Index: src/main/resources/rats.xml
===================================================================
--- src/main/resources/rats.xml (revision 3438)
+++ src/main/resources/rats.xml (working copy)
@@ -161,6 +161,33 @@
config/memcpy
+
+ fixed size global buffer
+ fixed size global buffer
+ Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
+
+ CRITICAL
+ config/fixed size global buffer
+
+
+
+ fixed size local buffer
+ fixed size local buffer
+ A potential race condition vulnerability exists here. Normally a call to this function is vulnerable only when a match check precedes it. No check was detected, however one could still exist that could not be detected.
+
+ CRITICAL
+ config/fixed size local buffer
+
+
+
+ strncpy
+ strncpy
+ Double check that your buffer is as big as you specify. When using functions that accept a number n of bytes to copy, such as strncpy, be aware that if the dest buffer size = n it may not NULL-terminate the string. Also, consider using strlcpy() instead, if it is avaialable to you.
+
+ CRITICAL
+ config/strncpy
+
+
chroot
chroot
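Review bot: the descriptions of the two new fixed-size-buffer rules look swapped or mispasted. The `fixed size global buffer` entry talks about "character arrays that are allocated on the stack", which is the local-buffer case, and the `fixed size local buffer` entry describes "a potential race condition" with a "match check", which is not a buffer issue at all. Suggest moving the stack-array text to the local rule and writing a description that actually covers global buffers. Two smaller points in the same hunk: "avaialable" should be "available" in the strncpy message, and this `strncpy` rule (CRITICAL) duplicates the `strncpy` rule added later in this file with severity MINOR; keep a single entry per key.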
@@ -475,7 +502,7 @@
_tcscat
- ètcscat
+ _tcscat
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
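Review bot: good catch on the mis-encoded key, since `ètcscat` could never have matched the `_tcscat` finding RATS reports. Because this looks like an encoding problem rather than a typo, it is worth checking the other underscore-prefixed keys in this file (`_vsnprintf`, `_mbsnbcpy`, `_tcslen`, `_mbslen`) for the same damage before committing.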
@@ -562,6 +589,18 @@
+ lstrcpyn
+ lstrcpyn
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/lstrcpyn
+
+
+
StrCpyN
StrCpyN
Double check that your buffer is as big as you specify.
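Review bot: the `lstrcpyn` description names strncpy rather than the function the rule flags, and the "may not NULL-terminate" sentence does not apply to it: lstrcpyn is documented to copy at most iMaxLength-1 characters and always append the terminator. Reword to say what is actually risky about lstrcpyn (an iMaxLength larger than the destination buffer). Also, severity is MINOR here while the equivalent `strncpy` rule added in the first hunk is CRITICAL; align the two.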
@@ -2246,10 +2285,640 @@
config/realpath
+
+ syslog
+ syslog
+ Truncate all input strings to a reasonable length
+before passing them to this function.
+
+ MAJOR
+ config/syslog
+
+
+
+ getopt
+ getopt
+ Truncate all input strings to a reasonable length
+before passing them to this function.
+
+ MAJOR
+ config/getopt
+
+
+
+ getopt_long
+ getopt_long
+ Truncate all input strings to a reasonable length
+before passing them to this function.
+
+ MAJOR
+ config/getopt_long
+
+
+
+ getpass
+ getpass
+ Truncate all input strings to a reasonable length
+before passing them to this function.
+
+ MAJOR
+ config/getpass
+
+
+
+ getchar
+ getchar
+ Check buffer boundaries if calling this function in a loop
+and make sure you are not in danger of writing past the allocated space.
+
+ MAJOR
+ config/getchar
+
+
+
+ fgetc
+ fgetc
+ Check buffer boundaries if calling this function in a loop
+and make sure you are not in danger of writing past the allocated space.
+
+ MAJOR
+ config/fgetc
+
+
+
+ getc
+ getc
+ Check buffer boundaries if calling this function in a loop
+and make sure you are not in danger of writing past the allocated space.
+
+ MAJOR
+ config/getc
+
+
+
+ read
+ read
+ Check buffer boundaries if calling this function in a loop
+and make sure you are not in danger of writing past the allocated space.
+
+ MAJOR
+ config/read
+
+
+
+ bcopy
+ bcopy
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MAJOR
+ config/bcopy
+
+
+
+ fgets
+ fgets
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/fgets
+
+
+
+ cin
+ cin
+ cin is unsafe. No bounds checking is performed. Buffer is easily
+ overflowable by user.
+
+ CRITICAL
+ config/cin
+
+
+
+ memcpy
+ memcpy
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MAJOR
+ config/memcpy
+
+
+
+ snprintf
+ snprintf
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/snprintf
+
+
+
+ strccpy
+ strccpy
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/strccpy
+
+
+
+ strcadd
+ strcadd
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/strcadd
+
+
+
+ strncpy
+ strncpy
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.Also, consider using strlcpy() instead, if it is avaialable to you.
+
+ MINOR
+ config/strncpy
+
+
+
+ _vsnprintf
+ _vsnprintf
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/_vsnprintf
+
+
+
+ tmpfile
+ tmpfile
+ Many calls for generating temporary file names are
+insecure (susceptible to race conditions). Use a securely generated file
+name, for example, by pulling 64 bits of randomness from /dev/random, base
+64 encoding it and using that as a file suffix.
+
+ MAJOR
+ config/tmpfile
+
+
+
+ tmpnam
+ tmpnam
+ Many calls for generating temporary file names are
+insecure (susceptible to race conditions). Use a securely generated file
+name, for example, by pulling 64 bits of randomness from /dev/random, base
+64 encoding it and using that as a file suffix.
+
+ MAJOR
+ config/tmpnam
+
+
+
+ tempnam
+ tempnam
+ Many calls for generating temporary file names are
+insecure (susceptible to race conditions). Use a securely generated file
+name, for example, by pulling 64 bits of randomness from /dev/random, base
+64 encoding it and using that as a file suffix.
+
+ MAJOR
+ config/tempnam
+
+
+
+ getlogin
+ getlogin
+ The results of this call are easy to forge.
+
+ MAJOR
+ config/getlogin
+
+
+
+ cuserid
+ cuserid
+ This may be forgable. Whether it is or not, even the man page recommends against using this.
+
+ MAJOR
+ config/cuserid
+
+
+
+ ttyname
+ ttyname
+ The results are easy for an attacker to forge, and not reliable.
+
+ MAJOR
+ config/ttyname
+
+
+
+ signal
+ signal
+ When setting signal handlers, do not use the same function
+ to handle multiple signals. There exists the possibility a race condition
+ will result if 2 or more different signals are sent to the process at nearly
+ the same time. Also, when writing signal handlers, it is best to do as little
+ as possible in them. The best strategy is to use the signal handler to set a
+ flag, that another part of the program tests and performs the appropriate
+ action(s) when it is set.
+
+ MAJOR
+ config/signal
+
+
+
+ gethostbyname
+ gethostbyname
+ WDNS results can easily be forged by an attacker (or
+arbitrarily set to large values, etc), and should not be trusted.
+
+ CRITICAL
+ config/gethostbyname
+
+
+
+ gethostbyaddr
+ gethostbyaddr
+ WDNS results can easily be forged by an attacker (or
+arbitrarily set to large values, etc), and should not be trusted.
+
+ CRITICAL
+ config/gethostbyaddr
+
+
+
+ realloc
+ realloc
+ Don't use on memory intended to be secure, because the old
+ structure will not be zeroed out.
+
+ MAJOR
+ config/realloc
+
+
+
+ fork
+ fork
+ Remember that sensitive data get copied on fork. For
+ example, a random number generator's internal state will get duplicated, and the
+ child may start outputting identical number streams.
+
+ MINOR
+ config/fork
+
+
+ vfork
+ vfork
+ Some implementations may be broken. Additionally,
+ Remember that sensitive data get copied on fork. For example, a random
+ number generator's internal state will get duplicated, and the child
+ may start outputting identical number streams. Use fork() instead.
+
+ MAJOR
+ config/vfork
+
+
+ _mbsnbcpy
+ _mbsnbcpy
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/_mbsnbcpy
+
+
+ CopyMemory
+ CopyMemory
+ Double check that your buffer is as big as you specify.
+When using functions that accept a number n of bytes to copy, such as
+strncpy, be aware that if the dest buffer size = n it may not NULL-terminate
+the string.
+
+ MINOR
+ config/CopyMemory
+
+
+ strlen
+ strlen
+ This function does not properly handle non-NULL terminated
+strings. This does not result in exploitable code, but can lead to access
+violations.
+
+ MINOR
+ config/strlen
+
+
+ _tcslen
+ _tcslen
+ This function does not properly handle non-NULL terminated
+strings. This does not result in exploitable code, but can lead to access
+violations.
+
+ MINOR
+ config/_tcslen
+
+
+
+ _mbslen
+ _mbslen
+ This function does not properly handle non-NULL terminated
+strings. This does not result in exploitable code, but can lead to access
+violations.
+
+ MINOR
+ config/_mbslen
+
+
+
+ wcslen
+ wcslen
+ This function does not properly handle non-NULL terminated
+strings. This does not result in exploitable code, but can lead to access
+violations.
+
+ MINOR
+ config/wcslen
+
+
+
+ CreateProcess
+ CreateProcess
+ Many program execution commands under Windows will search
+the path for a program if you do not explicitly specify a full path to the
+file. This can allow trojans to be executed instead. Also, be sure to
+specify a file extension, since otherwise multiple extensions will be tried
+by the operating system, providing another opportunity for trojans.
+
+ CRITICAL
+ config/CreateProcess
+
+
+
+ CreateProcessAsUser
+ CreateProcessAsUser
+ Many program execution commands under Windows will search
+the path for a program if you do not explicitly specify a full path to the
+file. This can allow trojans to be executed instead. Also, be sure to
+specify a file extension, since otherwise multiple extensions will be tried
+by the operating system, providing another opportunity for trojans.
+
+ CRITICAL
+ config/CreateProcessAsUser
+
+
+
+ CreateProcessWithLogon
+ CreateProcessWithLogon
+ Many program execution commands under Windows will search
+the path for a program if you do not explicitly specify a full path to the
+file. This can allow trojans to be executed instead. Also, be sure to
+specify a file extension, since otherwise multiple extensions will be tried
+by the operating system, providing another opportunity for trojans.
+
+ CRITICAL
+ config/CreateProcessWithLogon
+
+
+
+ WinExec
+ WinExec
+ Many program execution commands under Windows will search
+the path for a program if you do not explicitly specify a full path to the
+file. This can allow trojans to be executed instead. Also, be sure to
+specify a file extension, since otherwise multiple extensions will be tried
+by the operating system, providing another opportunity for trojans.
+
+ CRITICAL
+ config/WinExec
+
+
+
+ RpcImpersonateClient
+ RpcImpersonateClient
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/RpcImpersonateClient
+
+
+
+ ImpersonateLoggedOnUser
+ ImpersonateLoggedOnUser
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/ImpersonateLoggedOnUser
+
+
+
+ CoImpersonateClient
+ CoImpersonateClient
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/CoImpersonateClient
+
+
+
+ ImpersonateNamedPipeClient
+ ImpersonateNamedPipeClient
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/ImpersonateNamedPipeClient
+
+
+
+ ImpersonateDdeClientWindow
+ ImpersonateDdeClientWindow
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/ImpersonateDdeClientWindow
+
+
+
+ ImpersonateSecurityContext
+ ImpersonateSecurityContext
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/ImpersonateSecurityContext
+
+
+
+ QuerySecurityContextToken
+ QuerySecurityContextToken
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/QuerySecurityContextToken
+
+
+
+ SetThreadToken
+ SetThreadToken
+ Impersonation functions return error codes when they
+fail. These error codes must be checked otherwise code could be run with
+extra privileges when an impersonation has failed.
+
+ MAJOR
+ config/SetThreadToken
+
+
+
+ SetSecurityDescriptorDacl
+ SetSecurityDescriptorDacl
+ If the third argument, pDacl, is NULL there is no
+ protection from attack. As an example, an attacker could set a Deny
+ All to Everyone ACE on such an object.
+
+ MAJOR
+ config/SetSecurityDescriptorDacl
+
+
+
+ AfxLoadLibrary
+ AfxLoadLibrary
+ LoadLibrary will search several places for a library if
+no path is specified, allowing trojan DLL's to be inserted elsewhere even
+if the intended DLL is correctly protected from overwriting. Make sure to
+ specify the full path.
+
+ CRITICAL
+ config/AfxLoadLibrary
+
+
+
+ LoadLibraryEx
+ LoadLibraryEx
+ LoadLibrary will search several places for a library if
+no path is specified, allowing trojan DLL's to be inserted elsewhere even
+if the intended DLL is correctly protected from overwriting. Make sure to
+ specify the full path.
+
+ CRITICAL
+ config/LoadLibraryEx
+
+
+
+ InitializeCriticalSection
+ InitializeCriticalSection
+ This function can throw exceptions in low memory
+conditions. Use InitialCriticalSectionAndSpinCount instead.
+
+ MINOR
+ config/InitializeCriticalSection
+
+
+
+ EnterCriticalSection
+ EnterCriticalSection
+ This function can throw exceptions in low memory
+conditions. Use InitialCriticalSectionAndSpinCount instead.
+
+ CRITICAL
+ config/EnterCriticalSection
+
+
+
+ catgets
+ catgets
+ Environment variables are highly untrustable input.
+ They may be of any length, and contain any data. Do not make any assumptions
+ regarding content or length. If at all possible avoid using them, and if it
+ is necessary, sanitize them and truncate them to a reasonable length.
+ catgets() can utilize the NLSPATH environment variable.
+
+ CRITICAL
+ config/catgets
+
+
+
+ gettext
+ gettext
+ Environment variables are highly untrustable input.
+ They may be of any length, and contain any data. Do not make any assumptions
+ regarding content or length. If at all possible avoid using them, and if it
+ is necessary, sanitize them and truncate them to a reasonable length.
+ catgets() can utilize the NLSPATH environment variable.
+
+ CRITICAL
+ config/gettext
+
+
+
+ strncat
+ strncat
+ Consider using strlcat() instead.
+
+ CRITICAL
+ config/strncat
+
+
+
+ umask
+ umask
+ umask() can easily be used to create files with unsafe priviledges.
+ It should be set to restrictive values.
+
+ CRITICAL
+ config/umask
+
+
+
+ AddAccessAllowedAce
+ AddAccessAllowedAce
+ This function does not set the inheritance bits in the Access
+ Controle Entry, making it vulnerable.
+
+ CRITICAL
+ config/AddAccessAllowedAce
+
+
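Review bot: several keys in this hunk collide with rules that already exist in the file: `memcpy` is already defined (see the `config/memcpy` context in the first hunk) and `strncpy` is added once as CRITICAL in the first hunk and again here as MINOR; duplicate keys with different severities make activation ambiguous, so keep one entry per key. The "Double check that your buffer is as big as you specify ... such as strncpy" text has been pasted onto rules where it does not fit: `bcopy`, `memcpy` and `CopyMemory` copy raw bytes and have no NUL-termination semantics, and standard `fgets` and `snprintf` always terminate the buffer, so tailor those descriptions to the function named in the key. Likewise the `gettext` description ends with "catgets() can utilize the NLSPATH environment variable", copied from `catgets`. The `InitializeCriticalSection` and `EnterCriticalSection` descriptions refer to `InitialCriticalSectionAndSpinCount`; the API is `InitializeCriticalSectionAndSpinCount`, and the two rules carry identical text but MINOR versus CRITICAL severity. Typos to fix: "WDNS" should be "DNS" (gethostbyname, gethostbyaddr), "the string.Also," is missing a space and "avaialable" should be "available" (strncpy), "forgable" (cuserid), "priviledges" (umask), "Controle" (AddAccessAllowedAce). Finally, the continuation lines are indented inconsistently (some start at column 0 after the `+`); align them with the surrounding entries.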
Index: src/main/resources/rats-profile.xml
===================================================================
--- src/main/resources/rats-profile.xml (revision 3438)
+++ src/main/resources/rats-profile.xml (working copy)
@@ -73,7 +73,19 @@
c++
memcpy
-
+
+
+ c++
+ fixed size global buffer
+
+
+ c++
+ fixed size local buffer
+
+
+ c++
+ strncpy
+
c++
chroot
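Review bot: this activates `strncpy`, but the rats.xml change defines that key twice with different severities; resolve the duplicate rule first so the activation refers to exactly one definition.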
@@ -208,6 +220,10 @@
c++
+ lstrcpyn
+
+
+ c++
StrCpyN
@@ -741,15 +757,230 @@
c++
realpath
+
+
+ c++
+ syslog
+
+
+ c++
+ getopt
+
+
+ c++
+ getopt_long
+
+
+ c++
+ getpass
+
+
+ c++
+ getchar
+
+
+ c++
+ getc
+
+
+ c++
+ read
+
+
+ c++
+ bcopy
+
+
+ c++
+ fgets
+
+
+ c++
+ cin
+
+
+ c++
+ memcpy
+
+
+ c++
+ snprintf
+
+
+ c++
+ strccpy
+
+
+ c++
+ strcadd
+
+
+ c++
+ strncpy
+
+
+ c++
+ _vsnprintf
+
+
+ c++
+ tmpfile
+
+
+ c++
+ tmpnam
+
+
+ c++
+ tempnam
+
+
+ c++
+ getlogin
+
+
+ c++
+ cuserid
+
+
+ c++
+ ttyname
+
+
+ c++
+ signal
+
+
+ c++
+ gethostbyname
+
+
+ c++
+ gethostbyaddr
+
+
+ c++
+ realloc
+
+
+ c++
+ fork
+
+
+ c++
+ vfork
+
+
+ c++
+ _mbsnbcpy
+
+
+ c++
+ CopyMemory
+
+
+ c++
+ strlen
+
+
+ c++
+ _tcslen
+
+
+ c++
+ _mbslen
+
+
+ c++
+ wcslen
+
+
+ c++
+ CreateProcess
+
+
+ c++
+ CreateProcessAsUser
+
+
+ c++
+ CreateProcessWithLogon
+
+
+ c++
+ WinExec
+
+
+ c++
+ RpcImpersonateClient
+
+
+ c++
+ ImpersonateLoggedOnUser
-
-
-
-
-
-
-
-
-
+
+ c++
+ CoImpersonateClient
+
+
+ c++
+ ImpersonateNamedPipeClient
+
+
+ c++
+ ImpersonateDdeClientWindow
+
+
+ c++
+ ImpersonateSecurityContext
+
+
+ c++
+ QuerySecurityContextToken
+
+
+ c++
+ SetThreadToken
+
+
+ c++
+ SetSecurityDescriptorDacl
+
+
+ c++
+ AfxLoadLibrary
+
+
+ c++
+ LoadLibraryEx
+
+
+ c++
+ InitializeCriticalSection
+
+
+ c++
+ EnterCriticalSection
+
+
+ c++
+ catgets
+
+
+ c++
+ gettext
+
+
+ c++
+ strncat
+
+
+ c++
+ umask
+
+
+ c++
+ AddAccessAllowedAce
+
\ No newline at end of file
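Review bot: `fgetc` gets a rule in rats.xml in this change but is not activated here, while every other new key is; add it or drop the rule. The nine removed lines between `ImpersonateLoggedOnUser` and `CoImpersonateClient` appear blank in this view; confirm they were only whitespace or closing elements that the following `+` line re-adds, since losing a closing element there would make the profile malformed. Also, the file now ends without a trailing newline ("\ No newline at end of file"); add one.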