
> better than fixed-size buffers; they solve the security problem
> (with overflows) and they do not inhibit functionality, as do
> fixed-size buffers.

> These are my thoughts also.  Static buffers suck.  I suppose there is
> always the danger of introducing more bugs due to the relative
> complexity of such a dynamic scheme however.

Of course.  There is also the danger that some bozo will start sending
you near-infinite strings, which will cause your server to grow
effectively without bound, until it finally runs out of VM and tries to
write a many-megabyte core dump.  Great denial-of-service fodder. :-)

> [...dynamic string library...]  Anyone have any thoughts, insights, or
> experiences?

I'm not sure how close this is, but the FTP daemon on my home box is
written not in C, but in a language with a real string datatype.  It is
somehow very comforting to think that this makes it completely
invulnerable to buffer-overflowing attacks.  (I think it may even be
close to true. :-)  As a pleasant side effect, the way this language's
getpw* primitives work also makes the daemon invulnerable to the
getpwent()-overwriting problem too.  (The one corresponding to the
attack "USER anonymous" / "CWD ~root" / "PASS someone@somewhere".)

On the other hand, it is in my opinion unpleasantly large and slow.
Since I'm not running a major archive site and don't have hundreds of
FTPers beating down the door to get to my stuff, I don't feel this is a
practical problem for me.

Of course, I'm open to some denial-of-service attacks, but who isn't?
The following should do evil things to just about any site running an
FTP server:

        while (1)
         { s = socket(AF_INET,SOCK_STREAM,0);
           to.sin_family = AF_INET;
           to.sin_addr.s_addr = the internet address of the server;
           to.sin_port = htons(21);
           connect(s,&to,sizeof(to));
         }

But big schmeel; change the port number and it will do likewise to any
server that isn't extremely careful about stopping accepting
connections when there are too many copies running.  Even your echo
server, maybe; it might even wedge inetd.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
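Added example, not code from der Mouse's post nor from any particular dynamic string library: a small C dynamic string that grows on demand (so fixed-size overflow is off the table) but refuses to grow past a hard cap, which is the usual answer to the near-infinite-string denial-of-service raised above. All names (dstr, dstr_append, accumulate, DSTR_MAX) and the 4096-byte cap are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example (not from the post): a dynamic string that grows on
 * demand, as a dynamic string library would, but refuses to grow past
 * a hard cap so one client sending a near-infinite line cannot make the
 * server grow without bound.  All names here are assumptions. */
#define DSTR_MAX 4096          /* assumed per-line cap, in bytes */

typedef struct { char *buf; size_t len, cap; } dstr;  /* buf is NUL-terminated */

/* Append n bytes from p.  Returns 0 on success, -1 if the result would
 * exceed DSTR_MAX or allocation fails; on -1 the string is unchanged. */
int dstr_append(dstr *s, const char *p, size_t n) {
    if (n > DSTR_MAX - s->len)         /* overflow-safe len + n > DSTR_MAX */
        return -1;
    if (s->len + n + 1 > s->cap) {     /* grow geometrically, but capped */
        size_t want = s->cap ? s->cap * 2 : 64;
        while (want < s->len + n + 1)
            want *= 2;
        if (want > DSTR_MAX + 1)
            want = DSTR_MAX + 1;
        char *nb = realloc(s->buf, want);
        if (!nb)
            return -1;
        s->buf = nb;
        s->cap = want;
    }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return 0;
}

/* Feed `reps` copies of `chunk` into a fresh string, the way a server
 * accumulates a command line from successive reads.  Returns the final
 * length, or -1 once the cap is hit (where the server would drop the
 * client instead of growing further). */
long accumulate(const char *chunk, size_t reps) {
    dstr s = { NULL, 0, 0 };
    long result = 0;
    for (size_t i = 0; i < reps && result == 0; i++)
        if (dstr_append(&s, chunk, strlen(chunk)) != 0)
            result = -1;
    if (result == 0)
        result = (long)s.len;
    free(s.buf);
    return result;
}
```

A real server would pair this with a per-connection limit of the kind the post mentions, since the cap bounds memory per line, not the number of lines or clients.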
