LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-05-2009, 04:18 PM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Post Hacker cashes in on djbdns' $1,000 security guarantee


Code:
--- response.c.orig     2009-02-24 21:04:06.000000000 -0800
+++ response.c  2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
         uint16_pack_big(buf,49152 + name_ptr[i]);
         return response_addbytes(buf,2);
       }
-    if (dlen <= 128)
+    if ((dlen <= 128) && (response_len < 16384))
       if (name_num < NAMES) {
        byte_copy(name[name_num],dlen,d);
        name_ptr[name_num] = response_len;
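Review bot: the `response_len < 16384` condition added on the `+` line bounds the offset that gets recorded into `name_ptr[name_num]` a few lines later, not the `byte_copy` into `name[name_num]`; the reason is visible at the top of the hunk, where a pointer is emitted as `uint16_pack_big(buf,49152 + name_ptr[i])`. 49152 is 0xC000, the two marker bits of a DNS compression pointer, which leaves 14 bits (a maximum of 16383) for the offset, so packing `49152 + offset` for any offset of 16384 or more yields a 16-bit value whose top two bits are no longer 11 and that a resolver parses as a label rather than a pointer. The fix would read better with the magic number replaced by a named constant or a one-line comment saying 16384 is the limit of the 14-bit pointer field, and the braceless nested `if` makes it easy to misread which statement the new condition guards; a braced block around the inner `if (name_num < NAMES)` would make the scope explicit.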
Yes, that's the $1,000 patch. Pretty neat, huh? The article is here; I ran into it on Slashdot.

I give serious kudos to Bernstein if he goes through with the award.

Last edited by win32sux; 03-05-2009 at 04:20 PM.
 
Old 03-05-2009, 04:37 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

I was reading about this, all quite interesting and a little embarrassing, but it's only $1,000. I don't get out of bed for less than that.
 
Old 03-05-2009, 05:15 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by win32sux
Pretty neat, huh?
Indeed. Kudos to the researcher that found it.
I mean, when was the last time a vuln was found in this product?...


Quote:
Originally Posted by acid_kewpie
it's only $1,000. I don't get out of bed for less than that.
This is the LQ Linux Security forum. Posting on-topic remarks is appreciated. Thanks for understanding.
 
Old 03-05-2009, 05:22 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by unSpawn
Indeed. Kudos to the researcher that found it.
Oh yeah, him too.
 
Old 03-06-2009, 03:11 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Actually I guess it would work in his favour really. Saying one security bug in a decade suggests a more secure product than one just tagged as "I think this is secure"... No idea what kind of a commercial slant he has on djbdns though... maybe more so in the near future.

Last edited by unSpawn; 03-06-2009 at 01:09 PM. Reason: Moderation
 
Old 03-06-2009, 04:10 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by acid_kewpie
Actually I guess it would work in his favour really.
Most definitely. I don't know if he pictured this when he came up with the $1,000 reward, but if he did then he's pure genius. The awesome thing is that even though it's a marketing ploy, it's still based on actual proven results, which in today's world is not a common sight.
 
Old 03-07-2009, 03:33 AM   #7
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Well, I think it's definitely a good incentive for people to try to find bugs in it. $1000 per bug is quite a lot, IMO.
 
Old 03-07-2009, 09:59 AM   #8
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Quote:
Originally Posted by win32sux
Code:
--- response.c.orig     2009-02-24 21:04:06.000000000 -0800
+++ response.c  2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
         uint16_pack_big(buf,49152 + name_ptr[i]);
         return response_addbytes(buf,2);
       }
-    if (dlen <= 128)
+    if ((dlen <= 128) && (response_len < 16384))
       if (name_num < NAMES) {
        byte_copy(name[name_num],dlen,d);
        name_ptr[name_num] = response_len;
Yes, that's the $1,000 patch. Pretty neat, huh? The article is here; I ran into it on Slashdot.

I give serious kudos to Bernstein if he goes through with the award.
This stops a buffer overflow, correct?
 
Old 03-07-2009, 12:32 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

yep.
 
Old 03-07-2009, 12:55 PM   #10
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Quote:
Originally Posted by abefroman
This stops a buffer overflow, correct?
No.
 
Old 03-07-2009, 02:31 PM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Quote:
Originally Posted by alan_ri
No.
Am I being a muppet then? How is that not an overflow?
 
Old 03-07-2009, 03:14 PM   #12
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by acid_kewpie
Am I being a muppet then? How is that not an overflow?
I'm no expert, but I agree that it is an overflow prevention. It's checking to see that 'response_len < 16384', not sure what response_len is but it seems to be a length, and so it's probably preventing an overflow of 'response', if it exists.
 
Old 03-08-2009, 06:35 PM   #13
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

All I wanted to say is that I think that the code in question doesn't stop a buffer overflow by itself, and I based my answer on what I've read here. Correct me if I'm wrong.
 
Old 03-09-2009, 11:44 AM   #14
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by alan_ri
All I wanted to say is that I think that the code in question doesn't stop a buffer overflow by itself, and I based my answer on what I've read here. Correct me if I'm wrong.
Quote:
A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.
Well, that's exactly what's happening here, before the fix there was likely insufficient bounds checking.

Code:
-    if (dlen <= 128)
+    if ((dlen <= 128) && (response_len < 16384))
       if (name_num < NAMES) {
        byte_copy(name[name_num],dlen,d);
        name_ptr[name_num] = response_len;
I think the red line is somewhat dangerous without bounds checking on response_len first.
 
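The posts above disagree about what the `response_len < 16384` check protects. The two lines of the patch that settle it are `uint16_pack_big(buf,49152 + name_ptr[i])` and `name_ptr[name_num] = response_len`: a DNS compression pointer is two bytes whose top two bits are 11 (0xC000, that is 49152) and whose remaining 14 bits carry an offset into the message, so only offsets below 16384 are representable. The following C program is an added illustration of that arithmetic, written for this thread; it is not djbdns code and not code from anyone posting here. The names POINTER_FLAG, MAX_POINTER_OFFSET and the encode/decode functions are mine, and the only assumption about djbdns is that uint16_pack_big stores its argument as a big-endian 16-bit value, truncating anything larger.

```c
#include <stdio.h>

/* Added illustration, not djbdns code. Constant and function names are
 * assumptions made for this example. */

#define POINTER_FLAG       49152u  /* 0xC000: the "11" marker bits of a compression pointer */
#define MAX_POINTER_OFFSET 16384u  /* 14 bits remain for the offset, so it must be < 16384 */

/* Big-endian 16-bit store (assumed shape of uint16_pack_big).
 * Any value above 65535 is silently truncated to its low 16 bits. */
static void pack_big16(unsigned char buf[2], unsigned int value)
{
  buf[0] = (unsigned char)(value >> 8);
  buf[1] = (unsigned char)(value & 0xFF);
}

/* The check the patch adds: can this message offset be carried in a pointer? */
int offset_fits_pointer(unsigned int offset)
{
  return offset < MAX_POINTER_OFFSET;
}

/* Pre-patch shape: pack the pointer whatever the offset is. */
void encode_pointer_unchecked(unsigned char buf[2], unsigned int offset)
{
  pack_big16(buf, POINTER_FLAG + offset);
}

/* Post-patch shape: refuse offsets that cannot be represented.
 * Returns 1 when a pointer was written, 0 when the caller must instead
 * write the name out in full (which is what the patched code falls back to
 * by not recording the name for compression). */
int encode_pointer_checked(unsigned char buf[2], unsigned int offset)
{
  if (!offset_fits_pointer(offset))
    return 0;
  pack_big16(buf, POINTER_FLAG + offset);
  return 1;
}

/* Resolver side (RFC 1035, section 4.1.4): the top two bits of the first
 * byte decide whether it is a label length (00) or a pointer (11). */
int is_pointer(const unsigned char buf[2])
{
  return (buf[0] & 0xC0) == 0xC0;
}

unsigned int pointer_offset(const unsigned char buf[2])
{
  return ((unsigned int)(buf[0] & 0x3F) << 8) | buf[1];
}

/* What a resolver would make of an unchecked pointer for `offset`:
 * the offset it follows, or -1 if the two bytes no longer look like a
 * pointer at all (they then parse as a label or a reserved label type,
 * and the rest of the message is interpreted from the wrong position). */
int resolver_view_unchecked(unsigned int offset)
{
  unsigned char buf[2];
  encode_pointer_unchecked(buf, offset);
  if (!is_pointer(buf))
    return -1;
  return (int)pointer_offset(buf);
}

int main(void)
{
  /* Constructed sample offsets: two that fit, three that do not. */
  unsigned int samples[] = { 100, 16383, 16384, 20000, 40000 };
  unsigned char buf[2];
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    unsigned int off = samples[i];
    int seen = resolver_view_unchecked(off);
    encode_pointer_unchecked(buf, off);
    printf("offset %5u -> bytes %02x %02x -> resolver sees %s",
           off, buf[0], buf[1], seen < 0 ? "NOT a pointer" : "pointer to");
    if (seen >= 0)
      printf(" %d", seen);
    printf("; checked encoder %s\n",
           encode_pointer_checked(buf, off) ? "accepts" : "rejects");
  }
  return 0;
}
```

Build with `cc -o ptrdemo ptrdemo.c && ./ptrdemo`. Offsets 100 and 16383 round-trip cleanly; from 16384 upward the packed bytes lose the 11 marker bits, so the unchecked encoder emits something a resolver no longer reads as a pointer, while the checked encoder declines and leaves the name to be written uncompressed. That is the sense in which the patch stops an "overflow": the 14-bit pointer field overflows, not the `name` buffer, whose copy is still bounded by the separate `dlen <= 128` and `name_num < NAMES` checks.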
Old 03-12-2009, 10:45 PM   #15
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Quote:
Originally Posted by H_TeXMeX_H
I think the red line is somewhat dangerous without bounds checking on response_len first.
Hi Tex,
Somehow I didn't see your reply until now.
Well, I'd say that response_len checking is all that this patch is about, so of course that red line without bounds checking on response_len first would be dangerous, but that's not what I had in mind.
If you read this:
Quote:
A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways:
  • By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker.
  • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.
  • By overwriting a function pointer, or exception handler, which is subsequently executed.
or this:
Quote:
Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.
then you'll see that this patch isn't preventing buffer overflow completely, only in a way.
There are more examples in the link I posted before.

Last edited by alan_ri; 03-12-2009 at 10:47 PM.
 