The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman

Chris Angelico rosuav at gmail.com
Mon Aug 22 12:25:32 EDT 2016


On Tue, Aug 23, 2016 at 2:08 AM, Marko Rauhamaa <marko at pacujo.net> wrote:
> Random832 <random832 at fastmail.com>:
>
>> On Mon, Aug 22, 2016, at 11:40, Chris Angelico wrote:
>>> Windows has some other issues, including that arbitrary files can
>>> become executable very easily (eg if %PATHEXT% includes its file
>>> extension), and since the current directory is always at the
>>> beginning of your path, this can easily turn into a remote code
>>> execution exploit.
>>
>> I didn't include dot in my example whitelist, and there's no mechanism
>> for an attacker to add random extensions to your PATHEXT.
>
> Years back, my FTP server was hacked by exploiting a buffer overflow.
> The anonymous input directory contained a very long filename that
> apparently contained some valid x86 code.
>
> Did you vet your whitelist so it couldn't possibly be interpreted by the
> CPU as meaningful instructions?

Step 1: Don't have buffers.
Step 2: Profit!

Anyone who's using fixed-sized buffers for application-level code
deserves to be exploited. A program designed to be accessed via the
internet is never (well, hardly ever) going to need so much
performance that it can't afford to be written in a high level
language - it's going to spend most of its time waiting for the
network. The rare exceptions (*maybe* DNS, but even there, I'd be
quite happy to replace my DNS server with one written in Pike, if
BIND9 ever becomes a major threat vector) should be monitored closely
- preferably statically checked with something like Coverity - because
they're remotely-accessible and thus a major risk.

ChrisA
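A filename-handling routine in the spirit of the dot-free whitelist and the bounded-length point made in this exchange, added here as an example rather than code from any poster; the allowed character set, the length limits and the content-type-to-extension table are assumptions for illustration.

```python
import re
import secrets

# Whitelist for the client-supplied base name: letters, digits, '-' and '_'.
# Deliberately no '.', so no extension from the client can ever be mapped to
# an executable by the OS (the PATHEXT concern above), and no separators.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_RAW_LEN = 255  # bound the raw input before anything else looks at it

# The server, not the client, chooses the extension, keyed on the content
# type it has verified.  Assumed table, not part of the thread.
SAFE_EXT = {"image/png": "png", "image/jpeg": "jpg", "text/plain": "txt"}


def validate_basename(raw):
    """Return raw unchanged if it passes the whitelist, otherwise None."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return None                      # overlong names are rejected outright
    if "\x00" in raw or "/" in raw or "\\" in raw:
        return None                      # NUL and path separators never allowed
    return raw if NAME_RE.fullmatch(raw) else None


def stored_name(raw, content_type):
    """On-disk name: whitelisted base (or a random one) plus server-chosen ext."""
    ext = SAFE_EXT.get(content_type)
    if ext is None:
        raise ValueError("content type not allowed: %r" % (content_type,))
    base = validate_basename(raw)
    if base is None:
        base = secrets.token_hex(8)      # unusable client name: pick our own
    return "%s.%s" % (base, ext)
```

The client's name is treated as a hint only; anything that fails the whitelist is replaced rather than "cleaned up", so there is no rewriting logic for an attacker to reason about.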