More complex cases might result from a vulnerability in the processing of data contained
deep within a remote procedure call (RPC) parameter, data that may never reach the vulnerable
code on the server unless it is packaged in what appears, in all respects, to be a valid RPC
request.
Common Problems Leading to Exploitable Conditions
Do not restrict your auditing efforts to searches for calls to functions known to present
problems. A significant number of vulnerabilities exist independently of the presence of
any such calls. Many buffer copy operations are performed in programmer-written loops
specific to a given application, either because the programmers wish to perform their own
error checking or input filtering, or because the buffers being copied do not fit neatly into
the molds of the standard API functions. Some of the behaviors that auditors should look for
include:
• Does the program make assumptions about the length of user-supplied data? What
happens when the user violates those assumptions?
• Does the program accept length values from the user? What size of variable (1, 2, 4
bytes, etc.) does the program use to store these lengths? Does it use signed or unsigned
values to store them? Does it check for possible overflow conditions when performing
arithmetic on these lengths?
• Does the program make assumptions about the content or format of user-supplied
data? Does it attempt to identify the end of user fields based on their content (a
delimiter or terminator) rather than on an explicit length?
• How does the program handle situations in which the user has provided more data than
the program expects? Does it truncate the input data and, if so, is the data properly
truncated? Some functions that perform string copying, strncpy among them, are not
guaranteed to terminate the copied string in all cases.
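The length-handling and termination items in the checklist above, worked through in C as an added example (this is illustration code written for this page, not code from the original text). A hypothetical record format is assumed: one type byte, a 16-bit big-endian payload length, then the payload. A first function mirrors the weak pattern the checklist warns about (the attacker-controlled length stored in a signed 16-bit variable, so a wire value of 0xFFFF becomes -1 and passes a "too big?" comparison); a hardened parser then uses the wire field's unsigned width, bounds the claimed length by both the destination and the bytes actually received, and terminates the copy explicitly; a third function shows strncpy leaving its destination unterminated when the source fills it. All names (parse_record, weak_len_check, strncpy_terminates) and the sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format, constructed for this example:
 *   byte 0     : record type
 *   bytes 1..2 : payload length, big-endian, 16 bits
 *   bytes 3..  : payload
 */
#define HDR_LEN     3
#define MAX_PAYLOAD 64

struct record {
    uint8_t type;
    size_t  len;
    char    payload[MAX_PAYLOAD + 1];   /* +1 so the payload can always be NUL-terminated */
};

/* Weak pattern: the user-supplied 16-bit length lands in a *signed* 16-bit
 * variable.  A wire value of 0xFFFF becomes -1 (two's complement), which is
 * "<= MAX_PAYLOAD", so the record is accepted; a later memcpy would convert
 * -1 to a huge size_t.  This function returns only the accept/reject decision
 * and never copies, so it is safe to call. */
int weak_len_check(const uint8_t *msg) {
    int16_t len = (int16_t)((msg[1] << 8) | msg[2]);   /* signed: the bug */
    return len <= MAX_PAYLOAD;                          /* 1 means "accepted" */
}

/* Hardened parser: unsigned variable matching the wire field's width, the
 * claimed length bounded by the destination and by the bytes actually
 * received (written as a subtraction that cannot wrap, because msg_len >=
 * HDR_LEN was checked first), and explicit termination after the copy.
 * Returns 0 on success, a negative code naming the failed check otherwise. */
int parse_record(const uint8_t *msg, size_t msg_len, struct record *out) {
    if (msg_len < HDR_LEN)                 /* header must be fully present */
        return -1;
    uint16_t len = (uint16_t)((msg[1] << 8) | msg[2]);
    if (len > MAX_PAYLOAD)                 /* bound by the destination, not the claim */
        return -2;
    if ((size_t)len > msg_len - HDR_LEN)   /* claim vs. bytes actually received */
        return -3;
    out->type = msg[0];
    out->len  = len;
    memcpy(out->payload, msg + HDR_LEN, len);
    out->payload[len] = '\0';              /* terminate explicitly; never rely on the copy */
    return 0;
}

/* strncpy() writes no NUL when strlen(src) >= n.  Returns 1 if dst holds a
 * NUL somewhere in its n bytes after the copy, 0 if the string was left
 * unterminated (the "improper truncation" case from the checklist). */
int strncpy_terminates(const char *src, char *dst, size_t n) {
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

int main(void) {
    /* Constructed sample messages, not captured traffic. */
    const uint8_t good[] = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t evil[] = {0x01, 0xFF, 0xFF, 'A'};   /* claims 65535 bytes, carries 1 */
    const uint8_t lie[]  = {0x01, 0x00, 0x0A, 'A'};   /* claims 10 bytes, carries 1 */
    struct record r;
    char small[4];

    printf("weak check accepts 0xFFFF length: %d\n", weak_len_check(evil));
    printf("hardened parse of 0xFFFF record: %d\n", parse_record(evil, sizeof evil, &r));
    printf("hardened parse of short record:  %d\n", parse_record(lie, sizeof lie, &r));
    if (parse_record(good, sizeof good, &r) == 0)
        printf("good record: type %u, len %zu, payload \"%s\"\n", r.type, r.len, r.payload);
    printf("strncpy terminated 7-char source into 4 bytes: %d\n",
           strncpy_terminates("ABCDEFG", small, sizeof small));
    return 0;
}
```

When auditing a hand-rolled loop rather than a library call, the same three questions apply: what width and signedness holds the length, what is it compared against (the destination size and the bytes actually present, not the sender's claim), and who writes the terminator.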