
Re: Possible buffer overflows = security problem?



On Fri, Sep 05, 2003 at 04:47:30PM +0200, Frank Lichtenheld wrote:
> several code pieces like
> 
> char path[256];
> sprintf( path, "some string/%s", packagename);
> 
> Is such code (away from the fact that it can easily lead to segfaults) a
> security problem?

Yep, it's a potential security problem.

Several people have said it's an issue if strlen(packagename) > 256.
Actually, it's a possible problem if strlen(packagename) > 243.  It's
really picky of me to point this out, but that's the whole goal of doing
this sort of thing: be insanely picky and paranoid.

There are 2 questions to ask:

1) Can it possibly be exploited?  In this case, the answer is "yes,
if we don't know the size of 'packagename'".  Since 'packagename'
comes from a file external to this program, then we should be paranoid
enough to assume that someone will craft a special file that contains a
packagename that is really long, and is designed to "stack smash" your
program, causing the program to do what the attacker wants it to do.

2) What damage can it do if it's exploited?  In this case, I don't know
the answer.  If the program is SUID or SGID, then this program could
be exploited to allow someone to run programs with another UID or GID.
This is generally a bad thing, since the UID or GID often have great
powers (i.e. root).  On the other hand, if it's not SUID or SGID, there
is still a problem if it's possible to get root to run the program
with the specially crafted input.  In this case, the program becomes a
trojan horse, because root thinks they are doing something safe but in
fact the exploit causes the program to do something else.  Since this
program does package management stuff, it's quite likely that root will
run it.

The safest approach is always to ensure that the answer to the first
question is "no", so you don't need to worry about the second one.

    --- Wade
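
The arithmetic behind the "243" figure and the bounded replacement for the quoted sprintf() call, as an added example that is not part of the original mail or of the program Frank was reviewing. The prefix string and the 256-byte buffer are taken from the quoted code; the function names and the truncation-reporting convention are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from the quoted code: a 256-byte destination and a 12-byte prefix. */
#define PATH_BUF 256
static const char *const PREFIX = "some string/";

/* Longest packagename that still fits: buffer size minus the prefix minus
 * the terminating NUL.  256 - 12 - 1 = 243, the number Wade gives above.
 * Returns 0 when not even the prefix fits. */
size_t max_safe_packagename_len(size_t bufsize, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (bufsize == 0 || plen + 1 > bufsize)
        return 0;
    return bufsize - plen - 1;
}

/* Bounded replacement for `sprintf(path, "some string/%s", packagename)`.
 * snprintf() never writes past out[outsz-1] and always NUL-terminates when
 * outsz > 0.  Its return value is the length the complete string would have
 * had, so a value >= outsz means the name was too long and the output was
 * truncated.  A truncated path is still not safe to use (it may name a
 * different file), so the caller gets -1 and an empty buffer rather than a
 * half-built path. */
int build_path(char *out, size_t outsz, const char *packagename)
{
    int n = snprintf(out, outsz, "%s%s", PREFIX, packagename);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helper for the demonstration: build a constructed packagename of `len`
 * bytes of 'a' and report whether it fits the 256-byte buffer (1) or would
 * have overflowed the original sprintf() (0). */
int name_of_length_fits(size_t len)
{
    char path[PATH_BUF];
    char *name = malloc(len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    int fits = (build_path(path, sizeof path, name) == 0);
    free(name);
    return fits;
}

int main(void)
{
    printf("max safe packagename length: %zu\n",
           max_safe_packagename_len(PATH_BUF, PREFIX));      /* 243 */
    printf("243-byte name fits: %d\n", name_of_length_fits(243)); /* 1 */
    printf("244-byte name fits: %d\n", name_of_length_fits(244)); /* 0 */
    return 0;
}
```

The point of returning -1 instead of silently truncating is Wade's first question: the answer becomes "no" only if over-long input is rejected outright, not merely kept from overwriting the stack.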


