次の方法で共有


Procura-se: Processo de Desenvolvimento Seguro

Via blog da Matasano:

IBM AIX ftp gets() Multiple Buffer Overflow Vulnerabilities
iDefense Security Advisory 07.26.07
https://labs.idefense.com/intelligence/vulnerabilities/
Jul 26, 2007

I. BACKGROUND
The ftp program is a client application for accessing data stored on FTP
servers. This client is responsible for interfacing with users and
speaking the FTP protocol with remote servers.

Under AIX, the ftp
program is installed by default and is setuid root
. More information
can be found at the following URL.

...

These vulnerabilities exist due to several calls to the gets() function.
The gets() function is a deprecated C library function used to read data
from standard input into a buffer
. This function provides no way to
specify the maximum size of the buffer being read into, and therefore
allows the buffer to be overflowed.

...

The ftp program is setuid root, and executable by any user with local
access. At least one of these vulnerabilities results in a trivially
exploitable stack-based buffer overflow
.

[https://www.securityfocus.com/archive/1/474752/30/0/threaded]

 

Em resumo: software instalado por default, com setuid root, usando gets(), e compilado sem proteção de stack. Claro que não se trata de falta de expertise em segurança da IBM, que tem um dos melhores times de pesquisadores do mercado. Mas isso não adianta se você não possui um processo repetível, gerenciado e mensurado de segurança no seu desenvolvimento. Não se faz segurança com processos ad hoc.

Comments