Re: Administrivia: List Announcement

From: xenophi1e (oliver.lavery_at_sympatico.ca)
Date: 05/13/03

Date: 13 May 2003 17:06:32 -0000
To: vuln-dev@securityfocus.com
In-Reply-To: <Pine.LNX.4.55.0305131019280.11354@mail.securityfocus.com>

This is a very good idea. This mailing list is a good resource, but it
could be a little more 'fun'...

I'll take a whack.

>
>We'll kick this off with the first challenge, which was devised by Aaron
>Adams:
>
> strncpy(buf2, p2, SIZE);

Off-by-one. Third arg should be SIZE-1 to leave room for the terminating
NULL. This error should lead to a heap-based vulnerability when the
memory is free()d.

> for (i = 0; i <= SIZE && p1[i] != '\0'; i++)

Condition should be < SIZE. <= SIZE leads to the same vuln as above. This
is also a shabby way to copy a string on architectures with a bigger word
size than 8 bits. The number of ops can be reduced by copying through a
32-bit register and then using 8 bits for the remaining < 4 bytes.

Cheers,
~ol
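The two defects in the quoted challenge lines, and the fixes the reply proposes, as an added C example (not code from the original thread): SIZE is a constructed buffer size, and the unsafe loop condition is run against a guard byte placed just past the buffer so the out-of-bounds write is observed without undefined behaviour.

```c
#include <string.h>

#define SIZE 8  /* constructed buffer size for this demonstration */

/* The challenge's strncpy(buf2, p2, SIZE) into a SIZE-byte buffer: returns
 * 1 if a NUL terminator survived (inputs of SIZE or more chars get none). */
static int strncpy_size_leaves_terminator(const char *src) {
    char buf[SIZE];
    memset(buf, 'X', SIZE);
    strncpy(buf, src, SIZE);
    return memchr(buf, '\0', SIZE) != NULL;
}

/* The challenge's loop (i <= SIZE) run over a SIZE-byte region followed by
 * one guard byte: returns 1 if the guard was overwritten, i.e. the loop
 * wrote one past the end of the intended buffer. */
static int loop_le_size_overwrites_guard(const char *src) {
    char backing[SIZE + 1];
    size_t i;
    memset(backing, 0, sizeof backing);
    backing[SIZE] = 'G';
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        backing[i] = src[i];
    return backing[SIZE] != 'G';
}

/* Hardened forms from the post: SIZE-1 for strncpy plus an explicit
 * terminator, and i < SIZE-1 in the loop so the terminator still fits. */
static void safe_strncpy(char dst[SIZE], const char *src) {
    strncpy(dst, src, SIZE - 1);
    dst[SIZE - 1] = '\0';
}
static void safe_loop_copy(char dst[SIZE], const char *src) {
    size_t i;
    for (i = 0; i < SIZE - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Runs both hardened copies on src; returns the resulting length, or -1 if
 * the result is unterminated or the two copies disagree. */
static int hardened_copy_len(const char *src) {
    char a[SIZE], b[SIZE];
    safe_strncpy(a, src);
    safe_loop_copy(b, src);
    if (memchr(a, '\0', SIZE) == NULL || strcmp(a, b) != 0)
        return -1;
    return (int)strlen(a);
}
```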

