Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: typo () INFERNO TUSCULUM EDU
Date: Thu, 7 Sep 2000 21:49:19 +0200

On Thu, Sep 07, 2000 at 09:48:37AM +0200, Bluefish (P.Magnusson) wrote:
> Which receives Bluefish's official prize for stuff really annoying
> 'feature'... So I really would like to see a grepprintf script to combat
> these evil \n in sources :)

This one was mentioned on bugtraq a while ago:
http://www.striker.ottawa.on.ca/~aland/pscan/
PScan: A limited problem scanner for C source files

Also there is my egcs patch to automatically scan for format style bugs
while compiling: http://inferno.tusculum.edu/~typo/tesogcc.tgz
(also mentioned on bugtraq).

Regarding the flames to my mail (removing %n from the glibc):

I was a bit annoyed by people presenting very simple/basic solutions
as 'research' just because they have a degree,
and I'm always impressed by the impact the name you give something has on
its acceptance.. nonetheless I apologize for my initial flame.



I agree that the "solution"(?) I presented is far from being perfect,
as programs may and will break. But deep inside me I feel
that I prefer programs to syslog() and then _exit(-1) when they use
a dangerous but not necessary feature instead of giving attackers
access to my system.

IMHO things should break when they're broken by design.. luckily this design
flaw (using %n) can easily be worked around at the source code level.

Regarding those people that have asked me whether I have removed/replaced %s
too, I'm not sure if this question was a serious one or just ironical
to show me the stupidity of breaking standards.

In either case the answer is that I have a lot less fear of people reading
the memory contents of my (e.g.) httpd, than of them being able to modify
memory and thus, possibly, arbitrarily altering execution flow.

Are there nonpassive (!memory peeking) vulnerabilities related to vfprintf()
that I've not heard about yet? If so I'd be very interested in reading more
about them.

Regards,
    typo



PS: despite the .edu, english isn't my native tongue.. please don't flame
me (again) for my writing style.
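The mitigation typo describes above (refuse a format string that uses %n, log it, and stop rather than hand an attacker a memory write) can be enforced in the program itself instead of by patching glibc. The following is an added example written for this archive page; it is neither typo's glibc/egcs patch nor any glibc code, and the function names format_has_n() and checked_printf() are made up for the illustration. It walks the conversion specifications in a format string, handling "%%", positional arguments, flags, width, precision and length modifiers, and reports whether any specification is %n; a wrapper then logs and refuses such a format before it reaches vprintf(). Instead of the _exit(-1) from the mail, the wrapper returns -1 so the policy can be tested; a caller that wants the original behaviour exits on that return value.

```c
/* Added example for the "refuse %n" mitigation discussed in the thread.
 * Not glibc code and not typo's patch; names are constructed for this
 * illustration. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Returns true if fmt contains a %n conversion, including forms such as
 * %5$n, %hhn or %ln.  A literal "%%" is skipped, as is a conversion that
 * is truncated by the end of the string. */
bool format_has_n(const char *fmt)
{
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                    /* step past the '%' */
        if (*p == '%') {                        /* literal "%%" */
            p++;
            continue;
        }
        /* Skip positional index (n$), flags, width, precision and
         * length modifiers; what follows is the conversion character. */
        while (*p != '\0' && strchr("0123456789$#-+ '.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')                         /* truncated specification */
            break;
        if (*p == 'n')
            return true;
        p++;
    }
    return false;
}

/* Policy wrapper: a format containing %n is logged and refused (-1);
 * anything else is passed on to vprintf() and its result returned. */
int checked_printf(const char *fmt, ...)
{
    if (format_has_n(fmt)) {
        syslog(LOG_ERR, "refusing format string containing %%n");
        return -1;
    }

    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    /* Constructed sample: attacker-controlled text that reaches a
     * printf-family call in the two ways the thread contrasts. */
    const char *user_input = "hello %n";

    checked_printf("%s\n", user_input);        /* input as argument: fine */

    if (checked_printf(user_input) < 0)        /* input as format: refused */
        puts("refused: format string contained %n");

    return 0;
}
```

The check is deliberately conservative: it only cares whether a %n specification is present, not whether the rest of the format is well-formed, so a malformed format that also carries %n is still refused. The real fix the mail points to, never letting untrusted data become the format argument, remains the source-level change; the wrapper is the backstop for the places a scanner like pscan did not catch.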

