Date:      Tue, 30 Nov 1999 18:14:50 -0500
From:      Thomas Stromberg <tstromberg@rtci.com>
To:        freebsd-audit@freebsd.org
Subject:   Where to start? Here's a few overflows.
Message-ID:  <38445A6A.50245AF5@rtci.com>

About two weeks ago now I did a preliminary scan with a tool I've been
developing (smashwidgets) of the FreeBSD suid applications. This was
done as a precursor to 'certification' at our company of FreeBSD meeting
all of our security requirements (we've got 5 FreeBSD servers in
production right now, so it's in my best interest to see to the
security). 

In any case, I found some problems in rdump/dump/systat. I reported all
three to FreeBSD-security. The first two have been fixed in at least
-CURRENT, not so certain about the third (minor). However, when I saw
the FreeBSD Auditing project announced, I was quite elated at the chance
to give smashwidgets a spin on the entire system to help out. When I
started, I ran into a few speedbumps with crashes in -CURRENT, but I may
have gotten these straightened out thanks to Matthew Dillon. (PV's).

Please note that most of these have little significance directly.
Unfortunately, I've been so busy playing with the smashwidgets toolset
that I haven't had time to follow these up for validity or
exploitability. Also, the smashwidgets kit can't be released until I can
get work convinced to release it under a BSD license <sigh>. 

I've improved it during the course of the tests, for instance I just
added some checks for STDIN overflows (normal, URL format, etc.). I'll
re-run when I get a chance. The results below are from the first 206
programs that breakwidgets (part of smashwidgets) was run through. I
think 

BTW, the #'s don't mean minimum, just a # the tester happened to crash
it with. A nice collection of core files are at
http://www.afterthought.org/freebsd/cores/ if you're bored. This roughly
means that 10% of tested binaries have easily found overflows.

program    desc
--------------------------------------------------
*dump      overflow when giving it a partition to dump
           ex: dump -0 [A*1024]  (msg?)
*rdump     overflow when giving it a partition to dump
           ex: rdump -0 [A*1024]
!dig       overflow in many arguments. No errors, but core.
           ex: dig -k [A*16000]
!dnsquery  overflow in any argument.
           ex: dnsquery [A*4000]
!doscmd    overflow in any argument.
           ex: doscmd [A*4000]
!ee        overflow in $NLSPATH. set NLSPATH to [A*32769]
!ed        overflow in any argument.
           ex: ed [A*40000]
!red       overflow in any argument.
           ex: ed [A*40000]
!dhclient  overflow in any argument.
           ex: dhclient [A*40000]
!natd      argument overflow.. 
           ex: natd -w [A*16384] blah
!startslip argument overflow..
           ex: startslip -d [A*8192] -c [A*8192]
!Mail      overflow in $HOME, set HOME to [A*32769]
!apply     argument overflow..
           ex: apply blah [A*16384]
!mount_mfs argument overflow
           ex: mount_mfs [A*8192] [A*8192]
!as        argument overflow
           ex: as [A*8192]
!awk       arg overflow, but only a SIG6.
           ex: awk -f [A*8192]
?banner    arg overflow. discussed in -CURRENT.
           ex: banner [A*8192]
!captoinfo environment overflow, set TERMCAP to [A*32769]
!colldef   overflow in -I argument
           ex: colldef -I [A*8192]
!crunchgen arg overflow
           ex: crunchgen [A*8192]
?systat    possible race condition in systat -n (and other gui
           modes). Happens when program is terminated sometimes.
           (could be libcurses?). Test script sent to security-officer.

           Trace as follows:

#0  0x280714c5 in wmove () from /usr/lib/libcurses.so.2
#1  0x804b916 in free ()
#2  0xbfbfdfdc in ?? ()
#3  0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
#4  0x2807130b in setterm () from /usr/lib/libcurses.so.2
#5  0x28071159 in setterm () from /usr/lib/libcurses.so.2
#6  0x28070759 in initscr () from /usr/lib/libcurses.so.2
#7  0x804b529 in free ()
#8  0x80499fd in free ()


* fixed in current
! not announced to my knowledge
? may be fixed, but was not when the test was done.



-- 
======================================================================
thomas r. stromberg                     smtp://tstromberg@rtci.com
assistant is manager / systems guru     http://thomas.stromberg.org
research triangle commerce, inc.        finger://thomas@stromberg.org
'om mani pedme hung'                    pots://1.919.380.9771:3210
================================================================[eof]=
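Nearly every row in the table above is the same defect: an argument or environment value copied into a fixed-size buffer with no length check. The following is an added example, not code from the post or from smashwidgets, showing the bounded copy a setuid program should use for values such as HOME, NLSPATH or TERMCAP in standard C; PATHBUF, the function names, the "/" fallback and the self-test inputs are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>
#define PATHBUF 1024   /* a fixed-size buffer of the kind these programs overran */

/* Bounded replacement for strcpy(buf, src): refuse anything that does not fit
 * instead of overrunning or silently truncating. Returns 0 on success, -1 if
 * src is too long. memchr keeps the scan within dstsz bytes of src. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0)
        return -1;
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;               /* no terminator within dstsz: would overflow */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* How a setuid program should take HOME, NLSPATH or TERMCAP: bound the value,
 * fall back to a known default when it is unset or oversized.
 * Returns 0 if value was accepted, 1 if the fallback was used, -1 on error. */
int env_value_to_buf(const char *value, const char *fallback,
                     char *dst, size_t dstsz)
{
    if (value != NULL && copy_bounded(dst, dstsz, value) == 0)
        return 0;
    return copy_bounded(dst, dstsz, fallback) == 0 ? 1 : -1;
}

/* Self-check with a constructed input: HOME set to 32769 'A's, the length the
 * report gives for Mail. Returns 1 if it is rejected and the fallback used. */
int selftest_overlong_home(void)
{
    char home[PATHBUF];
    char *big = malloc(32770);
    if (big == NULL) return 0;
    memset(big, 'A', 32769);
    big[32769] = '\0';
    int rc = env_value_to_buf(big, "/", home, sizeof home);
    free(big);
    return rc == 1 && strcmp(home, "/") == 0;
}

/* A normal-length value passes through unchanged; returns 1 on success. */
int selftest_normal_home(void)
{
    char home[PATHBUF];
    return env_value_to_buf("/home/audit", "/", home, sizeof home) == 0
        && strcmp(home, "/home/audit") == 0;
}
```

In a real program the first argument would be `getenv("HOME")` or `argv[1]`; rejecting rather than truncating matters because a silently truncated path or TERMCAP string can still send the program somewhere the caller did not intend.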






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38445A6A.50245AF5>