Message-ID: <38452E6B.C820BD4A@rtci.com>
Date: Wed, 01 Dec 1999 09:19:23 -0500
From: Thomas Stromberg
Reply-To: tstromberg@rtci.com
Organization: Research Triangle Commerce, Inc.
To: Mark Murray, freebsd-audit@freebsd.org
Subject: Re: Where to start? Heres a few overflows. (smashwidgets)
References: <199912010552.HAA19929@gratis.grondar.za>

Mark Murray wrote:
>
> This is superb!
>
> Where can we get your code/tool? (May we use it?)

Can't get it yet I'm afraid. Once I can finish the base tool, I still need to get approval to release this to the public domain since it was developed through my employment. This shouldn't be a big hurdle. I should be able to post a copy up on a webpage early next week. I'll continue to post results in this list however.

I think this type of tool should be in the hands of every OS vendor (with the functionality extended of course). I think it would have made our world a bit nicer of a place :0 . I would have thought Sun Microsystems would have had such a beast, but looking at the kcms_configure $NETPATH overflow released this week, it's evident that no such brute forcing or careful auditing had been done.

I still have a few messes to handle:

- a proper kill after timeout.. after my alarm() is triggered, some programs hang out in the background (sometimes zombies). Right now I just run killall -9 on the program. This however gets nasty when say, you're testing perl. I wish system() would return a pid or something. If I was using threads, I could just kill off the thread (see bottom). This becomes a real 'trick' because some programs change their 'program name' after running in the process list. For instance, I load sendmail as "sendmail -bd -q15m", but /proc/93221/cmdline (and by nature, ps), says "sendmail: accepting connections on port 25@". I wish there was a separate cmdline & name file :)

- analyzewidgets, the program that analyzes a binary for what environment variables to test for, does not work so well on say the Solaris base-chain. Right now how I find what environment variables to test for is I took all of /usr/src, and the 150 or so ports I make use of, did some grep & regexp magic for whatever they used with *env(), and search the binary for it. I've got 567 env variables to test with, but some of these are application specific. I've got a separate list of 326 good ones that I actually test against. Things I compile under Solaris with gcc leave the environment variables in plain text in the binary, but not say, /usr/openwin/bin/kcms_configure or any of the other base toolset. What's a nice automated way to find out what environment variables are used by a binary? truss was no help here it seems. Maybe some gdb wizardry..?

- performance sucks with programs that expect input (for instance, 'enigma'). I've got a 3 second timeout, so rather than 5000-8000 tests a minute, I gather 20 or so. The solution for this would be threading off multiple tests if it's say, under 500 tests/minute. Unfortunately I have no experience with perl threads, and this functionality isn't a priority for me.

--
======================================================================
thomas r. stromberg                        smtp://tstromberg@rtci.com
assistant is manager / systems guru        http://thomas.stromberg.org
research triangle commerce, inc.           finger://thomas@stromberg.org
'om mani pedme hung'                       pots://1.919.380.9771:3210
================================================================[eof]=
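The first "mess" above (alarm() leaving stragglers, killall -9 by name missing programs that rewrite their cmdline, system() giving no pid) is the usual harness problem. The following is an added example, not the poster's smashwidgets code: it launches each test target in its own session so the harness holds a process-group id, kills the whole group by id on timeout, and reaps the child so no zombie is left. The `python_cmd` helper is a portable stand-in for the daemons the harness would actually launch.

```python
import os
import signal
import subprocess
import sys


def run_with_timeout(argv, timeout, env=None):
    """Run argv under a fixed timeout and report how it ended.

    start_new_session=True makes the child a session and process-group
    leader, so its pid is also its pgid. On timeout the entire group is
    killed by id, which catches targets that fork or rewrite argv[0]
    (e.g. sendmail's "accepting connections" banner) and would be
    missed by a name-based killall. The child is always reaped, so the
    harness never accumulates zombies.

    Returns {"exit": code or None, "signal": signum or None, "timed_out": bool}.
    """
    proc = subprocess.Popen(
        argv, env=env, start_new_session=True,
        stdin=subprocess.DEVNULL,   # targets that read stdin get EOF, not a hang
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    timed_out = False
    try:
        status = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        timed_out = True
        os.killpg(proc.pid, signal.SIGKILL)  # signal the group, not a name
        status = proc.wait()                 # reap: no zombie, no straggler
    if status < 0:
        # Popen reports death-by-signal as a negative return code.
        return {"exit": None, "signal": -status, "timed_out": timed_out}
    return {"exit": status, "signal": None, "timed_out": timed_out}


def python_cmd(code):
    """Helper (assumption, not from the post): run a snippet under the
    current interpreter as a stand-in for a real test target."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    print(run_with_timeout(python_cmd("pass"), 5))
    print(run_with_timeout(python_cmd("import time; time.sleep(60)"), 1))
    print(run_with_timeout(python_cmd("import os; os.abort()"), 5))
```

A target that crashes under a hostile environment variable shows up as `signal` set (SIGSEGV, SIGABRT, SIGBUS) with `timed_out` false, which is the signal the harness wants to distinguish from a plain hang.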