Re: Writing a SECURE daemon
From: Volker Birk (bumens_at_dingens.org)
Date: 11/06/03
- Next message: Tim Wilkinson: "Re: iptables, static nats to multiple DMZ based servers"
- Previous message: Jem Berkes: "Re: Writing a SECURE daemon"
- In reply to: Mario L. Mueller: "Writing a SECURE daemon"
- Next in thread: Mario L. Mueller: "Re: Writing a SECURE daemon"
- Reply: Mario L. Mueller: "Re: Writing a SECURE daemon"
- Reply: Ilari Liusvaara: "Re: Writing a SECURE daemon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 6 Nov 2003 09:04:21 +0100
Mario L. Mueller <mario@goopers.com> wrote:
> I would like to know what precautions I should take to prevent this
> daemon from being hacked. I know people have found ways to hack into
> httpd, bind, wu-ftpd.. Where did these authors go wrong?
Most of those attacks were buffer overflow attacks on unchecked
boundaries of buffers on the stack. So don't have unchecked boundaries
with your buffers, don't use strcpy, strcat, etc. Do use strncpy,
strncat etc. instead of them. Perhaps have all of your buffers on the
heap, not in stack space. Validate all input before processing it.
Short: think about constraints with buffers.
Do not run your service as UID 0 if that is possible. If that is a
must, split your service into code which runs with UID 0 and code
which does not need that. Especially the code which runs with UID 0
you should examine for correctness.
> First thing I did was suid to a non-root user immediately after the
> service is started. But now I would like to learn more about the
> security exploits through "unchecked buffers". What exactly does that
> mean?
For example: your service reads a line with a command from a
socket using get_next_line(). With foo() you're working on that
command. Then, in a very simple sample:
#include <string.h>

char *get_next_line(void);     /* reads one line from the socket (defined elsewhere) */

int foo() {
    char cmd[42];              // 40 chars is a line on Apple ][
    char *the_line;
    the_line = get_next_line();
    // The copy length is taken from the input itself, not from sizeof(cmd):
    // this is the unchecked boundary discussed below.
    strncpy(cmd, the_line, strstr(the_line, " ") - the_line);
    if (strcmp(cmd, "DOIT") == 0) {
        // ... do it ...
        return 0;
    } else if (strcmp(cmd, "FORGETIT") == 0) {
        // ... forget it ...
        return 0;
    }
    return 42;                 // unknown command, return the ultimate answer
}
What exactly happens if strlen(cmd) is > 42? It overwrites stack memory,
because cmd is on the stack. And what's in that memory? i.e. the return
address of foo(). So for example you load some_string with machine code
of your choice. Then you overwrite the return address of foo() with cmd.
What happens? Well, when foo() is ready, the return address is fetched
from the stack. And there stands cmd. Then the code at cmd is executed,
the code the attacker injected.
> If all my memory is dynamically allocated and processed, then
> this shouldn't be a problem for me. Correct?
It depends where that memory is. If it is on the heap, it can be very
difficult to reach stack space from there. But better check input
boundaries every time.
VB.
--
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806  Fax +49-7524-996807
mailto:vb@x-pie.de  http://www.x-pie.de
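A bounds-checked rewrite of the foo() sample above, added here as an illustration and not part of the original post. The helper names (extract_command, foo_checked, check_token_of_length) and the distinct return codes for DOIT and FORGETIT are choices made for this example; the buffer keeps the same 42-byte size so the limit being enforced is the one the message talks about.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 42   /* same buffer size as cmd[42] in the example above */

/* Result codes (constructed for this example). */
enum { CMD_DOIT = 0, CMD_FORGETIT = 1, CMD_UNKNOWN = 42, CMD_TOOLONG = -1 };

/* Copy the first token of `line` (up to a space or end of line) into `cmd`.
 * Never writes more than `cmd_size` bytes and always NUL-terminates.
 * Returns the token length, or -1 if the token would not fit. */
static int extract_command(const char *line, char *cmd, size_t cmd_size)
{
    size_t n = strcspn(line, " \r\n");   /* also handles a line with no space */
    if (n >= cmd_size)                    /* keep one byte for the NUL */
        return -1;
    memcpy(cmd, line, n);
    cmd[n] = '\0';
    return (int)n;
}

/* Hardened foo(): the copy length is bounded by sizeof(cmd), not by input. */
int foo_checked(const char *the_line)
{
    char cmd[CMD_MAX];
    if (extract_command(the_line, cmd, sizeof cmd) < 0)
        return CMD_TOOLONG;               /* reject oversized input instead of overflowing */
    if (strcmp(cmd, "DOIT") == 0)
        return CMD_DOIT;
    if (strcmp(cmd, "FORGETIT") == 0)
        return CMD_FORGETIT;
    return CMD_UNKNOWN;
}

/* Feed foo_checked() a constructed token of n 'A' characters (n < 199). */
int check_token_of_length(size_t n)
{
    char line[200];
    if (n >= sizeof line - 1) return CMD_TOOLONG;
    memset(line, 'A', n);
    line[n] = '\0';
    return foo_checked(line);
}

int main(void)
{
    printf("%d %d %d %d\n", foo_checked("DOIT now"), foo_checked("FORGETIT"),
           check_token_of_length(41), check_token_of_length(42));
    return 0;
}
```

A 41-byte token still fits (it is merely unknown), while a 42-byte token is refused before any copy happens, which is exactly the case that overflows the original cmd[42].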