[Esa-l] html-trap.procmail 1.113 a bit too hair triggered...

Brian Hanna bdhanna at cmrr.umn.edu
Thu Jul 27 10:06:30 PDT 2000


"Bjarni R. Einarsson" wrote:
> 
> I'd actually be very interested to hear how many characters
> people consider "safe" - how much uninterrupted crap is
> generally required to create a working exploit.  How much is
> needed to overflow a buffer probably varies quite a bit, and
> blindly using the Outlook numbers doesn't strike me as a good
> idea.
> 
> I also have the sneaky feeling that it doesn't always take that
> many bytes to write an exploit... anyone here who has seen the
> demos people could write in 4k on the PC will know where I'm
> coming from. :-)  The exploit demo'ed on Bugtraq did quite a few
> things, I suspect tighter code could have still left the system
> vulnerable well within 256 characters (assuming the buffer gods
> were willing).

I saw something very scary posted to a newsgroup/mailing list once. It
was less than 256 bytes and would (if placed at the proper location
to be executed by a process with privileges) start a shell as
root and set it listening to a port on your machine.

And then the fellow explained it, line by line. (shudder) There
was apparently a contest - who could do it in the least amount
of code...

Now causing the buffer overflow would most likely take a lot
more characters. This was just the easter egg. But someone could
target your 121 byte word limit by just throwing in a few spaces
once in a while, no?

Allowing infinite headers seems wrong, somehow, although I can't
explain it. Perhaps it is just the invitation to exploit a 
possible buffer overflow. Chop 'em off! That's what I'd do, and
to heck with those who send 800+ byte subject lines!

Just my 0.02 worth...

Brian

Brian Hanna
Unix Admin
Email Administrator
and part time virus stomper...
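As an added illustration, not part of Brian's post and not code from
html-trap.procmail, the following script shows the two checks the
thread argues about side by side: a "longest uninterrupted word"
test (the 121 byte word limit) and a hard cap on the total header
length ("chop 'em off"). The thresholds, the sample Subject lines and
the payload (a plain run of the letter A, not exploit bytes) are all
constructed assumptions for the demo. It also unfolds RFC 822
continuation lines first, because a header that is folded across
several physical lines looks short to a line-at-a-time check while
still being one long logical header.

```python
import re

# Demo thresholds: assumptions for this example, not html-trap.procmail's settings.
MAX_WORD_LEN = 121     # the "121 byte word limit" discussed in the thread
MAX_HEADER_LEN = 256   # an assumed hard cap on the header value, "chop 'em off"


def unfold(raw_header: str) -> str:
    """Join RFC 822 folded continuation lines (newline followed by whitespace)
    so the checks see the whole logical header, not one physical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_header)


def header_value(raw_header: str) -> str:
    """Return the value after 'Name:', or '' if the line has no colon."""
    _, sep, value = unfold(raw_header).partition(":")
    return value.strip() if sep else ""


def longest_word(value: str) -> int:
    """Longest run of non-whitespace characters: the 'uninterrupted crap' test."""
    return max((len(tok) for tok in value.split()), default=0)


def check(raw_header: str, word_limit: int = MAX_WORD_LEN,
          header_limit: int = MAX_HEADER_LEN) -> dict:
    """Apply both heuristics to one header and report what each one flags."""
    value = header_value(raw_header)
    lw = longest_word(value)
    return {
        "longest_word": lw,
        "total_len": len(value),
        "long_word": lw > word_limit,          # evadable by sprinkling spaces
        "long_header": len(value) > header_limit,  # not evadable that way
    }


def truncate(raw_header: str, header_limit: int = MAX_HEADER_LEN) -> str:
    """The 'chop 'em off' option: keep the header name, cut the value."""
    name, sep, value = unfold(raw_header).partition(":")
    if not sep:
        return raw_header
    return f"{name}: {value.strip()[:header_limit]}"


# Constructed samples. PAYLOAD is just 300 letter A's standing in for an
# oversized run; it is not an exploit and carries no special bytes.
PAYLOAD = "A" * 300
CHUNKS = [PAYLOAD[i:i + 100] for i in range(0, len(PAYLOAD), 100)]
SAMPLES = {
    "benign":   "Subject: Re: html-trap.procmail 1.113 a bit too hair triggered...",
    "unbroken": "Subject: " + PAYLOAD,                    # one 300-char word
    "spaced":   "Subject: " + " ".join(CHUNKS),           # a space every 100 chars
    "folded":   "Subject: " + "\r\n ".join(CHUNKS),       # folded onto 3 lines
}


def main() -> None:
    for label, hdr in SAMPLES.items():
        r = check(hdr)
        print(f"{label:9s} longest_word={r['longest_word']:3d} "
              f"total_len={r['total_len']:3d} long_word={r['long_word']!s:5s} "
              f"long_header={r['long_header']}")
    chopped = truncate(SAMPLES["unbroken"])
    print(f"after truncate: value length = {len(header_value(chopped))}")


if __name__ == "__main__":
    main()
```

Running it shows the point of the thread: the "spaced" and "folded"
samples slip under the 121 byte word test because no single run
exceeds 100 characters, yet both are still 302 bytes of header and
the length cap catches them; a long logical header that has merely
been folded would be missed without the unfold step.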



