Your snprintf does nothing for you. You can still overwhelm it with too many format characters. Do the reading before you post ways for people to fix a problem.
Please don't pass yourself off as an expert offering advice on how to fix the problem unless you really are! --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Nope, not exactly a buffer overflow. It is a form of stack smashing attack. Essentially you use a format string with a whole bunch of %x or % whatevers. As printf goes through, it reads the value of these like a vararg function, it starts with the address in the frame that would normally hold the second parameter (which wasn't passed) and continues to read and attempt to format memory. Since parameters weren't passed, the memory it is dealing with is the actual text of the executable. After a while, Boom, you get a coredump in the setuid executable. End game. Take a look at lwn.net for a really good explanation. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
This is actually a problem in the gettext routine. It allows a person with a local account to create a custom locale that includes format strings inside the internationalization code. The answer is simple, drop the locale related variables from setuid environments. What was not mentioned in the article is that for the current cases, this requires a local account on the machine and setuid that doesn't drop the correct variables from the environment. If you don't use internationalized setuid programs, you should be okay.
Mike --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
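The three posts above make one point: a size-bounded snprintf is no protection when the format string itself is untrusted, and gettext catalogs are a way an untrusted format string reaches a setuid program. This added example (not code from the thread or from gettext) shows the two defensive checks a reviewer would want: a count of argument-consuming conversions in a string, a comparison of a translated catalog entry against its original (the same idea as msgfmt's format check), and the fixed-format idiom that makes the untrusted text data rather than format.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversions in a string, skipping the literal "%%".
 * Each one makes printf-family functions pull another vararg off the
 * caller's frame, which is why an untrusted format string is dangerous
 * regardless of the snprintf size bound. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints one '%' and consumes no argument */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Reduce a format string to its conversion letters, e.g. "%d of %-8s" -> "ds".
 * Flags, width, precision and length modifiers are skipped. A '*' width also
 * consumes an argument; it is skipped here and would need its own handling
 * in a production checker. Returns the number of conversions found. */
static int conversion_signature(const char *fmt, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        if (n + 1 < outsz)
            out[n] = *p;
        n++;
    }
    if (outsz)
        out[n < outsz ? n : outsz - 1] = '\0';
    return (int)n;
}

/* A catalog entry returned by gettext may be used as a format string only if
 * it requests exactly the same conversions, in the same order, as the
 * untranslated original. Anything else (extra %x, %n, reordered %s/%d) is
 * rejected and the caller should fall back to the original text. */
int translation_is_safe(const char *original, const char *translated)
{
    char a[64], b[64];
    conversion_signature(original, a, sizeof a);
    conversion_signature(translated, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* The fix for untrusted text: pass it as the argument of a fixed "%s"
 * format, never as the format itself. */
int format_untrusted(char *dst, size_t dstsz, const char *untrusted)
{
    return snprintf(dst, dstsz, "%s", untrusted);
}
```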
I went to a big football school, The Ohio State University. For every football student that couldn't read, I can show you 10 non football students who couldn't read. The only real difference is that you hear the football players talk on TV. People that play football for a university are helping, just as the students are. Quite a few people hear about OSU because our sports teams are consistently good. Our last two presidents have worked hard to increase our educational standards as well. Football is just good marketing for us.
It's pretty sad that people on slashdot are so exclusive. Sure, your average football player may not have the same IQ as some of the people here. They may not know anything about our beloved computers. Just remember, you probably don't know a whole lot about their interests. They can probably call you stupid because you don't know much about football.
There are uneducated people everywhere you go. Try to have some tolerance and understanding. At least the football players have some motivation and drive to try to do something! --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
I'm sorry to hear that you dropped out. You did have a choice though. I put myself through school while working full time. The key is to make sure your employer is flexible and to make sure you work hard. If you aren't willing to put in 80 hours a week between school and work, that is fine, as long as you understand you made your choice. School is not meant to be easy. I applaud any school that makes their students work hard.
My recommendation to those that want to work while in school is to make sure your employer knows that you taking 1 or 2 classes a quarter is a condition for your employment. If you work hard enough to become very good at what you do, this shouldn't be a problem. If you don't want to work this hard, you get what you put in. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
This has been done by many people before. Victoria's Secret Catalog has done this for years. They ask for a catalog code when you call in. That lets them know which price they should charge. They do this for marketing purposes to see how much they can charge the consumer for.
They are just trying to maximize revenue. If they find out they can sell it for 20% more and lose 1% of the sales, they will. They are searching for the most profitable price. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Couldn't you call it circumventing an access control mechanism? Obviously css was broken quickly as well, does that constitute encryption?
Note: I am responding to all comments to my post here. The reason I mentioned the DMCA and encryption is that the output of the wand is not the actual barcode, it is a modified (base64+xor) version. It sounds like the reverse engineering of this data is what concerns the company.
I was glad to see the number of constructive and correcting replies to my comment. I like to know when I am wrong about something, and I really like it when people explain my mistake nicely.
--
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Then you would need a legally binding contract signed by both parties. You can't just hand somebody something and then say that it was given under a list of terms and conditions. You have the right to be notified of the terms and conditions before you accept them.
Also, doesn't the right of first sale come in to play here? Once they give it away, they are stuck with whatever I choose to use it for.
As one final note, I know that they will say encryption was broken under the DMCA, however, when you read this you are breaking my encryption of the post. I encrypted it by converting all characters to their ASCII values. Everyone who reads this post has now broken my encryption to view copyrighted material. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
There is a cost involved in making buildings and businesses handicapped accessible. The number of handicapped people is low enough that it is not a good profit/loss incentive to make your business accessible. The laws were created because nothing was accessible. Now that the government has prodded, things are changing, albeit at a cost to all consumers. Equal access and an end to discrimination is important enough that it should not be left up to capitalistic moderation. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
If you have a box on the net you really need to make sure that addresses coming in on an interface match the interface. There should be plenty of example firewall scripts that do just that. It is important to make sure people can't tunnel into your firewall and look like they are coming from inside your network.
As a rule, 127.* should only be accepted on loopback, if you use 192.168.*, only packets addressed to addresses in that range and coming from that range should be accepted.
Publicly accessible interfaces MUST drop all packets with destination and source addresses in the unroutable range. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
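The ingress rules the post states (127.* only on loopback, the private range only when both ends are inside it, and nothing unroutable on the public side) written out as a packet check. This is an added example, not a script from the thread; the interface names "lo", "eth1" (LAN, 192.168.0.0/16) and "eth0" (public) and all addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into host byte order; returns 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* True when addr lies inside net/prefix. */
int in_block(uint32_t addr, uint32_t net, int prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* The unroutable ranges the post refers to: loopback plus RFC 1918 space. */
static const struct { uint32_t net; int prefix; } UNROUTABLE[] = {
    { 0x7F000000u, 8  },   /* 127.0.0.0/8 */
    { 0x0A000000u, 8  },   /* 10.0.0.0/8 */
    { 0xAC100000u, 12 },   /* 172.16.0.0/12 */
    { 0xC0A80000u, 16 },   /* 192.168.0.0/16 */
};

int is_unroutable(uint32_t addr)
{
    for (size_t i = 0; i < sizeof UNROUTABLE / sizeof UNROUTABLE[0]; i++)
        if (in_block(addr, UNROUTABLE[i].net, UNROUTABLE[i].prefix))
            return 1;
    return 0;
}

enum verdict { DROP = 0, ACCEPT = 1 };

/* Anti-spoofing verdict for one inbound packet on the named interface.
 * Assumed (constructed) topology: "lo" loopback, "eth1" faces the
 * 192.168.0.0/16 LAN, "eth0" is the public interface. A box that also
 * routes LAN traffic outward would relax the destination half of the
 * eth1 rule; the post's stricter wording is kept here. */
int ingress_verdict(const char *iface, const char *src_s, const char *dst_s)
{
    uint32_t src, dst;
    if (!parse_ipv4(src_s, &src) || !parse_ipv4(dst_s, &dst))
        return DROP;                       /* malformed address: fail closed */

    int src_lo  = in_block(src, 0x7F000000u, 8),  dst_lo  = in_block(dst, 0x7F000000u, 8);
    int src_lan = in_block(src, 0xC0A80000u, 16), dst_lan = in_block(dst, 0xC0A80000u, 16);

    if (strcmp(iface, "lo") == 0)
        return ACCEPT;                     /* loopback is the only place 127/8 belongs */
    if (src_lo || dst_lo)
        return DROP;                       /* 127.* arriving on a real interface is spoofed */
    if (strcmp(iface, "eth1") == 0)
        return (src_lan && dst_lan) ? ACCEPT : DROP;
    if (strcmp(iface, "eth0") == 0)
        return (is_unroutable(src) || is_unroutable(dst)) ? DROP : ACCEPT;
    return DROP;                           /* unknown interface: fail closed */
}
```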
You will probably find that the companies that benefit from the research also funded it. In the academic community, I would suspect the majority of grant money comes from industry looking for research to help their given field. Without industry funding the research, it probably wouldn't occur.
If industry is funding the research, why shouldn't they profit from it? If the university allows its people to do research for corporations, why shouldn't they get a piece of the pie as well! --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Actually, on non-braindead systems this is not the case. Most UNIX systems do not allow you to give away files. If you can give away files to root and other users, you can easily defeat the quota systems. You can also create some subtle attacks on various things like global .forward directories.
--
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
You must have misread the article. 1600 new doctors a year - 500 doctors to the U.S. is not a net loss of doctors. It is, in fact, a net gain of roughly 1100 doctors a year. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Sun Microsystems has a desktop system called a Sun Ray that does exactly what you describe above. Each person has a card that identifies them. When you want to log out, you just take your card out of the machine (it is hot swappable). When you want to start working again, you just plug the card into any other Sun Ray on the same network. Your desktop appears exactly how you left it! In the age of wireless networking, this is an extremely feasible thing, you just make the server maintain state and allow access by anyone with the appropriate credentials. (I wonder how hard this would be to hack into X?)
Mike --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
Whose salesforce? If the Microsoft sales force becomes more productive due to the new name and they sell more copies of win2k, they could actually make this a true statement. It would be deceptive as all hell, though. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
This is completely legal. Collection agencies use autodialers, where a machine dials lots of numbers and when a person (or answering machine) picks up the phone, it transfers the line to them. I worked as a bill collector on an autodialer. It is a great way to make a whole lot of calls quickly.
Mike --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
This is absolutely and completely false. Almost every buffer overflow is exploitable. All you do is to overwrite the memory space with code to execute. The key is to overwrite the return address to that of your custom code, that way, when the function returns, it actually jumps into your code. This can be done with Eudora, or Pegasus, or anything else. The key is that the message you use to overflow the buffer must contain executable code.
There is nothing that says overflow... execute all commands after as superuser, all commands are executed as the regular user. The problem with Windows is that there isn't a good distinction. Root exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.
There are actually several things you can do to fix this, the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
While you make a good point here, your comments are a little bit misleading. Charlie Parker used to improvise over melodies from other songs and cover some songs. That is very different than taking another musician's recording of the music and selling it on his record.
While I agree that what Parker and most other Jazz musicians have done is okay (even Metallica has done it, listen to Don't Tread on Me, then listen to America from West Side Story) I don't agree that copying and redistributing a performance is an acceptable and desirable practice. --
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
I don't believe this is correct, you can't force someone to sign away their rights. Even if I sign the form when I go skydiving, if I die due to negligence on the part of the skydiving company, my estate has the right to sue. You can not force someone to give up rights in this way. That is, after all, why they are rights. --
Mike Mangino
Consultant, Analysts International
This still doesn't work. The limiting factor in these applications is bandwidth. Getting large updates from the other spiders will choke the applications. Plus, you need to keep a single list of all visited sites so that the spiders don't duplicate effort.
I think what you are suggesting is possible, but it would be extremely difficult to implement correctly. If you are interested in attempting to implement this, let me know. I'm working on a search engine backend that could be used for this.
Mike --
Mike Mangino
Consultant, Analysts International
This has been suggested several times before on slashdot, and is as unlikely now as ever. Parallelizing a search engine would probably make it slower, as the latency between machines on the internet (not to mention the bandwidth) is terrible. Imagine if I search for United States and get 5 million hits on each from different machines. You then have to transfer the hitlists to one of the machines and do the comparison. You just got killed on your fast clause.
What would be more useful is a cluster of machines, each having the whole database. You would have to update all machines every night, but you might gain something from this approach. --
Mike Mangino
Consultant, Analysts International
What if you compiled the original code with performance analysis included, and then fed that performance analysis back into a traditional compiler to execute again. In this way, you get all of the benefits of the above JIT system without the running overhead of the JIT. Sure, it takes a few thousand runs to get the program optimized, and you can only optimize for the average case, but most programs that need to be heavily optimized will have a roughly similar execution pattern every time.
I may be wrong, but you can do this with the SUNWspro workshop compilers. This technology would be nice to have in gcc as well.
Mike --
Mike Mangino
Consultant, Analysts International
This isn't at all like your landlord saying you can only have sex in the missionary position. It is more like your landlord saying you can't run a hotel or a business from your residence, or that you can't use your residence as a homeless shelter. All of these things go against the intended use of the facility, and against the agreed use of the facilities.
You have rights in your own house only as long as you aren't infringing on other people's rights. If I start a homeless shelter in my house, I can be thrown out for being too loud or violating my agreement with my landlord. If you use napster and cause the network to slow down, you should be kept from using napster.
Personal liberties are great, as long as you realize that your personal liberties don't take precedence over mine. --
Mike Mangino
Consultant, Analysts International
I have a 1.5 year old PowerBook G3 that runs Linux and MacOS. LinuxPPC isn't as nice as I would like (the development stuff sucks in my experience, although I could have screwed up the install). I've had great luck with Yellow Dog Linux though. My only complaint is the lack of accelerated video drivers. Again, that may be my inexperience. I have found LinuxPPC and YDL a little more difficult to get up and running than Intel or SPARC, but in general things run great. --
Mike Mangino
Consultant, Analysts International
Unless major plans change, the rumors are true. The CLI won't install by default, but can be installed. It certainly works in the developer previews and Mac OS X Server. --
Mike Mangino
Consultant, Analysts International