[Esa-l] html-trap.procmail 1.113 a bit too hair triggered...
Phil Pennock
pdp at nl.demon.net
Fri Jul 28 04:41:30 PDT 2000
On 2000-07-27 at 12:06 -0500, Brian Hanna wrote:
> Now causing the buffer overflow would most likely take a lot
> more characters. This was just the easter egg. But someone could
> target your 121 byte word limit by just throwing in a few spaces
> once in a while, no?
I've seen exploits on BugTraq which just required _one_ character more
than the buffer-length allowed for.
And this is email - if you want to actually use more code, you 'just'
need to include it in the message body and cause a jump to there. My
assembler isn't up to that, but jumping to exploit code on the heap,
obtained without any buffer-length restrictions _there_, has been
documented for at least one vulnerability on BugTraq. Documented in a
"here's how you do it generally" way.
Anything which tries to protect broken software can only make a best
effort attempt. You're not going to catch all the possible exploits,
and if you treat the sanitizer as more than a useful tool to _limit_ the
danger, then you're deceiving yourself.
*shrugs* Sorry, that's the way the world is.
--
Phil Pennock <pdp at nl.demon.net> <Phil.Pennock at thus.net>
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
Sales: +31 20 422 20 00 Support: 0800 33 6666 8
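Added example, not part of this thread and not the code of html-trap.procmail: a small C model of the point being argued above, a per-word length filter placed in front of a consumer that copies whole lines into a fixed buffer. The 121-byte word cap is the figure from the thread; the 128-byte line buffer, the 4-byte slot standing in for whatever sits past it, and the constructed "AAA AAA ..." input are assumptions for illustration only. A single 122-byte word is caught, but a line of three-letter words totalling 128 bytes passes the filter and overwrites exactly one byte past the buffer (the terminating NUL), and a slightly longer one puts attacker-chosen bytes there. The hardened copy at the end is the check the consumer should have had.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF   128              /* assumed size of the consumer's line buffer   */
#define FRAME_SIZE (LINE_BUF + 4)   /* plus a 4-byte slot for whatever sits past it */
#define WORD_LIMIT 121              /* per-word cap, the figure from the thread      */
#define SENTINEL   0xCC             /* marks the slot past the buffer as untouched   */
#define MAX_LINE   512              /* scratch space for constructed input           */

/* Filter stage: accept the text only if no whitespace-separated word exceeds
 * WORD_LIMIT bytes.  It knows nothing about the consumer's buffer sizes. */
int sanitizer_accepts(const char *msg)
{
    size_t run = 0;
    for (const char *p = msg; ; p++) {
        if (*p == ' ' || *p == '\n' || *p == '\0') {
            if (run > WORD_LIMIT)
                return 0;
            run = 0;
            if (*p == '\0')
                break;
        } else {
            run++;
        }
    }
    return 1;
}

/* Vulnerable consumer: strcpy-style copy of a whole line into frame[0..LINE_BUF).
 * Returns how many bytes landed past the end of the line buffer (0 = none).
 * Writes are clamped to the simulated frame so the demo stays well-defined C;
 * a real stack frame would not stop there. */
size_t vulnerable_copy_line(unsigned char *frame, const char *line)
{
    size_t n = strlen(line) + 1;            /* the terminating NUL is copied too */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(frame, line, n);
    return n > LINE_BUF ? n - LINE_BUF : 0;
}

/* Hardened consumer: refuse anything that does not fit, NUL included. */
int safe_copy_line(unsigned char *frame, const char *line)
{
    size_t len = strlen(line);
    if (len >= LINE_BUF)
        return -1;
    memcpy(frame, line, len + 1);
    return 0;
}

/* Constructed input: `total` bytes of 'A' with a space after every
 * `word_len` letters, e.g. make_line(buf, 11, 3) gives "AAA AAA AAA". */
void make_line(char *out, size_t total, size_t word_len)
{
    for (size_t i = 0; i < total; i++)
        out[i] = ((i + 1) % (word_len + 1) == 0) ? ' ' : 'A';
    out[total] = '\0';
}

/* Build the constructed line and a sentinel-filled frame; -1 if the case is invalid. */
static int prepare(char *line, unsigned char *frame, size_t total, size_t word_len)
{
    if (total + 1 > MAX_LINE || word_len == 0)
        return -1;
    make_line(line, total, word_len);
    memset(frame, SENTINEL, FRAME_SIZE);
    return 0;
}

/* Run one constructed line through both stages.  Returns 0 if the filter
 * rejects it, 1 if it is accepted and fits, 2 if the filter accepts it
 * and the consumer still overflows. */
int classify_line(size_t total, size_t word_len)
{
    char line[MAX_LINE]; unsigned char frame[FRAME_SIZE];
    if (prepare(line, frame, total, word_len) < 0) return -1;
    if (!sanitizer_accepts(line)) return 0;
    return vulnerable_copy_line(frame, line) > 0 ? 2 : 1;
}

/* The first byte past the line buffer after the vulnerable copy
 * (SENTINEL means it was never touched). */
unsigned char byte_past_buffer(size_t total, size_t word_len)
{
    char line[MAX_LINE]; unsigned char frame[FRAME_SIZE];
    if (prepare(line, frame, total, word_len) < 0) return SENTINEL;
    vulnerable_copy_line(frame, line);
    return frame[LINE_BUF];
}

/* Same input through the hardened consumer: 0 = copied, -1 = rejected. */
int safe_copy_result(size_t total, size_t word_len)
{
    char line[MAX_LINE]; unsigned char frame[FRAME_SIZE];
    if (prepare(line, frame, total, word_len) < 0) return -1;
    return safe_copy_line(frame, line);
}

int main(void)
{
    struct { size_t total, word_len; } cases[] = {
        { 100, 3 }, { 122, 122 }, { 128, 3 }, { 131, 3 }, { 150, 3 }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t t = cases[i].total, w = cases[i].word_len;
        printf("%3zu bytes, words of %3zu: code=%d byte past buffer=0x%02X safe copy=%d\n",
               t, w, classify_line(t, w), byte_past_buffer(t, w), safe_copy_result(t, w));
    }
    return 0;
}
```

The filter rejects the 122-byte word and nothing else; every spaced line of 128 bytes or more passes it and still overflows the consumer, which is the scenario the reply is conceding. Only the consumer can know its own buffer size, so the length check belongs there, not in the filter.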