[lug] Security notice and Ramen

Keith Herold herold at cslr.Colorado.EDU
Tue Jan 23 15:34:05 MST 2001 

I thought that the gnu string libraries had some overflow safe variants, allowing
only n characters where n is the size of the buffer, and automatically append a
\0.  Don't remember the names, although CERT or one of the bugtraq pages ought to
detail them.

--Keith

"D. Stimits" wrote:

> "Scott A. Herod" wrote:
> >
> > Not Ramen itself but I have had to deal with an attack from the
> > same root kit.  ( New rule, if you put up a machine outside
> > the firewall, and don't follow the network rules, some friends with
> > tin snips will come visit you and emacs is going to be hard for you to
> > use again. )
> >
> > I'm only familiar with the 6.2 exploit and there, as the advisory
> > probably mentioned, a patched version of statd have been available
> > at least since Nov.
> >
> > As for other holes, I'm sure new ones will be found.  For example,
> > how old is the lpd attack used against RH 7.0?  ( Of course, I've
> > not written enough C/C++ networking code to understand why it's so
> > hard to close buffer overflow attacks. )
>
> A big part of making buffer overflow popular is because of functions
> that expect a NULL-terminated string (i.e., sprintf/sscanf and friends
> are easy to find and work on; using snprintf avoids much of that iff the
> length of the string measured is itself safe, not depending on NULL).
> Those functions are usually part of glibc, and well-known how to work on
> them to break them.
>
> A nice way to avoid making your C/C++ app a target is to not use
> NULL-terminated char string C/C++ functions (for example, use a
> std::string instead of char*), without a predefined means of limiting
> how far it is going to allow that string length limit. How many
> applications out there might use a char* style string? HUGE list.
>
> >
> > Scott
> >
> > John Starkey wrote:
> > >
> > > Has anyone had to deal with the ramen toolkit? I was just made aware that
> > > some machines on the same network as mine have been compromised. I'm not
> > > running any of the specified services and it looks like i'm clear but CERT
> > > just issued the Incident Note last week. So i'm wondering if there are any
> > > other holes that could be used?
> > >
> > > Funny, their using /usr/src/.poop as the root dir. Such jokers :}
> > >
> > > TIA,
> > >
> > > John
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list