Re: Imagemap CGI overflow exploit

From: John LoVerso (johnat_private)
Date: Fri Oct 22 1999 - 10:12:05 PDT


    > void main(int argc, char **argv)
    > {
    >         char      OutString[100];
    >         // extract x & y from passed values
    >         strcpy(OutString, argv[1]);
    >
    > This overflow can be avoided if you put the following code before
    > strcpy().
    >
    > if (strlen(argv[1])>99) exit(0);
    
    While a tiny bounds check is usually important, IMHO it is more important to
    notice the coding style.  The tiny snippet above tells me that the author of the
    original code doesn't have much of a clue.  I don't mean just in regards to
    static buffer sizes, but also in regards to efficiency, memory utilization, or
    possibly even programming in C.  Why didn't they use "char *outstring =
    argv[1];"?  What do they do with OutString, just pass it to atoi() to extract
    x?  Or, perhaps, they even wrote their own version of atoi() with its own
    errors.  This code snippet has "I just learned C" all over it.  I wouldn't be
    surprised if the original author didn't make dozens of similar mistakes.
    
    This is damning not only to this particular program, but also reflects on the
    quality and care that went into "OmniHTTPd 1.01 and Pro2.04".  I don't know what
    those programs are, but if they were commercial packages, this could be a
    warning as to the possibility of their own weaknesses.  The willingness of an
    author to ship such obviously broken code shows a distinct lack of
    professionalism.  It's obvious they don't code review, which probably means they
    couldn't have done a security review.
    
    I'm not trying to pick on one program or author, but this is indicative of the
    state of software in general.
    
    This leads to one of the (usually) ignored keystones of that which, of late, has
    acquired the name "open source software".  Having source doesn't just let you fix
    or extend software upon which you depend.  Seeing the source code of a program
    can give valuable insight about the quality and skill that went into its
    development.  Shunning code and products from sources of low quality can help
    stem the tide of bugs, especially those that result in security vulnerabilities.
    
    John
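The two fixes discussed in this thread side by side, as an added example that is not code from the original posts or from OmniHTTPd: the quoted poster's length guard (note that `strlen(arg) > 99` is the correct bound for a 100-byte buffer, since 99 characters plus the terminating NUL exactly fill it), and John's point that the copy is unnecessary because the coordinates can be parsed straight out of `argv[1]`. The "x,y" argument format and the function names are assumptions for this example; the original snippet does not show how x and y are encoded.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUTSTRING_SIZE 100   /* same size as the original OutString[100] */

/* The quoted poster's guard, generalised to any buffer size.
 * Rejects the input before copying when strlen(src) > dst_size - 1,
 * i.e. when src plus its NUL would not fit. For dst_size == 100 this is
 * exactly "if (strlen(argv[1]) > 99) exit(0);" from the thread.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n > dst_size - 1)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminating NUL too */
    return 0;
}

/* John's alternative: do not copy at all. Parse x and y directly from the
 * argument; strtol stops at the first non-digit, so no fixed buffer is
 * involved and the input length is irrelevant.
 * Assumed format (not from the original post): "x,y" with decimal integers.
 * Returns 0 and sets *x, *y on success, -1 on any malformed input. */
int parse_xy(const char *arg, long *x, long *y)
{
    char *end;
    const char *ystart;

    errno = 0;
    *x = strtol(arg, &end, 10);
    if (end == arg || *end != ',' || errno == ERANGE)
        return -1;           /* no digits, no separator, or out of range */

    ystart = end + 1;
    errno = 0;
    *y = strtol(ystart, &end, 10);
    if (end == ystart || *end != '\0' || errno == ERANGE)
        return -1;           /* no digits, trailing junk, or out of range */

    return 0;
}

/* Stand-alone driver mirroring the CGI's use of argv[1]. */
int main(int argc, char **argv)
{
    char out[OUTSTRING_SIZE];
    long x, y;

    if (argc < 2) {
        fprintf(stderr, "usage: %s x,y\n", argv[0]);
        return 2;
    }
    if (copy_checked(out, sizeof out, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", OUTSTRING_SIZE - 1);
        return 1;
    }
    if (parse_xy(argv[1], &x, &y) != 0) {
        fprintf(stderr, "expected x,y\n");
        return 1;
    }
    printf("x=%ld y=%ld\n", x, y);
    return 0;
}
```

`parse_xy` is the one a reviewer would keep: it never writes into a fixed-size buffer, so there is nothing for a long argument to overflow, and it also rejects inputs that an `atoi()` on the copied string would have silently accepted (missing separator, trailing garbage, out-of-range values).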
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:34 PDT