Re: Public disclosure of discovered vulnerabilities

From: Vernon Schryver (vjs_at_calcite.rhyolite.com)
Date: 06/08/05


Date: Wed, 8 Jun 2005 08:17:52 -0600 (MDT)

In article <d85upu$1t1j$1@agate.berkeley.edu>,
David Wagner <daw-usenet@taverner.cs.berkeley.edu> wrote:

>>This whole thread is silly.
>
>If it's silly, it's because of people posting silly things.
>Like, for instance, your mention of stack overflow when I was talking
>about something else -- that was silly.

I'm unhappy about your distinction between using gets() to overflow a
buffer that happens to be on the stack to contain the compiled equivalent
of "execve("/bin/sh",0,0);" along with changing a return address in a
stack frame to point to that code versus modifying some static buffer to
some equally useful effect.

I'd complain that you have not bothered to read how the Worm worked and
refer to http://www.textfiles.com/100/tr823.txt but I can't think what
you might mean by "stack overflow." For me "stack overflow" means
trying to push (for any of the many notions of "push") too many bits
onto a stack. I agree the 80x86 SP/SS registers are a stack, but
I cannot see gets(buf) as any kind of "push".

For me, the distinction between whatever you mean by "stack overflow"
and what the Worm did makes no sense. All that needs to be said is
"here's a way to modify memory."

Do you make that distinction because you did not cut your teeth on
assembly language and so don't have an intuitive grasp of the nasty
old standard practices? Self-modifying code, jumping or falling into
the middle of instructions, reaching into the midst of libraries to
modify their code or data, and many other things were standard. For
me fiddling with return addresses in stack frames is no different from
fiddling with jump-table vectors, addresses or offsets in jump or
branch instructions, etc. All of those were once standard programming
tools. When you are writing code where literally every bit and cycle
counts, a lot of modern sins become virtues.

Or have you swallowed the trade rag and other espurt "security community"
snake oil that draws zillions of meaningless, useless, intellectually
dishonest distinctions among vulnerabilities, such as snprintf()/sprintf()
vs. fgets/gets()?

Vernon Schryver vjs@rhyolite.com