From: Roy Grimm
Subject: Re: An interesting quote on Java and C++
Date: 1997/09/11
Message-ID: <3417ECEF.41C6@collins.rockwell.com>
References: <5ujjvq$t4s@drn.zippo.com> <01bcb881$915526a0$d7000064@sim01.amst.co.at> <34157a82.81185415@news.mindspring.com> <3416C84A.5BD0@gsfc.nasa.gov>
Organization: Rockwell Collins, Inc.
Newsgroups: comp.lang.ada

Stephen Leake wrote:
>
> Range constraints provide significant security benefits, at least in
> systems without separate address spaces. If you can write "past" the
> end of an array, you can write to arbitrary memory, including system
> memory. I believe there are several Windows/DOS viruses that use this
> trick, but I'm not really sure.

A particularly famous example of missing range checking causing a major
security hole was that virus that took down hundreds of computers on the
internet several years ago. The guy who built the virus used three known
security holes to get his virus around. The one I can remember the best
had to do with sending specially formatted "finger" request packets.

The finger daemon on Unix systems has a buffer to hold the incoming finger
request data. On some particular flavor of Unix, if one decided to send a
specially formatted finger request packet (around 530 bytes if memory
serves), they would overrun the end of the buffer. Now, overrunning the
end of a buffer in many programs is not too critical, if you consider a
crash not too critical. However, on particular versions of Unix, the
finger daemon put executable code right after that buffer.

When you overrun the end of that buffer, you overwrite its code. When the
program gets to that code that you have overwritten, it will do whatever
you put there. Since the finger daemon runs with the system
administrator's user ID on those systems, the code you put in has global
access to everything. That's a major security hole in anyone's book.

I believe the person who wrote the virus put in code which transferred
the main virus program from another site and then ran it, respawning the
finger daemon in the process so people wouldn't notice as easily.

Had there been range checking of the incoming request data along the
line, the hole would not be there.

> - Stephe

-- 
Roy A. Grimm
Rockwell Collins Avionics, Cedar Rapids, Iowa
Voicing my own opinion, not speaking as a company representative.
All unsolicited email is quietly forwarded to /dev/null.
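The memory layout the post describes (a fixed-size request buffer with the daemon's code sitting directly after it) and the effect of adding the range check it says was missing can be shown in a few lines of C. This is an added illustration, not code from the post, from fingerd, or from the thread's participants. It assumes a 512-byte request buffer, stands in for the daemon's "code" with a recognisable byte pattern, and builds a 530-byte request (the figure the post recalls) whose tail is the bytes an attacker would want executed. To keep the demonstration deterministic, buffer and code share one C object, so the overrun lands in the adjacent code region instead of in unspecified memory; a real daemon has no such safety net.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical layout modelled on the post: a fixed-size request buffer
 * immediately followed by the daemon's code. Both live in one struct so
 * that every write in this demo stays inside a real C object. */
#define REQUEST_BUF_SIZE 512
#define CODE_SIZE        64
#define CODE_PATTERN     0x90   /* stand-in byte for "daemon code" */

struct daemon_memory {
    unsigned char request[REQUEST_BUF_SIZE];
    unsigned char code[CODE_SIZE];
};

static void init_daemon(struct daemon_memory *m) {
    memset(m->request, 0, sizeof m->request);
    memset(m->code, CODE_PATTERN, sizeof m->code);
}

/* Count the code bytes that no longer hold the original code. */
static size_t code_bytes_clobbered(const struct daemon_memory *m) {
    size_t n = 0;
    for (size_t i = 0; i < CODE_SIZE; i++)
        if (m->code[i] != CODE_PATTERN) n++;
    return n;
}

/* Vulnerable version: copies the whole request with no length check,
 * the way an unbounded gets()-style read would. The copy targets the
 * struct's bytes as a whole, so anything past REQUEST_BUF_SIZE
 * overwrites the code region. */
static void read_request_unchecked(struct daemon_memory *m,
                                   const unsigned char *req, size_t len) {
    if (len > sizeof *m) len = sizeof *m;   /* demo-only: stay inside the arena */
    memcpy(m, req, len);
}

/* Hardened version: the range check Ada would perform automatically.
 * Returns 0 when the request fits, -1 when it is rejected (the analogue
 * of Constraint_Error); nothing outside the buffer is ever written. */
static int read_request_checked(struct daemon_memory *m,
                                const unsigned char *req, size_t len) {
    if (len > REQUEST_BUF_SIZE) return -1;
    memcpy(m->request, req, len);
    return 0;
}

/* Constructed request: 530 bytes, as the post recalls. The first 512
 * are filler; the remaining 18 are the bytes an attacker wants to land
 * where the daemon's code used to be. */
#define REQUEST_LEN 530
static void build_request(unsigned char *req) {
    memset(req, 'A', REQUEST_BUF_SIZE);
    memset(req + REQUEST_BUF_SIZE, 0xCC, REQUEST_LEN - REQUEST_BUF_SIZE);
}

/* Feed the request to the unchecked daemon; return how many code bytes
 * were overwritten (expected: REQUEST_LEN - REQUEST_BUF_SIZE = 18). */
static size_t demo_unchecked(void) {
    struct daemon_memory m;
    unsigned char req[REQUEST_LEN];
    init_daemon(&m);
    build_request(req);
    read_request_unchecked(&m, req, sizeof req);
    return code_bytes_clobbered(&m);
}

/* Feed the same request to the checked daemon; return its status and
 * report how many code bytes changed (expected: rejected, 0 changed). */
static int demo_checked(size_t *clobbered) {
    struct daemon_memory m;
    unsigned char req[REQUEST_LEN];
    init_daemon(&m);
    build_request(req);
    int rc = read_request_checked(&m, req, sizeof req);
    *clobbered = code_bytes_clobbered(&m);
    return rc;
}

int main(void) {
    size_t c;
    printf("unchecked read: %zu code bytes overwritten\n", demo_unchecked());
    int rc = demo_checked(&c);
    printf("checked read:   %s, %zu code bytes overwritten\n",
           rc == 0 ? "accepted" : "rejected", c);
    return 0;
}
```

The unchecked read lets the 18 trailing bytes replace the start of the code region, which is exactly the condition the post describes: the next time control reaches that code, it runs attacker-supplied bytes with the daemon's privileges. The checked read refuses the request before copying a single byte, which is the behaviour a language with mandatory range checks gives for free and a C programmer has to remember to write at every copy.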