Date: Fri, 7 Jul 2000 14:47:13 -0400
From: Alan DeKok <aland@STRIKER.OTTAWA.ON.CA>
Subject: ANNOUNCE: PScan, a simple security scanner.
To: BUGTRAQ@SECURITYFOCUS.COM

[ This should probably wait until Monday to be released ... ]

I've written a simple GPL'd security scanner for the classic problems of
printf-style functions, where a variable contains formatting characters.
e.g.:

    variable = "%s";            /* or malicious user input */
    sprintf(buffer, variable);  /* BAD! */

The preferred solution would be to call sprintf in the following manner:

    sprintf(buffer, "%s", variable);  /* Probably OK */

That's really all it does. But it does allow for user supplied
per-application configuration files for problematic functions.

The URL is:

    http://www.striker.ottawa.on.ca/~aland/pscan/

I've taken the liberty of scanning the latest wu-ftpd source, and posting
the results on the web page. I've checked the result, and didn't see any
obviously exploitable holes, but the wu-ftpd people may want to double-check
that themselves.

I took some care to minimize the number of false positives that the program
produces, and to make the output and documentation clear. That should help
to make it a useful program, which can be one more step in securing your
programs.

  Alan DeKok.
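The check the announcement describes, as an added illustration that is not PScan's own code: a minimal line-based scanner that flags calls to printf-family functions whose format argument is not a string literal (the `sprintf(buffer, variable)` pattern above) and accepts calls where it is (`sprintf(buffer, "%s", variable)`). The function table, the argument positions it assumes, and the sample source lines are constructed for this example; real PScan reads such tables from its configuration files and does more than this.

```c
/* Added example, not PScan's code: flag printf-style calls whose format
 * argument is not a string literal. Function table and sample input are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Known printf-style functions and the 0-based index of the format argument. */
struct fmt_func { const char *name; int fmt_index; };

static const struct fmt_func FUNCS[] = {
    { "printf",   0 },
    { "fprintf",  1 },
    { "sprintf",  1 },
    { "snprintf", 2 },
    { "syslog",   1 },
};

static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Given a pointer just past the call's '(', return the start of argument
 * `index`. Commas are only counted at nesting depth 0 and outside string
 * literals. Returns NULL if that argument is not present on the line. */
static const char *nth_arg(const char *p, int index) {
    int depth = 0, in_str = 0, cur = 0;
    p = skip_ws(p);
    if (index == 0) return p;
    for (; *p; p++) {
        if (in_str) {                       /* inside "...": honour escapes */
            if (*p == '\\' && p[1]) p++;
            else if (*p == '"') in_str = 0;
            continue;
        }
        if (*p == '"') in_str = 1;
        else if (*p == '(' || *p == '[') depth++;
        else if (*p == ')' || *p == ']') { if (depth == 0) return NULL; depth--; }
        else if (*p == ',' && depth == 0 && ++cur == index) return skip_ws(p + 1);
    }
    return NULL;
}

/* Returns 1 if `line` calls a known printf-style function with a non-literal
 * format argument, else 0. On a hit, `*which` names the function if non-NULL. */
int scan_line(const char *line, const char **which) {
    for (size_t i = 0; i < sizeof FUNCS / sizeof FUNCS[0]; i++) {
        const char *name = FUNCS[i].name;
        size_t n = strlen(name);
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            /* Whole identifier only: "sprintf" must not match inside "snprintf"
             * or "my_printf_wrapper"; it must also be followed by '('. */
            int start_ok = (p == line) ||
                           !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            const char *after = skip_ws(p + n);
            if (start_ok && *after == '(') {
                const char *arg = nth_arg(after + 1, FUNCS[i].fmt_index);
                if (arg && *arg != '"') {   /* format is not a "..." literal */
                    if (which) *which = name;
                    return 1;
                }
            }
            p += n;
        }
    }
    return 0;
}

/* Constructed "source" lines exercising the scanner. */
static const char *SAMPLE[] = {
    "sprintf(buffer, variable);",            /* flagged: format is a variable */
    "sprintf(buffer, \"%s\", variable);",    /* ok: literal format */
    "printf(user_input);",                   /* flagged */
    "printf(\"%d items\\n\", count);",       /* ok */
    "snprintf(buf, sizeof(buf), fmt, x);",   /* flagged */
    "my_printf_wrapper(x);",                 /* not a known function */
};

/* Scan the samples, report hits, and return how many lines were flagged. */
int count_findings(void) {
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        const char *which = NULL;
        if (scan_line(SAMPLE[i], &which)) {
            hits++;
            printf("line %zu: %s called with non-literal format: %s\n",
                   i + 1, which, SAMPLE[i]);
        }
    }
    return hits;
}

int main(void) {
    count_findings();
    return 0;
}
```

Like the announcement's own description, this is deliberately simple: it works a line at a time, so a call split across lines or a format passed through a wrapper function is missed, and a non-literal format that is in fact a trusted constant is reported anyway. That is the same false-positive trade-off the author mentions, and the reason a per-application function table is useful.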