[CrackMonkey] Another nail in the Pine coffin

Aaron Lehmann aaronl at vitelus.com
Sat Sep 30 18:53:31 PDT 2000


On Fri, Sep 29, 2000 at 09:26:22AM -0700, Don Marti wrote:
> ----- Forwarded message from Kris Kennaway <kris at FREEBSD.ORG> -----
> It almost killed me to see this:
> 
> mollari# find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
>     4299
> 
> Don't use pine - I don't believe it is practical to make it secure. :-(

I can't believe that no one has bothered to point out how fucking
stupid this conclusion is. The three calls grepped for are no
indication of security or lack of it.

Consider the following code:

----- Example -----

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main (int argc, char *argv[])
{
	/* 27-byte prefix + at most 1000 arg bytes + '\n' + NUL = 1029 <= 1030 */
	char buffer[1030];
	char *errormsg, *tmp;

	if (argc < 2)
	{
		/* "must pass one arg\n" is 18 bytes + NUL = 19 <= 20 */
		errormsg = (char *) malloc (20);
		if (errormsg == NULL) return 1;
		strcpy (errormsg, "must pass one arg\n");
		/* grow for the 27-byte second string: 18 + 27 + NUL = 46 <= 47 */
		tmp = (char *) realloc (errormsg, 20+27);
		if (tmp == NULL) { free (errormsg); return 1; }
		errormsg = tmp;
		strcat (errormsg, "Not just the program name!\n");
		fwrite (errormsg, sizeof(char), strlen(errormsg), stdout);
		fflush (stdout);
		free (errormsg);
		return 1;
	}

	/* truncate the argument in place so the sprintf below cannot overrun buffer */
	if (strlen (argv[1]) > 1000) argv[1][1000] = 0;

	sprintf (buffer, "First 1000 chars of arg 1: %s\n", argv[1]);
	fwrite (buffer, sizeof(char), strlen(buffer), stdout);
	fflush (stdout);
	return 0;
}
----- End Example -----

Now, the use of these in the above context is also very stupid. But if
you can find a security hole in that code, there are much much bigger
problems than which library calls are used plaguing Pine (i.e. a
broken operating system).

See:

[aaronl at endquote:~]$ ./test `perl -e 'print "A" x 40000;'`
First 1000 chars of arg 1:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


     _                                _                 _     
 ___| |_ _ __ ___ _ __  _   _     ___| |_ _ __ ___ __ _| |_   
/ __| __| '__/ __| '_ \| | | |   / __| __| '__/ __/ _` | __|  
\__ \ |_| | | (__| |_) | |_| |_  \__ \ |_| | | (_| (_| | |_ _ 
|___/\__|_|  \___| .__/ \__, ( ) |___/\__|_|  \___\__,_|\__( )
                 |_|    |___/|/                            |/ 
                 _                  _       _    __                  
  __ _ _ __   __| |  ___ _ __  _ __(_)_ __ | |_ / _|   __ _ _ __ ___ 
 / _` | '_ \ / _` | / __| '_ \| '__| | '_ \| __| |_   / _` | '__/ _ \
| (_| | | | | (_| | \__ \ |_) | |  | | | | | |_|  _| | (_| | | |  __/
 \__,_|_| |_|\__,_| |___/ .__/|_|  |_|_| |_|\__|_|    \__,_|_|  \___|
                        |_|                                          
             _                                             _ _       
 _ __   ___ | |_   _ __   ___  ___ ___  ___ ___  __ _ _ __(_) |_   _ 
| '_ \ / _ \| __| | '_ \ / _ \/ __/ _ \/ __/ __|/ _` | '__| | | | | |
| | | | (_) | |_  | | | |  __/ (_|  __/\__ \__ \ (_| | |  | | | |_| |
|_| |_|\___/ \__| |_| |_|\___|\___\___||___/___/\__,_|_|  |_|_|\__, |
                                                               |___/ 
            _ _ _ 
  _____   _(_) | |
 / _ \ \ / / | | |
|  __/\ V /| | |_|
 \___| \_/ |_|_(_)

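Added example (mine, not code from the post or from Pine): the same formatting step as above, but with the bound written out as a check on the byte count instead of verified by hand, using snprintf with a "%.*s" precision so the argument is cut at 1000 bytes without writing into argv. PREFIX is the post's 27-byte string; the 40000-byte "AAAA..." input is constructed in the code, standing in for the perl one-liner. The point it illustrates is the author's: what makes the sprintf in the post safe is that the arithmetic fits the buffer, and a grep count of sprintf/strcpy/strcat calls measures nothing about that.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARG_CHARS 1000
#define PREFIX "First 1000 chars of arg 1: "	/* 27 bytes, as in the post */

/*
 * Same job as the post's sprintf line, with the bound made explicit:
 * compute the bytes needed, refuse if they do not fit, then format with
 * snprintf and "%.*s" so the argument is cut at MAX_ARG_CHARS without
 * modifying it.  Returns bytes written (excluding the NUL), or -1 if the
 * output buffer is too small.
 */
int format_first_1000(const char *arg, char *out, size_t outsz)
{
	size_t arglen = strlen(arg);
	size_t need;
	int n;

	if (arglen > MAX_ARG_CHARS)
		arglen = MAX_ARG_CHARS;

	/* prefix + truncated argument + '\n' + terminating NUL */
	need = strlen(PREFIX) + arglen + 1 + 1;
	if (need > outsz)
		return -1;

	n = snprintf(out, outsz, "%s%.*s\n", PREFIX, (int)arglen, arg);
	if (n < 0 || (size_t)n >= outsz)
		return -1;	/* cannot happen after the check above; kept as a guard */
	return n;
}

/* Constructed input: an argument of len 'A's, like the perl one-liner. Caller frees. */
static char *make_long_arg(size_t len)
{
	char *arg = malloc(len + 1);
	if (arg == NULL)
		return NULL;
	memset(arg, 'A', len);
	arg[len] = '\0';
	return arg;
}

/* 40000-byte argument into the post's 1030-byte buffer: 27 + 1000 + 1 = 1028 bytes written. */
int demo_long_arg(void)
{
	char buffer[1030];
	char *arg = make_long_arg(40000);
	int n;

	if (arg == NULL)
		return -2;	/* allocation failure, distinct from the -1 "too small" result */
	n = format_first_1000(arg, buffer, sizeof buffer);
	free(arg);
	return n;
}

/* Same argument into a 64-byte buffer: the size check rejects it (-1) instead of overflowing. */
int demo_small_buffer(void)
{
	char small[64];
	char *arg = make_long_arg(40000);
	int n;

	if (arg == NULL)
		return -2;
	n = format_first_1000(arg, small, sizeof small);
	free(arg);
	return n;
}

/* A short argument in the post's buffer: 27 + 2 + 1 = 30 bytes written. */
int demo_short_arg(void)
{
	char buffer[1030];
	return format_first_1000("hi", buffer, sizeof buffer);
}

int main(void)
{
	char buffer[1030];
	char *arg = make_long_arg(40000);
	int n;

	if (arg == NULL)
		return 1;
	n = format_first_1000(arg, buffer, sizeof buffer);
	free(arg);
	if (n < 0)
		return 1;
	fputs(buffer, stdout);	/* prefix, 1000 A's, newline: same as the post's run */
	return 0;
}
```

The check in format_first_1000 is the thing a reviewer actually has to verify per call site; whether the call is spelled sprintf or snprintf is secondary once the needed byte count is compared against the buffer size before the write.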