Complete.Org: Mailing Lists: Archives: gopher: January 2001:
[gopher] Fwd: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
To: gopher@xxxxxxxxxxxx
Subject: [gopher] Fwd: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
From: Aaron Lehmann <aaronl@xxxxxxxxxxx>
Date: Tue, 16 Jan 2001 23:10:04 -0800
Reply-to: gopher@xxxxxxxxxxxx

----- Forwarded message from aaronl@xxxxxxxxxxx -----

From: aaronl@xxxxxxxxxxx
Date: Tue, 16 Jan 2001 22:57:23 -0800
To: submit@xxxxxxxxxxxxxxx
Subject: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
X-Mailer: bug 3.3.7

Package: gopherd
Version: 2.3.1-8
Severity: grave


First off:

$ egrep -r '(sprintf|strcpy|strcat)' * | wc -l
    539

*shudder*


Here are a few particular cases of fixed-size buffers that I think may
currently be security risks:

     char buf[256];
...
      if (dochroot)
           sprintf(buf, "%s '%s'", decoder, pathname);
      else
           sprintf(buf, "%s '%s/%s'", decoder, Data_Dir, pathname);

As far as I can tell, neither decoder nor pathname is regulated in
size at all.

Here's another favorite:
     char         longname[256];
...
           sprintf( longname, "%s  [%s%s%s, %ukb]", stitle,
              cdate+8,cdate+4,cdate+22, (statbuf.st_size+1023) / 1024);

Even if the length of stitle was regulated (which I doubt), it would
most likely be regulated to 256 bytes, which would be just as
disastrous.

Oh, and you had better hope that the path to your Data_Dir is < 256 chars:
     char tmpstr[256];
...
            strcpy(tmpstr, Data_Dir);

Data_Dir is _not_ regulated in size:
      Data_Dir = strdup(argv[optind]);
...
      Data_Dir = strdup(DATA_DIRECTORY);

How about this:

     if ((titlep = strcasestr(buf, "<TITLE>")) != NULL) {
      char *endtitle;
      char titletemp[256];

      titlep += 7;
      if ((endtitle = strcasestr(titlep, "</TITLE>")) != NULL) {
           strncpy(titletemp, titlep, (endtitle-titlep));
           titletemp[endtitle-titlep] = '\0';

So, list a directory containing a .html document with a title > 256
chars and you're likely to smash the stack.

I could go on and on. My recommendation to the gopherd maintainer is
to throw out all of this code and write a more modern, secure
implementation from scratch. This is the worst C code I have ever read.





----- End forwarded message -----

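As an added illustration (not gopherd's code and not part of the original report), here is a bounded rewrite of two of the quoted calls: the <TITLE> copy into a fixed array and the sprintf() that builds the decoder command line. ci_find is a hypothetical portable stand-in for the GNU strcasestr() the snippet relies on.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Portable, case-insensitive stand-in for the GNU strcasestr() used above. */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n; i++)
            if (tolower((unsigned char)hay[i]) != tolower((unsigned char)needle[i]))
                break;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Bounded rewrite of the <TITLE> copy: clamps to outsz-1 bytes and always
 * NUL-terminates; returns the full title length, or -1 if none is found. */
int extract_title(const char *html, char *out, size_t outsz)
{
    const char *titlep, *endtitle;
    size_t len;

    if (outsz == 0 || (titlep = ci_find(html, "<TITLE>")) == NULL)
        return -1;
    titlep += 7;
    if ((endtitle = ci_find(titlep, "</TITLE>")) == NULL)
        return -1;
    len = (size_t)(endtitle - titlep);
    if (len >= outsz)            /* the quoted strncpy had no such check */
        len = outsz - 1;
    memcpy(out, titlep, len);
    out[len] = '\0';
    return (int)(endtitle - titlep);
}

/* Bounded rewrite of sprintf(buf, "%s '%s'", decoder, pathname): snprintf
 * reports the length it needed, so n >= bufsz means truncation; refuse it. */
int build_decoder_cmd(char *buf, size_t bufsz, const char *decoder,
                      const char *pathname)
{
    int n = snprintf(buf, bufsz, "%s '%s'", decoder, pathname);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}
```

A title longer than the destination is cut to fit instead of overrunning the array, and a command line that would not fit is rejected rather than executed in truncated form.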



