Secure Coding mailing list archives
Interesting tidbit in iDefense Security Advisory 06.26.07
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 26 Jun 2007 17:23:51 -0400 (EDT)
On Tue, 26 Jun 2007, Kenneth Van Wyk wrote:

> Mind you, the overrun can only be exploited when specific characters are used as input to the loop in the code. Thus, I'm inclined to think that this is an interesting example of a bug that would have been extraordinarily difficult to find using black box testing, even fuzzing.

I would assume that "smart" fuzzing could have lots of manipulations of the HH:mm:ss.f format (the intended format mentioned in the advisory), so this might be findable using black box testing, although I don't know how many fuzzers actually know how to muck with time strings.

Because the programmer told flawfinder to ignore the strncpy() that it had flagged, it also shows a limitation of manual testing.

In CVE anyway, I've seen a number of overflows involving strncpy, and they're not all off-by-one errors. They're hard to enumerate because we don't usually track which function was used, but here are some:

CVE-2007-2489 - negative length
CVE-2006-4431 - empty input causes crash involving strncpy
CVE-2006-0720 - "incorrect" strncpy call
CVE-2004-0500 - another bad strncpy
CVE-2003-0465 - interesting API interaction

- Steve
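Added example, not part of the message above and not code from any of the cited advisories: a bounded copy that rejects two of the failure classes named in the list (negative length, empty input) and also the case where strncpy() fills the destination without writing a terminator. The names checked_copy and strncpy_leaves_unterminated and the sample time strings are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy at most `len` bytes of `src` into `dst`
 * (capacity `dst_size`), always NUL-terminating.
 * Returns the number of bytes copied, or -1 if the input is rejected. */
long checked_copy(char *dst, size_t dst_size, const char *src, long len)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';              /* destination is a valid string even on failure */
    if (src == NULL)
        return -1;
    /* A negative signed length handed straight to strncpy() converts to a
     * huge size_t, so reject it while it is still signed. */
    if (len < 0)
        return -1;
    /* Count bytes up to the source terminator; empty input gives n == 0. */
    size_t n = 0;
    while (n < (size_t)len && src[n] != '\0')
        n++;
    /* Refuse instead of truncating: there must be room for the terminator. */
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* Raw strncpy() behaviour for comparison: returns 1 when an 8-byte
 * destination ends up with no NUL terminator after the call. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void)
{
    char out[8];
    const char *sample = "12:34:56.7";   /* constructed HH:mm:ss.f input */
    printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated(sample));
    printf("checked_copy too long: %ld\n", checked_copy(out, sizeof out, sample, 10));
    printf("checked_copy negative: %ld\n", checked_copy(out, sizeof out, sample, -1));
    printf("checked_copy empty:    %ld\n", checked_copy(out, sizeof out, "", 5));
    return 0;
}
```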