Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq?

Senkwe — Fri, 29 Oct 2004 19:54:00 GMT

Wow :-). Anyway I don't think that was an official fix though, just one guy "patching" his own source. I'm pretty sure this fix wouldn't have made it into the release version.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Michael Howard — Fri, 29 Oct 2004 19:58:00 GMT

You are absolutely correct - this is not an Apache Group fix, and I updated the text to reflect this.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Mike Dimmick — Fri, 29 Oct 2004 20:35:00 GMT

It almost looks as though that user has blindly searched for strcpy in the sources and replaced with strncpy - missing the point that strcpy *can* be safe *if-and-only-if* you've already checked the length of the string you're going to copy and you're sure it will fit. The line just above the diff context reads:

if ((strlen(user) + 1 + strlen(cpw)) > (rlen - 1)) {

where record and rlen are arguments to the function.

Mind you, if you've done that, you might as well call memcpy - since you already know the length, there's no need to check for the null terminator, requiring only a counted copy.

This reinforces my general feeling about open source. If this is the quality of the 'many eyes' looking at the code, how can you say that the quality will be in any way improved over commercial development - or even equal it? This user knows just enough to be dangerous.

Even more ironic is that this code appears to be part of a user tool (also named htpasswd) for generating .htpasswd files. It could generate erroneous files, but is unlikely to be risky unless it's configured to be setuid on a UNIX system, in which case a local user could elevate their privileges. That's specifically advised against in a comment at the top of the source file.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Fri, 29 Oct 2004 21:25:00 GMT

Someone should forbid standard C text-parsing functions. Time has demonstrated that people fall on them again and again - no matter if it's open or comercial code. C is not a bad language ("too simple" yes, "bad" no) but it seems it's _hard_ to find good C programmers (well, it's difficult to find good programmers no matter what language, that's why someone should write functions that encourage "good code", not like strcpy which only encourages bad code)

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

SRD — Fri, 29 Oct 2004 21:52:00 GMT

I presume the first strncpy is used because record is defined to be of size MAX_STRING_LEN. If that is the case then
strcat(record, ":") can also be a buffer overflow (if the string length of "user" is MAX_STRING_LEN or more). Of course, if record was defined as MAX_STRING_LEN + 1 you would be fine. But I share your hatred of these function. I personally prefer using STL and using the append method myself.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Saurabh Jain — Sat, 30 Oct 2004 09:05:00 GMT

Well, that's why VS 2005 CRT has secure versions of these functions. Checkout strncat_s at http://msdn2.microsoft.com/library/w6w3kbaf.aspx.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Smeg — Sat, 30 Oct 2004 17:26:00 GMT

Maybe its not the developer that was wrong, maybe it was his documents explaining it badly? If you want a serious buggy spec, read WAP. I bet I can crash ANY wap gateway within SECONDS ANYTIME ANYPLACE. IF you want proof, set up me a WAP GATEWAY and watch me crash it within microseconds. Want to know how? Hehehe. EVERY WAP GATEWAY IS VULNERABLE, why? BECAUSE THE SPECS ARE SO BADLY DESIGNED and WRITTEN.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Smeg — Sat, 30 Oct 2004 17:25:00 GMT

I can back up what I say. Not only gateways, devices too.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Smeg — Sat, 30 Oct 2004 17:27:00 GMT

Bad documentation means bad implementation. WAP is a prime example of this (not to mention old MSDN docs :D)

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

厚重之刀 — Mon, 01 Nov 2004 08:46:00 GMT

It's very hard to void some bugs.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Jack Mayhoff — Mon, 01 Nov 2004 10:28:00 GMT

2 words, Static analysis

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

anonymous — Mon, 01 Nov 2004 15:03:00 GMT

you loath it or you loathe it? :-)

Nice article.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Michael Howard — Mon, 01 Nov 2004 16:55:00 GMT

That's too funny, I have to be totally honest, i *DID NOT KNOW* there were two variants. And to be accurate, I LOATHE them :)

You learn something everyday ;)

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Michael Howard — Mon, 01 Nov 2004 16:56:00 GMT

>>2 words, Static analysis
One word, Education.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Jack Mayhoff — Mon, 01 Nov 2004 19:43:00 GMT

Ahh because yanky doodle education is the best in the world, who would have thunk it, how much did yours cost?

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Michael Howard — Mon, 01 Nov 2004 19:53:00 GMT

Right now, few schools teaching secure design and coding, so the slack must be picked up by industry. Simple as that, really.

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Michael Howard — Mon, 01 Nov 2004 20:02:00 GMT

>>2 words, Static analysis
One word, Education.

Education shouldnt be capitalised after a comma. So much for education on you.

Industry needs to do more

James — Wed, 03 Nov 2004 06:08:00 GMT

> Right now, few schools teaching secure design and coding, so the slack must be picked up by industry.

Simple, sure, but experience has shown the industry is NOT doing a good enough job. The same types of bugs/exploits/problems show up over, and over, and over...

re: Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!

Essive — Wed, 24 Nov 2004 15:58:00 GMT

The art of programming has definitely declined in the last 10 years. Sloppy coding practices are now the norm - due to too many self-proclaimed programmers from the .com era and vastly inexperienced offshore developers.

When we lived in the C/C++ era the experience, tools and practices were reaching a very mature level by the early to mid-90s.

Windows Vista Security – A Bigger Picture

Michael Howard's Web Log — Mon, 12 Jun 2006 17:44:14 GMT

A couple of people have asked about the relationship between /GS, SAL and ASLR in Windows Vista. Here’s...

Defense In Depth: The Bigger Picture of Windows Vista Security

Robert McLaws: FunWithCoding.NET - Windows Vista Edition — Thu, 15 Jun 2006 21:38:55 GMT

Microsoft Security Expert Michael Howard provides a very technical explanation of the security strategies...

Michael Howard s Web Log Buffer Overflow in Apache 1 3 xx fixed on | Paid Surveys

Fri, 29 May 2009 22:48:05 GMT

PingBack from http://paidsurveyshub.info/story.php?title=michael-howard-s-web-log-buffer-overflow-in-apache-1-3-xx-fixed-on