Crossfire Archive

Re: CF: server security



On Jan 25,  5:16pm, Mark Wedel wrote:
> Subject: Re: CF: server security
> On Jan 25,  7:44pm, Preston F. Crow wrote:
> > Subject: CF: server security
> > I'm concerned about all these buffer overflow crashes in the server.  How many
> > of them could be exploited to gain a shell on the server machine?
>
>  Presumably, they hold the same dangers as any buffer overrun problem for other
> programs.  Hopefully, you aren't running crossfire as a root or other
> privileged user so that if access was so gained, it wouldn't be as major.
>

 Upon thinking about this further, the buffer overrun problems probably don't
open up as many security holes as other programs.

 This is because most of the recent buffer overrun problems are using server
supplied data to do so (instead of data the hacker is providing).  This makes
things much more difficult or next to impossible, as the hacker would have to
try to set up the objects/other data in a way that would gain access.  While
theoretically possible, I would say this is very hard at the current time (how can
you predict the value certain pointers are referring to and so on?)

 Things are even a little harder than just that because in addition to actually
spawning a shell, the file descriptors are not likely to do any good - the
shell by default will use 0 for input, and 1 and 2 for output.  These
descriptors are likely to be tied to stuff other than the socket the player is
on (at least 1 descriptor is used for the socket.)  So in addition to having to
get code to launch a shell, they also need to be able to get the code in there
to copy the descriptors they are currently playing on into the descriptors the
shells want.

 So the biggest danger would be any overruns that the user supplies the data
on.  However, I believe the socket code is currently pretty good on buffering
data it reads from the client.


-- 

-- Mark Wedel
mark@pyramid.com
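
The message above singles out overruns fed by client-supplied data as the biggest danger. The following C is an added example, not part of the original post and not Crossfire's socket code; it shows a bounded copy of a client packet into a fixed buffer, assuming a hypothetical framing of a 2-byte big-endian length followed by the payload, with `read_client_command` and `CMD_BUF_SIZE` as made-up names.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 64   /* hypothetical fixed-size command buffer */

/*
 * Copy one client command out of a received packet into a fixed buffer.
 * Assumed framing (not Crossfire's): 2-byte big-endian payload length,
 * then the payload. Returns the payload length, or -1 if rejected.
 */
int read_client_command(const unsigned char *pkt, size_t pkt_len,
                        char *out, size_t out_size)
{
    size_t declared;

    if (pkt == NULL || out == NULL || out_size == 0)
        return -1;
    if (pkt_len < 2)                 /* length header incomplete */
        return -1;

    declared = ((size_t)pkt[0] << 8) | pkt[1];

    if (declared > pkt_len - 2)      /* client claims more than it sent */
        return -1;
    if (declared >= out_size)        /* no room for payload plus NUL */
        return -1;

    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    return (int)declared;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];
    /* Constructed sample packets. */
    const unsigned char good[] = { 0x00, 0x05, 's', 'a', 'y', ' ', 'x' };
    const unsigned char lying[] = { 0x01, 0x00, 'a' };  /* says 256, sends 1 */

    printf("good:  %d\n", read_client_command(good, sizeof good, cmd, sizeof cmd));
    printf("lying: %d\n", read_client_command(lying, sizeof lying, cmd, sizeof cmd));
    return 0;
}
```

Both checks are needed: the first stops a read past the received bytes, the second stops a write past the destination buffer.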