Subject: Re: exploit with memcpy()
To: TAMURA Kent <>
From: Wolfgang Solfrank <>
List: tech-security
Date: 07/02/2002 16:20:50

> The code executes /bin/sh and this is a method used in Apache
> exploit.  It doesn't mean memcpy() is vulnerable.  However, we
> can protect from this kind of exploit by adding checks to
> memcpy/memmove/bcopy like the following.  May I commit it?

I strongly object this!

While I haven't looked closely at what the program does,
_anything_ that it does can just as easily be done without
the help of memcpy.  So the "fix" doesn't cover any exploit.

In addition to that, it isn't the business of random libc functions
to write messages anywhere.  E.g., what about programs having closed
stderr and opening something else, resulting in fd2 to point to some
carefully constructed data stream that gets disturbed by your error
message?  Library functions should only write to files if they are
documented to do so.

ws@TooLs.DE     Wolfgang Solfrank, TooLs GmbH 	+49-228-985800