Monday, September 18, 2006
Buffer Overflow Where?
Recently RiseSecurity publicly disclosed a vulnerability within the XKeyboard extension for X11R6. The funny thing about this vulnerability is just how silly it really is. If you ask anyone nowadays they will tell you that buffer overflows are not as straightforward as they used to be. What I mean by this is that to find buffer overflows in source code about 5 years or so ago, all anyone had to do was grep for some function known to be vulnerable. Now it is true that it's a lot harder to find bugs using the same techniques. This bug, however, is proof positive that the silly bugs from the past still exist in code.
#include <ctype.h>   /* isupper(), tolower() */
#include <string.h>  /* strcmp() */

/* Case-insensitive compare from the XKeyboard extension: lowercases str1
 * into a fixed local array, then hands it to the libc strcmp(). */
static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
    char *str1, *str2;
#endif
{
    char str[256];          /* fixed-size destination, never bounds-checked */
    char c, *s;

    /* Copies every byte of str1 until its NUL; nothing stops s from
     * running past the end of str once str1 is 256 bytes or longer. */
    for (s = str; c = *str1++; ) {
        if (isupper(c))
            c = tolower(c);
        *s++ = c;
    }
    *s = '\0';              /* terminator is written out of bounds too */

    return (strcmp(str, str2));
}


We see here that str1 is directly copied into the local array str, which is 256 bytes. This data copy is done with no consideration of the actual length of the data being copied or the capacity of the destination buffer, which is str in this case. This is pretty much the equivalent of a direct strcpy(). Kind of makes you think just how many bugs are out there that are this easy to spot.
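To make the failure mode concrete, here is an added example (my own code, not from the X.Org tree or the advisory) that does two things: a small check that tells you whether a given input would push the original Strcmp() past its 256-byte array, and a replacement compare that keeps the same result contract (lowercase str1, then compare against str2 as-is) but never copies into an intermediate buffer, so there is nothing left to overflow. The names overflows_original_strcmp, strcmp_lower_nocopy and the 300-byte sample input are all my own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed local array in the original Strcmp() shown above. */
#define ORIG_BUF_SIZE 256

/* Returns 1 if the original Strcmp() would write past its local array for
 * this input. The original loop copies every byte of str1 and then a NUL,
 * so any input of 256 or more characters is already out of bounds. */
int overflows_original_strcmp(const char *str1)
{
    return strlen(str1) + 1 > ORIG_BUF_SIZE;
}

/* Hypothetical hardened replacement (not the vendor fix): same contract as
 * the original, lowercasing str1 only and comparing byte-for-byte against
 * str2, but done in place with no scratch buffer at all. */
int strcmp_lower_nocopy(const char *str1, const char *str2)
{
    for (;; str1++, str2++) {
        unsigned char c1 = (unsigned char)*str1;
        unsigned char c2 = (unsigned char)*str2;
        if (isupper(c1))
            c1 = (unsigned char)tolower(c1);
        if (c1 != c2)
            return (int)c1 - (int)c2;   /* sign matches strcmp() */
        if (c1 == '\0')
            return 0;                   /* both strings ended together */
    }
}

/* Constructed sample input: a 300-byte run of one character, chosen to be
 * longer than the 256-byte array in the original. */
#define SAMPLE_LEN 300
static void fill_sample(char *buf, char ch)
{
    memset(buf, ch, SAMPLE_LEN);
    buf[SAMPLE_LEN] = '\0';
}

/* 1: the 300-byte sample would overflow the original Strcmp(). */
int sample_overflows_original(void)
{
    char buf[SAMPLE_LEN + 1];
    fill_sample(buf, 'A');
    return overflows_original_strcmp(buf);
}

/* 0: the no-copy compare handles the same 300-byte input and reports
 * "AAA..." equal to "aaa..." after lowering str1, with no buffer involved. */
int sample_compare_nocopy(void)
{
    char upper[SAMPLE_LEN + 1], lower[SAMPLE_LEN + 1];
    fill_sample(upper, 'A');
    fill_sample(lower, 'a');
    return strcmp_lower_nocopy(upper, lower);
}

int main(void)
{
    printf("300-byte input overflows original Strcmp(): %d\n",
           sample_overflows_original());
    printf("strcmp_lower_nocopy on the same input: %d\n",
           sample_compare_nocopy());
    printf("\"Foo\" vs \"foo\": %d, \"foo\" vs \"Foo\": %d\n",
           strcmp_lower_nocopy("Foo", "foo"),
           strcmp_lower_nocopy("foo", "Foo"));
    return 0;
}
```

The point of the no-copy version is that the bug was never really about the missing length check; it was about needing a scratch buffer in the first place. Comparing in place removes the buffer, the length check, and the truncation question all at once.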
posted by bannedit at Monday, September 18, 2006