Newsgroups: comp.os.386bsd.questions,comp.os.386bsd.development,comp.os.386bsd.misc
From: mhw@cs.brown.edu (Mark Weaver)
Subject: Re: Why does FreeBSD 1.1.5 say gets() is unsafe?
Message-ID: <1994Jul31.052235.13416@cs.brown.edu>
Sender: news@cs.brown.edu
Organization: Brown University Department of Computer Science
References: <30lrf3$2ii@acmez.gatech.edu> <ASAMI.94Jul25151654@forgery.cs.berkeley.edu> <311m2e$o33@agate.berkeley.edu> <311uec$4cm@grapevine.lcs.mit.edu>
Date: Sun, 31 Jul 1994 05:22:35 GMT
Lines: 29

In article <311uec$4cm@grapevine.lcs.mit.edu>, Garrett Wollman <wollman@ginger.lcs.mit.edu> wrote:
>I wonder what it would take to convince gets() to execute `system("rm
>-rf /")'...

First let me say that a program which uses gets() is not inherently insecure if it only reads from a secure source (a trusted file or output from another trusted program).

However, if it reads from an insecure source, and gets() reads into a local character array, it can be used to carefully overwrite the stack, so that when the function returns, it actually returns to the start of the system() routine in libc with a pointer to "rm -rf /" at the appropriate place on the stack. The pointer would be to a place slightly earlier in the stack which would also be overwritten.

This may seem infeasible, but it really is quite doable. All you need to know is the load address of system() and the address of the stack pointer when the given routine is called.
Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu       | Brown University
PGP Key: finger mhw@cs.brown.edu   | Dept of Computer Science
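Added example, not part of Mark Weaver's post or of FreeBSD's libc: the defect the thread is about is that gets() is handed a pointer to a fixed-size local array but is never told its size, so any input longer than the array keeps writing past it into whatever the compiler laid out next on the stack (saved registers, the return address). The bounded reader below, read_line_bounded(), is a hypothetical replacement built on fgets(); it knows the buffer size, reports a line that did not fit, and drains the rest of that line so a later read does not see a fragment of it. The buffer size LINE_MAX_HYP, the constructed SAMPLE_INPUT and the scan_lines() driver are all assumptions made for the demonstration; fmemopen() is used only so the sample runs offline against an in-memory stream.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Deliberately tiny buffer, chosen for the demonstration (an assumption). */
#define LINE_MAX_HYP 16

/* The pattern the post warns about, shown only as a comment: gets() has
 * no way of knowing that `line` holds LINE_MAX_HYP bytes, so a longer
 * input line is written straight past the end of the array.
 *
 *     char line[LINE_MAX_HYP];
 *     gets(line);                      -- unbounded write into a local array
 */

/* Bounded replacement. Returns:
 *   1  a complete line that fit in buf (newline stripped)
 *   0  end of input, nothing read
 *  -1  the line was longer than buf allowed; the remainder was discarded
 *      so the next call starts on a fresh line rather than a fragment. */
int read_line_bounded(FILE *fp, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, fp) == NULL)
        return 0;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* normal case: whole line fit */
        return 1;
    }

    /* No newline in buf: the buffer filled up, or EOF ended the line. */
    int c = fgetc(fp);
    if (c == EOF)
        return 1;                     /* final line without a newline, fully read */
    if (c == '\n')
        return 1;                     /* line was exactly bufsz-1 bytes; it fit */

    /* Overlong line: consume it to the newline instead of letting the
     * tail be returned as if it were the next line. */
    while (c != '\n' && c != EOF)
        c = fgetc(fp);
    return -1;
}

struct line_stats { int accepted; int rejected; };

/* Driver over a constructed in-memory input: counts lines that fit and
 * lines that were rejected as too long for the buffer. */
struct line_stats scan_lines(const char *text, size_t bufsz)
{
    struct line_stats st = {0, 0};
    char buf[LINE_MAX_HYP];
    if (bufsz > sizeof buf)
        bufsz = sizeof buf;           /* never claim more room than we have */

    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return st;

    int rc;
    while ((rc = read_line_bounded(fp, buf, bufsz)) != 0) {
        if (rc == 1)
            st.accepted++;
        else
            st.rejected++;
    }
    fclose(fp);
    return st;
}

/* Constructed sample input: one short line, one line far longer than the
 * 16-byte buffer, and a final line with no trailing newline. */
static const char SAMPLE_INPUT[] =
    "ls -l\n"
    "this line is much longer than the sixteen byte buffer\n"
    "exit";

int main(void)
{
    struct line_stats s = scan_lines(SAMPLE_INPUT, LINE_MAX_HYP);
    printf("accepted=%d rejected=%d\n", s.accepted, s.rejected);
    return 0;
}
```

The point of returning -1 rather than silently truncating is that a caller can log or reject the oversized record; silently keeping the first 15 bytes and treating the rest as a new line is how a bounded read still ends up processing input the sender never meant as a separate command.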