Re: [Full-Disclosure] Execution Flow Control (EFC)

From: Jon Hart (warchild_at_spoofed.org)
Date: 08/16/03

Next message: Stephen Clowater: "Re: [Full-Disclosure] east coast powergrid / SCADA [OT?]"

Previous message: Geoff Shively: "Re: [Full-Disclosure] east coast powergrid / SCADA [OT?]"
In reply to: Shanphen Dawa: "[Full-Disclosure] Execution Flow Control (EFC)"
Next in thread: Jarlin: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Reply: Jarlin: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Reply: Jimb Esser: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Shanphen Dawa <list@hardlined.com>
Date: Sat, 16 Aug 2003 16:01:35 -0400

On Sat, Aug 16, 2003 at 07:13:50AM -0500, Shanphen Dawa wrote:
> This was posted to bugtraq.
>
> http://www.securityfocus.com/archive/1/333451/2003-08-13/2003-08-19/0
>
> The author of the software claims any machine running this
> Execution Flow Control (EFC) program is 100%. I think 100% is a tad
> bit arrogant, and I can't wait till he has to eat his words. The
> website is a tad under the professional type websites I would take
> seriously, but I thought this might spark a good discussion, and get
> us off that bl*st*r w*rm.
>
> http://203.197.88.14/
> http://203.197.88.14/efc

This line from http://203.197.88.14/efc/efc_intro.php really caught my
eye:

PROS AND CONS OF EFC.

1. Can protect against known or unknown vulnerabilities.

Ok, with that in mind, lets see how well it stands up to "unknown"
attacks...

I'm not one to judge product quality based (partially or otherwise) on
past or current programming mistakes, but if I was, I'd say that
something like:

for(i=0;arg[i]; i++) {
        if ((strncmp(arg[i], "/etc/shadow",11) == 0) ||
                (strncmp(arg[i], "shadow",6) == 0)) {
                        write(1,"arg cannot be shadow\n", 21);
                        return 0;
        }
}

is a pretty poor way of making sure people don't play with your shadow
file. There are many possibilities here, but the bottom line is that
the webserver had a poorly written CGI application and EFC didn't seem
to do much in the way of stopping someone from exploiting it and
stealing the shadow file.

fwiw,

-jon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Stephen Clowater: "Re: [Full-Disclosure] east coast powergrid / SCADA [OT?]"

Previous message: Geoff Shively: "Re: [Full-Disclosure] east coast powergrid / SCADA [OT?]"
In reply to: Shanphen Dawa: "[Full-Disclosure] Execution Flow Control (EFC)"
Next in thread: Jarlin: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Reply: Jarlin: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Reply: Jimb Esser: "Re: [Full-Disclosure] Execution Flow Control (EFC)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]