Firewall Wizards mailing list archives
Gauntlet: source code anyone ?
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 18 Mar 1999 08:50:07 +1100 (EST)
There has been much discussion about "must have source code" by people who populate these lists for security products, however, in line with comments brought up before, there is apparently little benefit for the vendor or customer (except that the customer has the ability to introduce their own bugs ;).

Why do I say that ? Well, recently I was in a position to have the time to do a quick review of Gauntlet source code. Just for laughs, I tried something stupid like "grep sprintf */*.c". The scary part is that the output was rather lengthy. Upon having a closer look at one file (x-gw.c), it became quickly apparent that fixed buffer sizes (some of which were too small) were littered through the code and whilst single buffers could be overflowed, by some stroke of luck it doesn't appear easy to exploit. To make it even worse, this was 4.1, not some early rev.

If you use Gauntlet and have the time, set up a host with a full length domain name (256 characters) and try accessing each of the Gauntlet services using it...

Getting back to the larger issue, this indicates a few things to me:

1. you can't trust firewall vendors to write good, secure, code;
2. vendors don't appear to do a lot of testing, particularly of boundary cases (just like all good s/w engineers should);
3. vendors don't appear to have very good quality control;
4. those who buy commercial firewall products aren't interested in doing a code review of their vendor.

Of course these are generalised points given one experience, but one would have thought that of any firewall, Gauntlet would have been the most correct...

Just before I finish, has anyone ever submitted a patch to TIS/NAI for Gauntlet to fix security holes ? Do they reject them or simply sit on them ?

Darren
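The pattern the post is describing (a fixed-size buffer filled by an unbounded sprintf, which a 256-character hostname overruns) beside the bounded form a reviewer would want to see, as an added C example that is not from the post or from Gauntlet; the buffer size, log-line format and function names are assumptions, and the long hostname is constructed for the boundary test:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size buffer of the kind the post describes. The size is an
 * assumption for illustration; the real Gauntlet sizes are not on the page. */
#define LOGLINE_MAX 64

/* What "grep sprintf" turns up: a fixed buffer written with no bound.
 * A hostname longer than the buffer overruns 'line'. Shown for contrast
 * only; it is never called below. */
void log_access_unsafe(char *line, const char *host, int port)
{
    sprintf(line, "connect from %s port %d", host, port); /* unbounded */
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns true if the whole message fit, false if it had to be cut. */
bool log_access_safe(char *line, size_t cap, const char *host, int port)
{
    int n = snprintf(line, cap, "connect from %s port %d", host, port);
    if (n < 0 || (size_t)n >= cap) {
        /* Over-long input: record that fact instead of a silently cut line */
        snprintf(line, cap, "connect from <hostname too long> port %d", port);
        return false;
    }
    return true;
}

/* The boundary case the post suggests testing: a constructed
 * 256-character hostname against a 64-byte line buffer. */
bool check_long_hostname(void)
{
    char host[257];
    char line[LOGLINE_MAX];
    memset(host, 'a', 256);
    host[256] = '\0';
    return log_access_safe(line, sizeof line, host, 80);
}

/* A normal-length hostname fits and is formatted exactly. */
bool check_short_hostname(void)
{
    char line[LOGLINE_MAX];
    return log_access_safe(line, sizeof line, "mail.example.net", 25)
        && strcmp(line, "connect from mail.example.net port 25") == 0;
}

int main(void)
{
    printf("long hostname fits: %d\n", check_long_hostname());   /* 0 */
    printf("short hostname fits: %d\n", check_short_hostname()); /* 1 */
    return 0;
}
```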
Current thread:
- Gauntlet: source code anyone ? Darren Reed (Mar 18)
- Re: Gauntlet: source code anyone ? Joseph S D Yao (Mar 19)
- Re: Gauntlet: source code anyone ? Adam Shostack (Mar 19)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 19)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 21)
- Re: Gauntlet: source code anyone ? Craig H. Rowland (Mar 22)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Mark E. Smith (Mar 23)
- Re: Gauntlet: source code anyone ? Joseph S D Yao (Mar 23)
- Re: Gauntlet: source code anyone ? David Lang (Mar 23)
- Re: Gauntlet: source code anyone ? Steve George (Mar 21)