RE: Are bad developer libraries the problem with M$ software?

This thread is making a couple of points to me:

1.  Secure coding requires intermediate skill (at minimum) in the language being used.
2.  Some languages require use of explicit security features, others require careful use of base features; see #1.
3.  Code that looks "secure" or "safe" may give a false sense of security; see #1.

All of which goes back to Fred Brooks. One skilled, disciplined developer cannot be replaced by any number of lesser skilled developers--regardless of the tools they use. And it is my belief that tools and languages differ primarily in the time it takes to get basic literacy, not in the time it takes to master them; advanced knowledge of any language/environment never takes less than about 5 years.

BTW, this whole array vs. pointer issue has a further set of subtleties that have not yet been touched on; check out "Deep C Secrets" by Peter Van Linden, who dedicates a whole chapter to this topic.

-----Original Message-----
From: Andrew Griffiths [mailto:andrewg@d2.net.au] Sent: Monday, November 18, 2002 3:11 PM
To: Casper Dik
Cc: Frank Knobbe; Michael Howard; phani@myrealbox.com; secprog@securityfocus.com
Subject: Re: Are bad developer libraries the problem with M$ software?

Hi all,

>

Another thing to use is consistency, for example,

char dst[50];
strncpy(dst, user_supplied_data, sizeof(dst)); strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This could be exploitable if user_supplied_data is 50 or more bytes long.

In specific,

50 - 50 - 1 == -1

Since strncat's len parameter is size_t (which is unsigned), strncat is willing to append _way_ to many bytes. IIRC, some fingerd's had this problem (possibly some identd, *shrug*).

Similar things can be done to snprintf and so on. A wrapper around those   library calls could be used to check if its unsigned (and wouldn't have that much drawback, because I can't think of anything that'd do a  >2G string operation normally), by using int as opposed to size_t.

I guess this comes to the class of integer over/under flows now :)

Sincerely,
Andrew Griffiths

Get your free encrypted email at https://www.hushmail.com Received on Wed Nov 20 06:08:27 2002

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek