Date: Wed, 01 Dec 1999 09:19:23 -0500
From: Thomas Stromberg <tstromberg@rtci.com>
To: Mark Murray <mark@grondar.za>, freebsd-audit@freebsd.org
Subject: Re: Where to start? Here's a few overflows. (smashwidgets)
Message-ID: <38452E6B.C820BD4A@rtci.com>
References: <199912010552.HAA19929@gratis.grondar.za>
Mark Murray wrote:
> This is superb!
>
> Where can we get your code/tool? (May we use it?)

Can't get it yet I'm afraid. Once I can finish the base tool, I still need to get approval to release this to the public domain since it was developed through my employment. This shouldn't be a big hurdle. I should be able to post a copy up on a webpage early next week. I'll continue to post results in this list however.

I think this type of tool should be in the hands of every OS vendor (with the functionality extended of course). I think it would have made our world a bit nicer of a place :0 <or at least, the overflows tougher to find.. depends on your outlook>. I would have thought Sun Microsystems would have had such a beast, but looking at the kcms_configure $NETPATH overflow released this week, it's evident that no such brute forcing or careful auditing had been done.

I still have a few messes to handle:

- a proper kill after timeout.. after my alarm() is triggered, some programs hang out in the background (sometimes zombies). Right now I just run killall -9 on the program. This however gets nasty when, say, you're testing perl. I wish system() would return a pid or something. If I was using threads, I could just kill off the thread (see bottom). This becomes a real 'trick' because some programs change their 'program name' after running in the process list. For instance, I load sendmail as "sendmail -bd -q15m", but /proc/93221/cmdline (and by nature, ps) says "sendmail: accepting connections on port 25@". I wish there was a separate cmdline & name file :)

- analyzewidgets, the program that analyzes a binary for what environment variables to test for, does not work so well on, say, the Solaris base-chain. Right now how I find what environment variables to test for is I took all of /usr/src, and the 150 or so ports I make use of, did some grep & regexp magic for whatever they used with *env(), and search the binary for it. I've got 567 env variables to test with, but some of these are application specific. I've got a separate list of 326 good ones that I actually test against. Things I compile under Solaris with gcc leave the environment variables in plain text in the binary, but not, say, /usr/openwin/bin/kcms_configure or any of the other base toolset. What's a nice automated way to find out what environment variables are used by a binary? truss was no help here it seems. Maybe some gdb wizardry..?

- performance sucks with programs that expect input (for instance, 'enigma'). I've got a 3 second timeout, so rather than 5000-8000 tests a minute, I gather 20 or so. The solution for this would be threading off multiple tests if it's, say, under 500 tests/minute. Unfortunately I have no experience with perl threads, and this functionality isn't a priority for me.

--
======================================================================
thomas r. stromberg                    smtp://tstromberg@rtci.com
assistant is manager / systems guru    http://thomas.stromberg.org
research triangle commerce, inc.       finger://thomas@stromberg.org
'om mani pedme hung'                   pots://1.919.380.9771:3210
================================================================[eof]=
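The three problems raised in the message above (reaping a target after the timeout fires, working out which variables a binary reads, and throughput on targets that block on stdin) handled in one small harness. This is an added example written in Python rather than the author's Perl; it is not smashwidgets or analyzewidgets, and it is not code from the thread. The candidate variable list, the two target programs (CRASHY, HANGER) and the FAKE_RODATA bytes are constructed stand-ins so it runs anywhere; the getenv-literal scan is only the string-search heuristic the message describes, and misses anything it would miss.

```python
"""Environment-variable overflow harness (added example, not smashwidgets).

Runs a target repeatedly with one environment variable set to an
ever-longer string and classifies each run as ok / crash / timeout.
Targets are started in their own session so a hung run can be killed
by process group, whatever the program renamed itself to in ps.
"""
import os
import signal
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed candidate list. A real run would use the few hundred names
# harvested from getenv() callers in /usr/src and the ports tree.
CANDIDATE_ENV = ["HOME", "TERM", "PATH", "NETPATH", "DISPLAY", "LANG"]


def env_names_in(blob, candidates=CANDIDATE_ENV):
    """analyzewidgets-style scan: candidate names that occur in the raw
    binary as NUL-terminated C strings, i.e. as a getenv("NAME") literal.
    Heuristic only: "NETPATH=%s" inside a printf format is not matched,
    and names built at runtime are invisible to any string scan."""
    return sorted(c for c in candidates if c.encode() + b"\0" in blob)


def run_with_env(argv, name, value, timeout=3.0, stdin_data=b""):
    """Run argv once with name=value added to the environment.

    Returns ("ok", exit_status), ("crash", signal_number) or
    ("timeout", None). A crash is any signal-terminated exit, which
    covers SIGSEGV/SIGBUS from a smashed stack."""
    env = dict(os.environ, **{name: value})
    proc = subprocess.Popen(
        argv, env=env, stdin=subprocess.PIPE,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        start_new_session=True,   # child becomes leader of its own process group
    )
    try:
        proc.communicate(stdin_data, timeout=timeout)
    except subprocess.TimeoutExpired:
        # Kill the whole group: forked children and renamed processes
        # ("sendmail: accepting connections ...") go with it, and the
        # wait() below reaps the leader so no zombie is left behind.
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        return ("timeout", None)
    if proc.returncode < 0:       # negative status: killed by that signal
        return ("crash", -proc.returncode)
    return ("ok", proc.returncode)


def fuzz(argv, names, lengths=(64, 256, 1024, 4096, 16384), workers=4, **kw):
    """For each variable, grow the value until the target crashes or hangs.
    Probes run in a thread pool so a slow, stdin-blocked target (the
    'enigma' case) does not serialise the whole run on its timeout."""
    def probe(name):
        for n in lengths:
            kind, detail = run_with_env(argv, name, "A" * n, **kw)
            if kind != "ok":
                return name, (kind, n, detail)
        return name, None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {name: res for name, res in pool.map(probe, names) if res}


# Constructed stand-ins for real targets, so the harness runs anywhere.
# CRASHY mimics a binary that copies NETPATH into a 1024-byte buffer and
# dies with SIGSEGV past that size; HANGER mimics a program blocked on stdin.
CRASHY = [sys.executable, "-c",
          "import os, signal; v = os.environ.get('NETPATH', ''); "
          "os.kill(os.getpid(), signal.SIGSEGV) if len(v) > 1024 else None"]
HANGER = [sys.executable, "-c", "import time; time.sleep(60)"]

# Constructed bytes standing in for a stripped binary's read-only data.
FAKE_RODATA = b"\x7fELF\0\0HOME\0NETPATH=%s\0TERM\0usage: %s\0"

if __name__ == "__main__":
    print("names in binary:", env_names_in(FAKE_RODATA))
    print("findings:", fuzz(CRASHY, CANDIDATE_ENV))
    print("hang:", run_with_env(HANGER, "TERM", "x", timeout=0.5))
```

The process-group kill is the answer to "I wish system() would return a pid": Popen hands back the pid, and because the child is started as a session leader, killpg reaches everything it forked or renamed without a killall over the whole box. A real target would be given as its argv list (e.g. the sendmail invocation from the message) in place of CRASHY.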