Last Updated: 2014-10-30 02:38:37 UTC
by Rob VandenBrink (Version: 1)
Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash. This past week we've had a bunch more, less public but still neat bugs.
First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) - http://cxsecurity.com/issue/WLB-2014100174
These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.
Who knew? Coders who wrote stuff in C back in the day didn't always write code that knew how much was too much of a good thing. Now that we're all looking at problems with bounds checking on input data, expect to see at least a couple more of these!
If you have more information or corrections regarding our diary, please share.