From owner-freebsd-audit Tue Nov 30 21:52:52 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133])
	by hub.freebsd.org (Postfix) with ESMTP id A0EFA14CE6
	for ; Tue, 30 Nov 1999 21:52:44 -0800 (PST)
	(envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1])
	by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id HAA19929;
	Wed, 1 Dec 1999 07:52:35 +0200 (SAST)
	(envelope-from mark@grondar.za)
Message-Id: <199912010552.HAA19929@gratis.grondar.za>
To: tstromberg@rtci.com
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: Where to start? Heres a few overflows.
Date: Wed, 01 Dec 1999 07:52:34 +0200
From: Mark Murray
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is superb! Where can we get your code/tool? (May we use it?)

> About two weeks ago now I did a preliminary scan with a tool I've been
> developing (smashwidgets) of the FreeBSD suid applications. This was
> done as a precursor to 'certification' at our company of FreeBSD meeting
> all of our security requirements (we've got 5 FreeBSD servers in
> production right now, so it's in my best interest to see to the
> security).
>
> In any case, I found some problems in rdump/dump/systat. I reported all
> three to FreeBSD-security. The first two have been fixed in at least
> -CURRENT, not so certain about the third (minor). However, when I saw
> the FreeBSD Auditing project announced, I was quite elated at the chance
> to give smashwidgets a spin on the entire system to help out. When I
> started, I ran into a few speedbumps with crashes in -CURRENT, but I may
> have gotten these straightened out thanks to Matthew Dillon. (PV's).
>
> Please note that most of these have little significance directly.
> Unfortunately, I've been so busy playing with the smashwidgets toolset
> that I haven't had time to follow these up for validity or
> exploitability. Also, the smashwidgets kit can't be released until I can
> get work convinced to release it under a BSD license.
>
> I've improved it during the course of the tests, for instance I just
> added some checks for STDIN overflows (normal, URL format, etc.). I'll
> re-run when I get a chance. The results below are from the first 206
> programs that breakwidgets (part of smashwidgets) was run through. I
> think
>
> BTW, the #'s don't mean minimum, just a # the tester happened to crash
> it with. A nice collection of core files are at
> http://www.afterthought.org/freebsd/cores/ if you're bored. This roughly
> means that 10% of tested binaries have easily found overflows.
>
> program     desc
> --------------------------------------------------
> *dump       overflow when giving it a partition to dump
>             ex: dump -0 [A*1024] (msg?)
> *rdump      overflow when giving it a partition to dump
>             ex: rdump -0 [A*1024]
> !dig        overflow in many arguments. No errors, but core.
>             ex: dig -k [A*16000]
> !dnsquery   overflow in any argument.
>             ex: dnsquery [A*4000]
> !doscmd     overflow in any argument.
>             ex: doscmd [A*4000]
> !ee         overflow in $NLSPATH. set NLSPATH to [A*32769]
> !ed         overflow in any argument.
>             ex: ed [A*40000]
> !red        overflow in any argument.
>             ex: ed [A*40000]
> !dhclient   overflow in any argument.
>             ex: dhclient [A*40000]
> !natd       argument overflow.
>             ex: natd -w [A*16384] blah
> !startslip  argument overflow.
>             ex: startslip -d [A*8192] -c [A*8192]
> !Mail       overflow in $HOME, set HOME to [A*32769]
> !apply      argument overflow.
>             ex: apply blah [A*16384]
> !mount_mfs  argument overflow
>             ex: mount_mfs [A*8192] [A*8192]
> !as         argument overflow
>             ex: as [A*8192]
> !awk        arg overflow, but only a SIG6.
>             ex: awk -f [A*8192]
> ?banner     arg overflow. discussed in -CURRENT.
>             ex: banner [A*8192]
> !captoinfo  environment overflow, set TERMCAP to [A*32769]
> !colldef    overflow in -I argument
>             ex: colldef -I [A*8192]
> !crunchgen  arg overflow
>             ex: crunchgen [A*8192]
> ?systat     possible race condition in systat -n (and other gui
>             modes). Happens when program is terminated sometimes.
>             (could be libcurses?). Test script sent to security-officer.
>
> Trace as follows:
>
> #0  0x280714c5 in wmove () from /usr/lib/libcurses.so.2
> #1  0x804b916 in free ()
> #2  0xbfbfdfdc in ?? ()
> #3  0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
> #4  0x2807130b in setterm () from /usr/lib/libcurses.so.2
> #5  0x28071159 in setterm () from /usr/lib/libcurses.so.2
> #6  0x28070759 in initscr () from /usr/lib/libcurses.so.2
> #7  0x804b529 in free ()
> #8  0x80499fd in free ()
>
> * fixed in current
> ! not announced to my knowledge
> ? may be fixed, but was not when the test was done.
>
> --
> ======================================================================
> thomas r. stromberg                       smtp://tstromberg@rtci.com
> assistant is manager / systems guru       http://thomas.stromberg.org
> research triangle commerce, inc.          finger://thomas@stromberg.org
> 'om mani pedme hung'                      pots://1.919.380.9771:3210
> ================================================================[eof]=
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-audit" in the body of the message

--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
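The probing the quoted table describes (feed each suid program an argv string or an environment variable of [A*N] for a few values of N, and treat a death by signal or a core file as a hit) can be reproduced with a small harness. What follows is an added example written for this page; it is not smashwidgets/breakwidgets, which the author says could not be released, nor any FreeBSD code. It assumes a POSIX host (fork, execvpe, wait-status macros, SIGALRM) and, because no real target can ship with the example, it includes a constructed Python child that SIGSEGVs itself past a chosen length as a stand-in for a vulnerable binary. The length list is taken from the table; the signal classification separates a real smash (SIGSEGV/SIGBUS/SIGILL) from the awk-style "only a SIG6" abort and from a hang, and records whether a core was written.

```python
"""Argument/environment overflow prober in the spirit of breakwidgets.

Added example for this page, not the (unreleased) smashwidgets code.
Assumes a POSIX host: fork(), execvpe(), wait-status macros, SIGALRM.
"""
import os
import signal
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Lengths taken from the table above; 32769 is one byte past a 32 KiB buffer.
DEFAULT_LENGTHS: Sequence[int] = (1024, 4096, 8192, 16384, 32769, 40000)

# Signals that point at memory corruption rather than a clean error path.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGILL}


@dataclass
class Result:
    length: int                 # size of the injected string
    env_key: Optional[str]      # variable that carried it, or None for argv
    signum: Optional[int]       # signal that killed the target, None if it exited
    core_dumped: bool           # needs a non-zero core-file limit (ulimit -c)
    exit_status: Optional[int]

    @property
    def kind(self) -> str:
        if self.signum in CRASH_SIGNALS:
            return "crash"
        if self.signum == signal.SIGABRT:
            return "abort"      # the awk "only a SIG6" case: abort(), not a smash
        if self.signum == signal.SIGALRM:
            return "hung"       # our watchdog fired
        if self.signum is not None:
            return signal.Signals(self.signum).name
        return "ok" if self.exit_status == 0 else "exit %d" % self.exit_status


def run_once(argv: List[str], env: Dict[str, str], length: int,
             env_key: Optional[str], timeout: int = 5) -> Result:
    """Fork, exec the target with stdio on /dev/null, decode the wait status."""
    pid = os.fork()
    if pid == 0:
        try:
            devnull = os.open(os.devnull, os.O_RDWR)
            for fd in (0, 1, 2):
                os.dup2(devnull, fd)
            signal.alarm(timeout)   # a pending alarm survives execve: a hung target gets SIGALRM
            os.execvpe(argv[0], argv, env)
        finally:
            os._exit(127)           # only reached if exec itself failed
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return Result(length, env_key, os.WTERMSIG(status), os.WCOREDUMP(status), None)
    return Result(length, env_key, None, False, os.WEXITSTATUS(status))


def sweep(template: Sequence[str], lengths: Sequence[int] = DEFAULT_LENGTHS,
          env_key: Optional[str] = None, fill: str = "A", timeout: int = 5) -> List[Result]:
    """Run the target once per length.

    template: argv with "{}" where the long string goes, e.g. ["dump", "-0", "{}"].
    env_key:  also (or only) place the string in this variable, e.g. "NLSPATH".
    """
    results = []
    for n in lengths:
        payload = fill * n
        argv = [payload if tok == "{}" else tok for tok in template]
        env = dict(os.environ)
        if env_key is not None:
            env[env_key] = payload
        results.append(run_once(argv, env, n, env_key, timeout))
    return results


def report(results: List[Result]) -> List[str]:
    """One line per probe, in the style of the table above."""
    lines = []
    for r in results:
        where = "$" + r.env_key if r.env_key else "argv"
        core = " (core dumped)" if r.core_dumped else ""
        lines.append("%s=[A*%d] -> %s%s" % (where, r.length, r.kind, core))
    return lines


def self_test_target(threshold: int, via_env: bool = False) -> List[str]:
    """Constructed stand-in for a vulnerable suid binary: a Python child that
    raises SIGSEGV on itself once the probe string reaches `threshold` bytes,
    read from argv[1] or, with via_env, from $NLSPATH."""
    source = ("import os, signal, sys\n"
              "v = %s\n"
              "if len(v) >= %d:\n"
              "    os.kill(os.getpid(), signal.SIGSEGV)\n"
              % ("os.environ.get('NLSPATH', '')" if via_env else "sys.argv[1]", threshold))
    argv = [sys.executable, "-c", source]
    return argv if via_env else argv + ["{}"]


if __name__ == "__main__":
    # Usage: python3 probe.py dump -0 {}    (no arguments: run against the stand-in)
    for line in report(sweep(sys.argv[1:] or self_test_target(4096))):
        print(line)
```

Run it as an unprivileged user on a scratch machine, since a set-uid target that really does smash its stack is doing so with its elevated privileges. Two caveats the author's own note already makes: a death by SIGSEGV shows a memory-safety bug, not exploitability, and the length that happened to crash the program is not the minimum. A third is practical: the core-dumped flag is only meaningful with a non-zero core-file limit, and a single argv or environment string cannot exceed the kernel's per-string limit, so the 40000-byte probe is near the top of what the harness can pass.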