Concerning possible bugs in the 'inn' package
Russ Allbery
rra at stanford.edu
Fri Sep 2 18:00:06 UTC 2005

Forrest J Cavalier <forrest at mibsoftware.com> writes:
> The problem is that fd0,1,2 (stdin/stdout/stderr) have been treated as
> known entities by all sorts of libraries and code, and it is impossible to
> know all those platform-specific ways that something could be induced to
> write to stdout/stderr.
>
> So an exploit works like this: attacker finds a way to influence a
> running program to use fd 0,1,2, then induces some state or condition
> that causes the program to write or use input from stdin/stdout/stderr.
> With the right combinations, you can do some pretty interesting things.

Oh, okay, I think I get it. The problem is if fds 0, 1, or 2 are closed
going into the program, so that other files it opens end up pointing to
those file descriptors. The most likely results would be to get random
crap written or read from the wrong files.

Hm. There's got to be some cleaner way of detecting and correcting for
that than just burning three file descriptors at the beginning of the
program.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
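
One way to detect and correct the condition discussed in this message, as an added example that is not part of the original post or of INN's code: probe descriptors 0, 1 and 2 with fcntl() and point only the closed ones at /dev/null. The function names `sanitize_std_fds` and `lowest_fd_after` and the choice of /dev/null are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* 1 if fd refers to an open descriptor, 0 if it is closed (EBADF). */
static int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Point any closed descriptor among 0, 1, 2 at /dev/null.
 * Returns how many were repaired, or -1 on failure. */
int sanitize_std_fds(void) {
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* Lower slots are open by now, so open() normally returns fd itself. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {               /* e.g. another thread took the slot */
            int rc = dup2(nfd, fd);
            close(nfd);
            if (rc == -1)
                return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Constructed demo: simulate starting with fd 1 closed and report which
 * descriptor the program's next open() receives. */
int lowest_fd_after(int do_sanitize) {
    if (sanitize_std_fds() == -1)      /* known baseline: 0-2 all open */
        return -1;
    int saved = dup(1);                /* keep the real stdout to restore */
    close(1);
    if (do_sanitize)
        sanitize_std_fds();
    int got = open("/dev/null", O_WRONLY);   /* stands in for a data file */
    if (got != -1)
        close(got);
    dup2(saved, 1);                    /* restore the original stdout */
    close(saved);
    return got;
}

int main(void) {
    /* Call before any other open(), socket() or fopen(). */
    return sanitize_std_fds() == -1;
}
```

Without the check the stand-in data file lands on descriptor 1, so anything a library writes to stdout would go into it; with the check it gets a descriptor of 3 or higher.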