[1.1] ... age,
Many of which, I believe, would have been religious preachers if they had any humility in them.

[1.2] ... spots.
People have started to investigate whether some of these tasks can be automated. It turns out that some of these tools are quite successful at finding certain classes of security bugs. But no one will guarantee you that they find all the bugs, so you still need to double-check the code yourself.

[2.1] ... corruption.
With everyone having a different idea what a real programming language is, of course.

[2.2] ...sprintf.
Note that snprintf is not fully portable. See chapter [*] for details.

[2.3] ... complicated.
And in the world of buffer overflows, you never get a recount.

[2.4] ... strings,
There's a string class library by Dan Bernstein available from http://cr.yp.to. Dan (or djb for short) is known for writing very secure code, and infamous for his copying licenses.

[2.5] ... pointer.
Using the -fomit-frame-pointer command line option.

[2.6] ... pointer.
Note that in the case of snprintf, this is not the number of characters actually stored in the buffer, but the number of characters that would have been stored if the buffer were arbitrarily large.

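The return value semantics described in this footnote are behind a common mistake: treating snprintf's return value as the number of bytes stored and using it as the offset for the next write. The following is an added example, not code from the tutorial, of an appender that checks the value against the remaining room before advancing; append_fmt and build_login are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Append formatted text to buf (total size `size`) at offset *pos.
 * vsnprintf returns the number of characters that WOULD have been
 * written, not the number stored, so that value must be compared
 * with the remaining room before it is used as the next offset.
 * Returns 0 on success, -1 if the output was truncated.
 */
static int append_fmt(char *buf, size_t size, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= size)           /* no room left at all */
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, size - *pos, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;              /* encoding error */
    if ((size_t)n >= size - *pos) {
        /* Truncated: clamp the offset to the terminating NUL so a later
         * call cannot compute buf + *pos beyond the end of the buffer. */
        *pos = size - 1;
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Build "user@host" into out; returns 1 if it fit, 0 if it was truncated. */
int build_login(const char *user, const char *host, char *out, size_t outsz)
{
    size_t pos = 0;
    int ok = 1;

    ok &= (append_fmt(out, outsz, &pos, "%s", user) == 0);
    ok &= (append_fmt(out, outsz, &pos, "@%s", host) == 0);
    return ok;                  /* out is NUL-terminated in either case */
}
```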
[2.7] ... here.
And compilers such as gcc warn about problems like this, which is very helpful.

[2.8] ... format
ELF is the binary format used by several Unixoid operating systems on Intel processors.

[2.9] ... harmless.
You can find such a script at TODO.

[3.1] ... file,
Nowadays, most systems store encrypted user passwords in a separate file named /etc/shadow, which isn't even readable by ordinary mortals.

[3.2] ... mind.
With the exception of sperl, which is basically a setuid root copy of the perl interpreter that emulates the s bit mechanism.

[3.3] ... trustworthy.
As we will see throughout this chapter, that leaves very little that can be trusted.

[3.4] ... passwords.
Once you have this information, you can run password guessing programs on the encrypted passwords, such as John the Ripper or Crack.

[3.5] ... 0).
setresuid is highly non-portable. It's supported on some traditional System V Unixes such as HP-UX, and on Linux.

[3.6] ... resolver
This is a set of functions that can be used by the application to map host names to network addresses and vice versa.

[3.7] ... messages.
ICMP is a low-level Internet protocol used for transmitting error information etc.

[3.8] ... database.
That's one mode of operation. If your system has no shadow passwords, it will modify the passwd database instead. Or if your account is defined in a NIS map, it will talk to your NIS server to have it changed. Or...well, you get the idea.

[3.9] ...system.
Note that on some older (early 90s) Unix systems you could still defeat this protection by setting the IFS environment variable to /. Since IFS contains the list of field separator characters, the shell would parse /usr/bin/safe_ed as an invocation of a program called usr, passing it bin and safe_ed as arguments. Current shells such as bash are no longer affected by this.

[3.10] ... value.
There is a thing called shared memory on many Unix systems, but for sanity's sake, let's pretend it's not there.

[3.11] ... SLIP.
SLIP, or Serial Line IP, is a protocol for sending network traffic over a serial line, much like PPP but a lot simpler. Nobody uses it much anymore.

[3.12] ...sendmail,
If you've been involved with Unix security for a while, you've probably been waiting for this...

[3.13] ... privilege.
Recent versions of bash do not interpret this variable if they detect that they are running with an effective uid that differs from the real uid.

[3.14] ... message.
In this case, one also has to invoke sendmail with the -t option that tells it to obtain the list of recipients from the mail message.

[4.1] ... Mallet.
In books about cryptography, the good people are always called Alice, and the bad ones are called Mallet. Makes you wonder whether all crypto people are in love with the same girl...

[4.2] ... on.
Different Unices have slightly different algorithms. Some represent the PID as a string of characters in the A-Z range. But the bottom line is usually the same: the names generated are predictable.

[4.3] ... this,
Which it isn't.

[4.4] ... directories.
For those not familiar with them, Unix domain sockets are a bastard between named pipes and network sockets, and have many nice properties that can be useful in a security context. We'll come back to them in chapter [*].

[5.1] ... Perl.
CGI stands for Common Gateway Interface and is a convention for invoking external commands from an HTTP web server.

[5.2] ... model,
There was also a stack of OSI network protocols, created by the CCITT in an attempt to standardize networking. As things go with stuff designed by national telecoms, it was huge and clunky and moribund almost from the day of its inception, and was quickly superseded by TCP/IP.

[6.1] ... by,
This mode of operation of a network card is usually referred to as "promiscuous mode."

[6.2] ... sniffers.
One-time passwords are exactly what their name indicates. When authenticating over the network, the user sends an authentication token that is valid exactly once. This means a sniffer can record the password, but it won't be of much use because it is no longer valid. If you're interested in one-time passwords, refer to XXX: add references.

[6.3] ... trusted.
Today, most NFS server implementations will also make sure that the NFS request originated from a host that is actually allowed to use that particular part of the file system, as specified in /etc/exports. This hasn't always been the case.

[6.4] ... mechanisms.
Until January 2000, US law prevented OS vendors from shipping crypto software outside the US, and unfortunately, any decent network authentication scheme requires some sort of crypto.

[6.5] ... periodically.
This abominable technique used to be employed by Novell Netware and Microsoft Windows.

[6.6] ... administrator,
On Linux, this is defined in the file /etc/nsswitch.conf.

[6.7] ... them.
In fact, LDAP lookups can be configured with a fairly high degree of security by running it over SSL connections.

[6.8] ... trusted.
More often than not, this sort of mismatch is in fact due to administrator mistakes.

[7.1] ... capacity.
Yes, this is a drawback of coding in C and assembler. Other "real" programming languages do have string classes that do proper bounds checking. I still think Pascal is for quiche eaters, though :-)

[7.2] ... stand-still.
XXX: needref

[7.3] ... first).
Except for most Microsoft protocols that often use a little-endian byte order and call that "Intel Byte Order."

[7.4] ... time.
If you feel this sounds a lot like what DHCP does, you're not mistaken; DHCP is layered on top of the older BOOTP.

[7.5] ... clients
Remember the days when buying a hard disk was more expensive than having some poor admin spend hours to keep all those diskless machines working?

[7.6] ... host.
Detailed information can be found at http://razor.bindview.com/publish/advisories/adv_NTLMSSP.html.

[7.7] ... extension,
JSP stands for Java Server Pages.

[7.8] ... field.
This is a rather sketchy description, but allow me to ignore these finer points for the sake of clarity.

[8.1] ... sequence.
At least according to bugtraq lore; I have no proof for this claim.

[8.2] ... directory.
And just in case you think this bug is so old that all affected programs have been fixed by now, you're wrong. xpdf was caught doing this as late as September 2000.

[8.3] ... enabled,
The authors of lynx have made support for this URL scheme a compile time option, and it is off by default.

[8.4] ... it.
Microsoft didn't even know how to spell email at the time.

[8.5] ... space.
At least with tcsh, the variant shipped with most Linux platforms.

[8.6] ... 20,
The FTP protocol specification says it must.

[9.1] ... difference,
That's because finger will try to convert any hostname starting with a digit by passing it to the inet_aton function, which is quite liberal about the way you spell IP addresses. If you give it something that looks like a dotted IP address, but doesn't have enough octets, it just assumes the remaining octets are 0. Thus, it treats 0, 0.0, 0.0.0 and 0.0.0.0 equivalently. And on most Unixish operating systems, 0.0.0.0 is just another way of saying localhost.

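As an added example, not from the tutorial, the strict check below accepts only a full four-field dotted quad, so the abbreviated spellings that inet_aton quietly completes are rejected before the text is treated as an address; is_strict_dotted_quad and inet_aton_same_host are hypothetical names, and the second function relies on the BSD-style inet_aton found in glibc.

```c
#include <ctype.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Prototype repeated so the example also builds under strict -std= modes. */
int inet_aton(const char *cp, struct in_addr *inp);

/*
 * Return 1 if s is a full dotted quad: exactly four decimal fields,
 * each 0..255, no empty fields, no leading zeros, nothing else.
 * inet_aton() accepts far more (fewer fields, hex and octal values),
 * so a program that wants "the address the user really typed" has to
 * validate the text itself before handing it to the resolver.
 */
int is_strict_dotted_quad(const char *s)
{
    int fields = 0;

    for (;;) {
        const char *start = s;
        long v;

        if (!isdigit((unsigned char)*s))
            return 0;                   /* empty field or non-digit */
        if (*s == '0' && isdigit((unsigned char)s[1]))
            return 0;                   /* leading zero: "010" reads as octal elsewhere */
        v = strtol(s, (char **)&s, 10);
        if (v > 255 || s - start > 3)
            return 0;
        fields++;
        if (*s == '\0')
            break;
        if (*s != '.' || fields == 4)
            return 0;                   /* junk after a field, or a fifth field */
        s++;
    }
    return fields == 4;
}

/* 1 if inet_aton() parses both spellings to the same 32-bit address. */
int inet_aton_same_host(const char *a, const char *b)
{
    struct in_addr ia, ib;

    if (!inet_aton(a, &ia) || !inet_aton(b, &ib))
        return 0;
    return ia.s_addr == ib.s_addr;
}
```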
[9.2] ... list.
The reason why it has to do it itself is that normally, glob expansion is performed by the shell. But you don't want a shell in your FTP area.

[9.3] ... comparison.
The syntax for file name globbing lets you specify alternatives between curly braces; for instance, foo{bar,baz} will expand to the two names foobar and foobaz. Just a pair of empty braces will expand to nothing.

[9.4] ... first.
Many security professionals recommend using a separate disk for system logs, and making it BIG. That's sound advice, but again, relying on this means putting the security burden on the sysadmin's shoulders.

[9.5] ... handle.
As an interesting side note, tools used in these attacks, such as trinoo and stacheldraht, seem to be written by sophisticated programmers. So much for the script kiddie myth.

[9.6] ... them.
Note the word usually: as with every rule, there are exceptions, for example if all processes access a common data area via shared memory or memory mapped files. A bug in one process corrupting this common data area of course affects all processes.

[9.7] ... problem.
The RPC code is a lot more complex, but the problem is the same.

[11.1] ... you.
The author admits to having omitted return value checks in several of the examples in this tutorial. This was done consciously in order to make the crucial points clearer, not out of sloppiness.

[11.2] ... one,
Even if the permissions on the binary are 555, the attacker can always change them to 755 and overwrite it then.

[11.3] ... privileged.
On many systems, only root is permitted to view /etc/shadow; on some there's a special group called shadow which is also allowed.

[11.4] ... passwords.
Of course, any other command line utility that accepts passwords, such as su, can be abused as a brute force password checker as well. But it's a lot slower than a plain password checker.

[11.5] ... library.
Not all distributions install this, however.

[11.6] ... files.
Since most people never read documentation anyway, it's probably not that much of a problem...

[11.7] ... client.
Alternatively, it could make the control buffer just large enough to hold the credentials, because they're currently being passed as the first cmsg. That's not guaranteed, and not portable, though.

[11.8] ...jail.
Recent BSD versions support a jail feature which is something like chroot on steroids.

[11.9] ... area.
Unfortunately, this doesn't work quite right because many FTP servers such as wu-ftpd secretly keep a root uid around, and root is always able to break out of a chroot jail, as is described subsequently.

[11.10] ... work.
What's more, they are outright dangerous because they would pick up their account information from files in the chroot area, which cannot be trusted.

[11.11] ... privilege.
Dropping root privilege without clearing all capability sets did not work until late in the 2.3 development. Hence don't expect this code to work with older kernels.
