HackDig : Dig high-quality web security articles for hackers

«No Previous
No Next

Hacking with the Oldies!, (Thu, Oct 30th)

2014-10-30 10:40

Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash. This past week weve had a bunch more, less public but still neat bugs.

First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) - http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.

Who knew? Coders who wrote stuff in C back in the day didnt always write code that knew how much was too much of a good thing. Now that were all looking at problems with bounds checking on input data, expect to see at least a couple more of these!

Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: ssr;pma&79881=diyrots?lmth.yraid/ude.snas.csi

Read:2914 | Comments:0 | Tags:No Tag

“Hacking with the Oldies!, (Thu, Oct 30th)”0 Comments

Submit A Comment



Blog :

Verification Code: