[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07
Steven M. Christey
coley at linus.mitre.org
Tue Jun 26 17:23:51 EDT 2007
On Tue, 26 Jun 2007, Kenneth Van Wyk wrote:
> Mind you, the overrun can only be exploited when specific characters
> are used as input to the loop in the code. Thus, I'm inclined to
> think that this is an interesting example of a bug that would have
> been extraordinarily difficult to find using black box testing, even
> fuzzing.
I would assume that "smart" fuzzing could have lots of manipulations of
the HH:mm:ss.f format (the intended format mentioned in the advisory), so
this might be findable using black box testing, although I don't know how
many fuzzers actually know how to muck with time strings. Because the
programmer told flawfinder to ignore the strncpy() that it had flagged, it
also shows a limitation of manual testing.
In CVE anyway, I've seen a number of overflows involving strncpy, and
they're not all off-by-one errors. They're hard to enumerate because we
don't usually track which function was used, but here are some:
CVE-2007-2489 - negative length
CVE-2006-4431 - empty input causes crash involving strncpy
CVE-2006-0720 - "incorrect" strncpy call
CVE-2004-0500 - another bad strncpy
CVE-2003-0465 - interesting API interaction
- Steve
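Added example (not part of Steve's post or the iDefense advisory): a small C program illustrating the strncpy() hazards the message lists, written from a defensive angle. It shows the missing-terminator case (a strncpy call that truncates and leaves no NUL), a bounded copy that always terminates and reports truncation, and a field-length check that rejects a negative computed length before it is converted to size_t. The helper names, the 8-byte buffer, and the "12:34:56.7" time string are constructed for illustration and do not come from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical helper: copies src into a fixed-size buffer the way strncpy is
 * commonly misused, then reports whether the result is NUL-terminated.  When
 * strlen(src) >= dstsz, strncpy writes no terminator, so any later strlen() or
 * printf("%s") on dst reads past the buffer. */
bool naive_strncpy_is_terminated(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);            /* the kind of call a tool like flawfinder flags */
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Hardened form: reserve one byte for the terminator and write it explicitly.
 * Returns 0 on a full copy, 1 if the input was truncated, -1 on bad arguments. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t srclen = strlen(src);
    size_t n = srclen < dstsz ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen >= dstsz ? 1 : 0;
}

/* Lengths computed while parsing (e.g. end - start of one field of an
 * HH:mm:ss.f string) are signed.  A negative value passed to strncpy is
 * converted to a huge size_t, so the copy runs far past the buffer.
 * Validate the length and reject it instead of copying. */
int copy_field(char *dst, size_t dstsz, const char *start, const char *end) {
    if (dst == NULL || start == NULL || end == NULL || dstsz == 0)
        return -1;
    ptrdiff_t len = end - start;         /* negative if the parser mis-ordered the pointers */
    if (len < 0 || (size_t)len >= dstsz)
        return -1;                       /* refuse rather than truncate or overrun */
    memcpy(dst, start, (size_t)len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char buf[8];                         /* constructed: deliberately smaller than the input */
    const char *ts = "12:34:56.7";       /* constructed HH:mm:ss.f sample */

    printf("naive strncpy terminated? %s\n",
           naive_strncpy_is_terminated(buf, sizeof buf, ts) ? "yes" : "no");

    int rc = bounded_copy(buf, sizeof buf, ts);
    printf("bounded_copy rc=%d result=\"%s\"\n", rc, buf);

    /* hours field: first two characters */
    rc = copy_field(buf, sizeof buf, ts, ts + 2);
    printf("copy_field rc=%d hours=\"%s\"\n", rc, buf);

    /* swapped pointers yield a negative length and are rejected */
    rc = copy_field(buf, sizeof buf, ts + 2, ts);
    printf("copy_field with negative length rc=%d\n", rc);
    return 0;
}
```

The check in copy_field is the one that matters for parsers: the bug class is not strncpy itself but a length argument the caller never validated, which is why a static tool's warning on the call site is easy to dismiss and why a fuzzer needs inputs shaped like the expected format to reach it.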