Linked by Eugenia Loli on Thu 16th Sep 2004 20:35 UTC
QNX Adding to the QNX vulnerabilities reported a few days ago, more have been discovered and posted. These additional potential exploits were found by the same person who reported the first one.
SOT: How do they find these?
by UglyKidBill on Thu 16th Sep 2004 21:49 UTC

This question is slightly off topic, but I always wonder how people find this kind of security hole.

They surely know how to do it, but do they just sit down and start doing every trick they know and see what happens?

TIA

RE: SOT
by Anonymous on Fri 17th Sep 2004 04:14 UTC

It depends. If the source is available you can simply do an audit, grepping through for various unsafe stdlib function calls, look for places where malloc return values aren't checked, etc.

If it's a closed-source binary, well, you just have to pound on the software until you find places where it breaks (e.g., when it asks for input data, feed it insanely large malformed strings, cause allocations to randomly fail, screw around with its memory space, etc.).
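
Grepping for unsafe calls and unchecked allocations, as described above, is easy to script. The following is an added example, not code from this thread or from QNX: a heuristic Python scanner that flags the classic unbounded libc calls and any malloc/calloc/realloc/strdup assignment whose result is not NULL-tested within the next few lines. The C snippet it scans is constructed for illustration, and the function lists and the three-line lookahead window are assumptions a real audit would tune.

```python
"""Heuristic source audit: unsafe libc calls and unchecked allocations.

Added example, not code from the original thread or from QNX.  The C
snippet below is constructed for illustration; the function lists and the
three-line lookahead are conventional starting points, not a complete audit.
"""
import re
from typing import List, Tuple

# Unbounded libc calls an auditor greps for first.  snprintf/strncpy etc.
# are deliberately absent: the word boundary keeps them from matching.
UNSAFE_CALLS = {
    "gets": "no bound at all; always overflowable",
    "strcpy": "unbounded copy into the destination",
    "strcat": "unbounded append",
    "sprintf": "unbounded formatted write",
    "vsprintf": "unbounded formatted write",
    "scanf": "%s without a width reads unbounded input",
}
ALLOCATORS = ("malloc", "calloc", "realloc", "strdup")

CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")
# "var = malloc(" or "var = (type *)malloc("
ALLOC_RE = re.compile(
    r"\b(\w+)\s*=\s*(?:\([^)]*\)\s*)?(" + "|".join(ALLOCATORS) + r")\s*\("
)


def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments so commented-out code is not flagged.
    Block comments are replaced by their newlines to keep line numbers."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def audit(src: str, lookahead: int = 3) -> List[Tuple[int, str]]:
    """Return (line number, message) for each finding, in source order."""
    findings = []
    lines = strip_comments(src).splitlines()
    for lineno, line in enumerate(lines, start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, "unsafe call %s(): %s" % (name, UNSAFE_CALLS[name])))
        m = ALLOC_RE.search(line)
        if m:
            var, fn = m.group(1), m.group(2)
            # Look for a NULL test of the result in the next few lines.
            window = "\n".join(lines[lineno:lineno + lookahead])
            v = re.escape(var)
            checked = re.search(
                r"\b%s\s*[!=]=\s*NULL|!\s*%s\b|\bif\s*\(\s*%s\s*\)" % (v, v, v), window
            )
            if not checked:
                findings.append((lineno, "%s() result '%s' not NULL-checked within %d lines"
                                 % (fn, var, lookahead)))
    return findings


# Constructed sample: one sloppy function and its hardened twin.
SAMPLE = r"""
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* strcpy(dst, src);  commented out, must not be flagged */
int greet(const char *name)
{
    char buf[64];
    char *copy = malloc(strlen(name) + 1);
    strcpy(copy, name);          /* unchecked malloc + unbounded copy */
    sprintf(buf, "hello %s", name);
    return printf("%s\n", buf);
}

int greet_safe(const char *name)
{
    char buf[64];
    char *copy = malloc(strlen(name) + 1);
    if (copy == NULL)
        return -1;
    snprintf(buf, sizeof buf, "hello %s", name);
    strncpy(copy, name, strlen(name) + 1);
    free(copy);
    return printf("%s\n", buf);
}
"""

if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```

Run on the sample it reports the unchecked malloc, the strcpy and the sprintf in greet() and nothing in greet_safe(). It is a triage pass only: every hit still has to be read in context, and a clean report proves nothing about off-by-one arithmetic or integer overflows in the length calculations.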

RE: SOT
by Anonymous on Fri 17th Sep 2004 06:46 UTC

> It depends. If the source is available you can simply do an audit, grepping through for various unsafe stdlib function calls, look for places where malloc return values aren't checked, etc.

> If it's a closed-source binary, well, you just have to pound on the software until you find places where it breaks (e.g., when it asks for input data, feed it insanely large malformed strings, cause allocations to randomly fail, screw around with its memory space, etc.).

... sort of. There are also automated source-code auditing tools. Disassemblers appear to be used in finding closed-source binary holes [and don't forget debuggers and their ilk; it's trivial to monitor system calls, with or without source.] Your methods should work, but they seem likely to miss all but the most obvious holes.

Disclaimer: I'm not a security auditor.
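
The "pound on the binary" half of the first reply, feeding a program oversized and malformed input and watching how it dies, is what a first-pass black-box harness automates. This is an added example, not code from this thread or from QNX: it drives an arbitrary command with a fixed set of probe inputs on stdin and classifies each run by exit status, relying on the POSIX convention that subprocess reports a child killed by a signal as a negative return code. The only target shipped with it is a constructed stand-in script that aborts on inputs over 256 bytes; a real closed-source binary would be substituted for it.

```python
"""Black-box input hammering for a closed binary.

Added example, not code from the original thread or from QNX.  The only
target shipped here is a constructed stand-in script; substitute any
command line for it.
"""
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-in target: behaves like a program with a 256-byte fixed
# buffer that aborts (SIGABRT) when overrun.  Not a real QNX component.
FAKE_TARGET = r'''
import os, sys
data = sys.stdin.buffer.read()
if len(data) > 256:
    os.abort()
sys.stdout.write("ok %d\n" % len(data))
'''


def write_fake_target() -> str:
    """Write the stand-in target to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_TARGET)
    return path


def probe_inputs() -> List[Tuple[str, bytes]]:
    """First-pass inputs for anything that reads a string: edge cases first,
    then progressively larger blobs to find a fixed-size buffer."""
    return [
        ("empty", b""),
        ("normal", b"hello\n"),
        ("format", b"%s%n%x" * 8),        # format-string directives
        ("nul-bytes", b"ab\x00" * 50),    # embedded NULs
        ("long-8k", b"A" * 8192),
        ("long-64k", b"A" * 65536),
        ("huge-1m", b"A" * (1 << 20)),
    ]


def classify(rc: int) -> str:
    """subprocess reports a child killed by a signal as -signum on POSIX."""
    if rc < 0:
        return "signal %d" % -rc      # 11 = SIGSEGV, 6 = SIGABRT
    return "exit %d" % rc


def run_one(cmd: List[str], data: bytes, timeout: float = 10.0) -> str:
    try:
        p = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify(p.returncode)


def run_campaign(cmd: List[str]) -> Dict[str, str]:
    """Feed every probe input to cmd on stdin and record how each run ended."""
    return {name: run_one(cmd, data) for name, data in probe_inputs()}


def crashes(results: Dict[str, str]) -> List[str]:
    """Names of the inputs that killed or hung the target; these go to a debugger next."""
    return [n for n, r in results.items() if r.startswith("signal") or r == "hang"]


def demo() -> Dict[str, str]:
    """Run the campaign against the stand-in target and clean up."""
    path = write_fake_target()
    try:
        return run_campaign([sys.executable, path])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    results = demo()
    for name, outcome in results.items():
        print("%-10s %s" % (name, outcome))
    print("crashing inputs:", crashes(results))
```

Swap `[sys.executable, path]` for the real command to probe. A signal death on a long string is the crash an auditor then takes to a debugger to see whether the overwrite reaches anything controllable, and a hang is worth a look too. This covers only the malformed-input part of the first reply: making allocations fail is done separately, for instance by running the target under a tight `ulimit -v` so that malloc actually returns NULL, and the syscall monitoring mentioned in the reply above is a matter of running the same command under `strace -f`.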

testing
by Nice on Fri 17th Sep 2004 07:41 UTC

Remember black-box vs. white-box testing from college?

Is a binary of an application a black box or a white box? ...

It is time
by Anonymous on Fri 17th Sep 2004 10:47 UTC

It is time to migrate to Solaris, which is the most secure OS in the world!

It's 6.1
by Anonymous on Fri 17th Sep 2004 14:35 UTC

It should be noted that these are all under 6.1, quite an old version. I know for a fact that at least one of these does not exist in the current version, 6.3 (the -s buffer overflow from libAp; I think it was fixed in 6.2, actually).

v die
by fuck you on Fri 17th Sep 2004 16:23 UTC

proper auditing
by UglyKidBill on Fri 17th Sep 2004 18:29 UTC

Hi,
thanks for your comments.
So, would it be fair to say that if a widespread and critical piece of software is found to have a lot of these holes, it means there weren't proper audits or quality tests done on it?

TIA