From owner-freebsd-security Thu Mar 13 5:44: 6 2003
Date: Thu, 13 Mar 2003 14:39:44 +0100
From: "Guy P."
To: amavis-user@lists.sourceforge.net
Cc: freebsd-security@freebsd.org
Subject: Re: [AMaViS-user] ASA-2003-1: Locally Exploitable Buffer Overflow in file
Message-Id: <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org>
In-Reply-To: <200303121821.05890.ianjhart@ntlworld.com>
References: <20030312103456.GA8977@nmrc.ie> <20030311171324.GA6731@nmrc.ie> <20030312103456.GA8977@nmrc.ie>
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
X-Virus-Scanned: by amavis-milter (http://www.amavis.org/)

At 19:21 12/03/2003, ian j hart wrote:

[snip the original advisory]

>FreeBSD:
> Guy has posted an alternative patch to freebsd-security
>
>http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34195+0+current/freebsd-security
>
>It's white-space broken, but otherwise seems okay.
>
>My question is, how do I test it? I'm not going to run something I don't
>understand, so can we get a test script published with an MD5?
>
>--
>ian j hart

(Note : CCing to freebsd-security for letting them have the non-white-space-broken versions of the patches.)

As I had a few questions about patching file for FreeBSD, lemme try to explain how I made the patch, tested it and how it can be used. Anybody feel free to correct me if I did/said something wrong.

Hopefully the FreeBSD team will soon fix that in the STABLE sources (CURRENT was already fixed).

I made that 'alternative' patch by diffing the official fixed file version from ftp://ftp.astron.com/pub/file against the current FreeBSD-STABLE sources and keeping the changes relevant to that security problem.

I tried to fix the white space problem and made the patch available as http://device.dyndns.org/FILE-FREEBSD-STABLE.PATCH , sorry but I am not used to the code writing process under non-windows OSes :]

I also put there, for the paranoid kind, a version that will log what looks like attempts to exploit that vulnerability, as http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH

I tested it using a "carefully crafted" test file, built with the exploit released by "Crazy Einstein" (see http://marc.theaimsgroup.com/?l=bugtraq&m=104696992100353&w=2 ) and targeting RedHat 8.0 - thus if your FreeBSD is vulnerable, it would only crash the file command and not open a shell on port 2003 as intended.
The test file is available as http://device.dyndns.org/badfile , I'd suggest RedHat users not try it :)

As requested :

MD5 (FILE-FREEBSD-STABLE-SYSLOG.PATCH) = 57b3b4236051ee1fb2d11978a8fec8b0
MD5 (FILE-FREEBSD-STABLE.PATCH) = 00360e2a756e09b9c2eb7730d769287a
MD5 (badfile) = 7193a290d03fa6bc446fb36cbef0febe

Test & patch process against one of my FreeBSD-STABLE boxes :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(TESTING)

bash-2.05b$ cd /tmp
bash-2.05b$ fetch http://device.dyndns.org/badfile
Receiving badfile (6304 bytes): 100%
6304 bytes transferred in 0.5 seconds (13.63 kBps)
bash-2.05b$ file badfile
Segmentation fault (core dumped)

(=> file looks like being vulnerable)

(PATCHING)

bash-2.05b$ fetch http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Receiving FILE-FREEBSD-STABLE-SYSLOG.PATCH (1137 bytes): 100%
1137 bytes transferred in 0.0 seconds (555.71 kBps)
bash-2.05b$ cd /usr
bash-2.05b$ patch -p0 < /tmp/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000
|+++ src/contrib/file/readelf.c.patched Thu Mar 13 14:13:12 2003
--------------------------
Patching file src/contrib/file/readelf.c using Plan A...
Hunk #1 succeeded at 10.
Hunk #2 succeeded at 102.
Hunk #3 succeeded at 145.
done
bash-2.05b$ cd src/usr.bin/file
bash-2.05b$ make
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -c /usr/src/usr.bin/file/../../contrib/file/readelf.c
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -o file file.o apprentice.o fsmagic.o softmagic.o ascmagic.o compress.o is_tar.o readelf.o print-hacked.o
Warning: Object directory not changed from original /usr/src/usr.bin/file
bash-2.05b$ su
Password:
su-2.05b# make install
install -s -o root -g wheel -m 555 file /usr/bin
install -o root -g wheel -m 444 magic magic.mgc /usr/src/usr.bin/file/../../contrib/file/magic.mime magic.mime.mgc /usr/share/misc
install -o root -g wheel -m 444 file.1.gz /usr/share/man/man1
install -o root -g wheel -m 444 magic.5.gz /usr/share/man/man5
su-2.05b# exit
exit

(TESTING again)

bash-2.05b$ cd /tmp
bash-2.05b$ file badfile
badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order, version 1 (SYSV)file: corrupted section header size.

(=> file no longer seems vulnerable)

bash-2.05b$ tail -1 /var/log/messages
Mar 13 14:27:25 wwwback file: file command buffer overflow attempt against user 501/501 ?

(if you used the syslog-able version)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Hope this will be helpful to some of you. Lemme know if anything needs further talk or whatever.

--
Guy
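The check behind the "corrupted section header size." message in the second test run, as an added illustration in C that is neither Guy's patch nor the file(1) source: a section-header reader that refuses to use the ELF header's e_shentsize as the byte count for a fixed-size header buffer, and a constructed 92-byte image to exercise it. The struct names, function names and the 0x1234 sample value are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Minimal ELF32 layouts (field order/widths as in <elf.h>, declared here so the
 * example is self-contained): sizeof(Ehdr32) == 52, sizeof(Shdr32) == 40. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr32;
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset,
             sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
} Shdr32;
enum { SH_OK = 0, SH_BAD_SIZE = -1, SH_TRUNCATED = -2 };
/* Copy section header `idx` of an in-memory ELF image into `out`. Bug: using the
 * file's e_shentsize as the byte count copied into a fixed-size header buffer.
 * Fix: reject e_shentsize != real header size (the patched file(1) reports this
 * as "corrupted section header size") and bounds-check the offset before copying. */
int read_shdr(const unsigned char *img, size_t len, int idx, Shdr32 *out)
{
    Ehdr32 eh;
    if (len < sizeof eh) return SH_TRUNCATED;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_shentsize != sizeof(Shdr32)) return SH_BAD_SIZE;      /* the fix */
    if (idx < 0 || idx >= eh.e_shnum) return SH_TRUNCATED;
    size_t off = (size_t)eh.e_shoff + (size_t)idx * sizeof(Shdr32);
    if (off > len || len - off < sizeof(Shdr32)) return SH_TRUNCATED;
    memcpy(out, img + off, sizeof(Shdr32));
    return SH_OK;
}
/* Constructed 92-byte image (header + one section header) whose e_shentsize is
 * whatever the caller asks for: 40 is honest, anything else is a bogus size. */
size_t make_image(unsigned char *buf, uint16_t shentsize)
{
    Ehdr32 eh; Shdr32 sh;
    memset(&eh, 0, sizeof eh); memset(&sh, 0, sizeof sh);
    memcpy(eh.e_ident, "\177ELF\1\1\1", 7);          /* magic, 32-bit, LSB, v1 */
    eh.e_type = 1; eh.e_machine = 3; eh.e_version = 1; eh.e_ehsize = sizeof eh;
    eh.e_shoff = sizeof eh; eh.e_shentsize = shentsize; eh.e_shnum = 1;
    sh.sh_type = 1; sh.sh_size = 0x1234;              /* sample value (assumed) */
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &sh, sizeof sh);
    return sizeof eh + sizeof sh;
}
/* Parse a constructed image, optionally truncated to len_limit bytes. */
int check_image(uint16_t shentsize, size_t len_limit)
{
    unsigned char img[128]; Shdr32 sh; size_t n = make_image(img, shentsize);
    return read_shdr(img, n < len_limit ? n : len_limit, 0, &sh);
}
```

An honest image parses, an oversized or zero e_shentsize is rejected before any copy, and an image cut short of its section header is reported as truncated rather than read past its end.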