Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Hacking with the Oldies! - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hacking with the Oldies!

Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash.  This past week we've had a bunch more, less public but still neat bugs.

First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) -  http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system.  The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.

Who knew?  Coders who wrote stuff in C back in the day didn't always write code that knew how much was too much of a good thing.  Now that we're all looking at problems with bounds checking on input data, expect to see at least a couple more of these!

===============
Rob VandenBrink
Metafore

Rob VandenBrink

458 Posts
ISC Handler
As a former C coder I believe we will see not a couple, but more like a couple of thousand bugs in the oldies...
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!