[Esa-l] html-trap.procmail 1.113 a bit too hair triggered...

Phil Pennock pdp at nl.demon.net
Fri Jul 28 04:41:30 PDT 2000


On 2000-07-27 at 12:06 -0500, Brian Hanna wrote:
> Now causing the buffer overflow would most likely take a lot
> more characters. This was just the easter egg. But someone could
> target your 121 byte word limit by just throwing in a few spaces
> once in a while, no?

I've seen exploits on BugTraq which just required _one_ character more
than the buffer-length allowed for.

And this is email - if you want to actually use more code, you 'just'
need to include it in the message body and cause a jump to there.  My
assembler isn't up to that, but jumping to exploit code on the heap,
obtained without any buffer-length restrictions _there_, has been
documented for at least one vulnerability on BugTraq.  Documented in a
"here's how you do it generally" way.

Anything which tries to protect broken software can only make a best
effort attempt.  You're not going to catch all the possible exploits,
and if you treat the sanitizer as more than a useful tool to _limit_ the
danger, then you're deceiving yourself.

*shrugs*  Sorry, that's the way the world is.
-- 
Phil Pennock                        <pdp at nl.demon.net> <Phil.Pennock at thus.net>
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
Sales: +31 20 422 20 00                                Support: 0800 33 6666 8
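The point in the message above, that a 121-byte word cap in the filter says nothing about the size of the buffer in the mail client that actually overflows and that one byte past it is enough, can be shown in a few lines. What follows is an added example written for this archive page; it is not code from the thread, from Phil Pennock or from html-trap.procmail. It simulates the vulnerable parser's stack frame as a flat byte array so the overflow is deterministic instead of undefined behaviour, and the 120-byte target buffer, the 4-byte "saved value" after it and the test words made of 'A's are all assumptions for illustration.

```c
/*
 * Added example, not code from this thread or from html-trap.procmail.
 * Models the situation described in the message: a sanitizer caps words
 * at 121 bytes, but the bound that matters is the target program's own
 * buffer, and one byte past it is enough.  The parser's stack frame is
 * simulated as a flat byte array so the overflow is deterministic rather
 * than undefined behaviour.  The 120-byte buffer and the 4-byte saved
 * value after it are assumptions; no real mail client is being modelled.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TARGET_BUF      120   /* hypothetical fixed buffer in the mail client */
#define SANITIZER_LIMIT 121   /* word-length cap quoted in the thread        */
#define SAVED_LEN       4     /* "saved pointer" that sits right after it    */

/* Simulated frame: the buffer, then a 4-byte value the program relies on. */
struct frame {
    unsigned char mem[TARGET_BUF + SAVED_LEN];
};

static const unsigned char SAVED_MARK[SAVED_LEN] = { 0xAA, 0xBB, 0xCC, 0xDD };

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + TARGET_BUF, SAVED_MARK, SAVED_LEN);
}

/* The sanitizer's check: is the word within its limit? */
int sanitizer_passes(const char *word)
{
    return strlen(word) <= SANITIZER_LIMIT;
}

/* The broken software: a strcpy-style copy with no bound on the destination.
 * Returns how many bytes, NUL included, landed past the end of the buffer. */
size_t copy_word_unbounded(struct frame *f, const char *word)
{
    size_t n = strlen(word) + 1;          /* strcpy copies the terminator too */
    size_t i;
    for (i = 0; i < n && i < sizeof f->mem; i++)
        f->mem[i] = (unsigned char)word[i];
    return n > TARGET_BUF ? n - TARGET_BUF : 0;
}

/* The fix belongs in the software, not in the mail filter: a bounded copy
 * that truncates and keeps the terminator inside the buffer. */
size_t copy_word_bounded(struct frame *f, const char *word)
{
    size_t n = strlen(word);
    if (n > TARGET_BUF - 1)
        n = TARGET_BUF - 1;
    memcpy(f->mem, word, n);
    f->mem[n] = '\0';
    return 0;
}

static int saved_intact(const struct frame *f)
{
    return memcmp(f->mem + TARGET_BUF, SAVED_MARK, SAVED_LEN) == 0;
}

/* Push a constructed word of `len` 'A's (not real mail data) through the
 * sanitizer and then the copier.  Returns bytes written past the buffer and
 * reports through *intact whether the saved value survived. */
size_t deliver(size_t len, int bounded, int *intact)
{
    char word[SANITIZER_LIMIT + 16];
    struct frame f;
    size_t over = 0;

    if (len >= sizeof word)
        len = sizeof word - 1;
    memset(word, 'A', len);
    word[len] = '\0';

    frame_init(&f);
    if (sanitizer_passes(word))
        over = bounded ? copy_word_bounded(&f, word)
                       : copy_word_unbounded(&f, word);
    *intact = saved_intact(&f);
    return over;
}

size_t overflow_bytes(size_t len, int bounded)
{
    int intact;
    return deliver(len, bounded, &intact);
}

int saved_survives(size_t len, int bounded)
{
    int intact;
    deliver(len, bounded, &intact);
    return intact;
}

int main(void)
{
    size_t lens[] = { TARGET_BUF - 1, TARGET_BUF, SANITIZER_LIMIT, SANITIZER_LIMIT + 1 };
    size_t k;
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("%3zu-byte word: sanitizer %s, %zu byte(s) past the buffer, saved value %s\n",
               lens[k], lens[k] <= SANITIZER_LIMIT ? "passes" : "blocks",
               overflow_bytes(lens[k], 0),
               saved_survives(lens[k], 0) ? "intact" : "clobbered");
    return 0;
}
```

Running it shows the gap between the two limits: a 119-byte word fits, a 120-byte word passes the filter and its terminator alone clobbers the first byte after the buffer, a 121-byte word clobbers two, and only at 122 bytes does the filter step in. Raising or lowering the filter's cap just moves where the damage starts; the bounded copy removes it regardless of what the filter lets through.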