Subject: Re: exploit with memcpy()
To: None <firstname.lastname@example.org>
From: Christos Zoulas <email@example.com>
Date: 07/02/2002 15:24:47
In article <3D21B6C2.B8D35ECB@TooLs.DE>, Wolfgang Solfrank <firstname.lastname@example.org> wrote:
>> The code executes /bin/sh and this is a method used in Apache
>> exploit. It doesn't mean memcpy() is vulnerable. However, we
>> can protect from this kind of exploit by adding checks to
>> memcpy/memmove/bcopy like the following. May I commit it?
>I strongly object to this!
>While I haven't looked closely at what the program does,
>_anything_ that it does can just as easily be done without
>the help of memcpy. So the "fix" doesn't cover any exploit.
>In addition to that, it isn't the business of random libc functions
>to write messages anywhere. E.g., what about programs having closed
>stderr and opening something else, so that fd 2 points to some
>carefully constructed data stream that gets disturbed by your error
>message? Library functions should only write to files if they are
>documented to do so.
And we should strive to eliminate functions in libc that write errors
and warnings to stderr...
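
Wolfgang's fd 2 scenario, worked through as an added C example that is not part of this thread and not NetBSD libc code: a program closes stderr, its next open() lands on descriptor 2, and a library routine that "helpfully" writes a warning to STDERR_FILENO puts that warning into the program's data file. chatty_memcpy, quiet_memcpy, LIBC_MSG and the 16-byte "suspicious length" threshold are assumptions made for the illustration; the payload and the temp file are constructed here.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Diagnostic a "chatty" libc routine might emit. Hypothetical. */
#define LIBC_MSG "libc: suspicious copy length\n"

/* Hypothetical stand-in for a memcpy() with an added sanity check that
 * prints to stderr, in the spirit of the proposal quoted above. */
static void *chatty_memcpy(void *dst, const void *src, size_t n)
{
    if (n > 16)                      /* arbitrary threshold, assumed */
        (void)write(STDERR_FILENO, LIBC_MSG, sizeof LIBC_MSG - 1);
    return memcpy(dst, src, n);
}

/* The well-behaved alternative: same check, but it reports through the
 * return value and never touches a file descriptor. Also hypothetical. */
static int quiet_memcpy(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return n > 16 ? -1 : 0;          /* caller decides what to do */
}

/*
 * Close stderr, let the next open() land on fd 2, copy a 20-byte payload
 * with the chosen routine and write it to that file. Returns how many bytes
 * the file holds beyond the payload: 0 means the stream is intact, anything
 * else is a library message the program never asked for. Negative values
 * are setup errors. The real stderr is saved and restored around the demo.
 */
int demo_stderr_reuse(int chatty)
{
    const char payload[] = "0123456789abcdef0123";   /* constructed, 20 bytes */
    const size_t len = sizeof payload - 1;
    char path[] = "/tmp/fd2demo.XXXXXX";
    char buf[64], back[256];
    int fd, saved, out, in;
    ssize_t got;

    if ((fd = mkstemp(path)) < 0)
        return -1;
    close(fd);

    saved = dup(STDERR_FILENO);      /* keep a copy so we can restore it */
    close(STDERR_FILENO);
    out = open(path, O_WRONLY | O_TRUNC);
    /* With fds 0 and 1 open, open() returns 2 by itself; pin it there in
     * case the surrounding process happened to close stdin as well. */
    if (out >= 0 && out != STDERR_FILENO) {
        dup2(out, STDERR_FILENO);
        close(out);
        out = STDERR_FILENO;
    }
    if (out < 0) {
        dup2(saved, STDERR_FILENO);
        close(saved);
        unlink(path);
        return -2;
    }

    if (chatty)
        chatty_memcpy(buf, payload, len);
    else
        (void)quiet_memcpy(buf, payload, len);
    (void)write(out, buf, len);      /* the program's own data */

    close(out);                      /* fd 2 is free again */
    dup2(saved, STDERR_FILENO);      /* restore the real stderr */
    close(saved);

    in = open(path, O_RDONLY);
    got = in < 0 ? -1 : read(in, back, sizeof back);
    if (in >= 0)
        close(in);
    unlink(path);
    if (got < (ssize_t)len)
        return -3;
    return (int)(got - (ssize_t)len);
}
```

With the chatty routine the file comes back prefixed by the warning text (sizeof LIBC_MSG - 1 extra bytes), even though the program wrote only its 20-byte payload; with the quiet routine the file contains exactly the payload. Nothing in the library can tell that descriptor 2 is no longer a terminal, which is why a libc function should only write to files its documentation says it writes to.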