Date: Thu, 13 Mar 2003 14:39:44 +0100
From: "Guy P." <guy@device.dyndns.org>
To: amavis-user@lists.sourceforge.net
Cc: freebsd-security@freebsd.org
Subject: Re: [AMaViS-user] ASA-2003-1: Locally Exploitable Buffer Overflow in file
Message-ID: <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org>
In-Reply-To: <200303121821.05890.ianjhart@ntlworld.com>
References: <20030312103456.GA8977@nmrc.ie> <20030311171324.GA6731@nmrc.ie> <20030312103456.GA8977@nmrc.ie>
At 19:21 12/03/2003, ian j hart wrote:

[snip the original advisory]

>FreeBSD:
> Guy has posted an alternative patch to freebsd-security
>
>http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34195+0+current/freebsd-security
>
>It's white-space broken, but otherwise seems okay.
>
>My question is, how do I test it? I'm not going to run something I don't
>understand, so can we get a test script published with an MD5?
>
>--
>ian j hart

(Note: CCing to freebsd-security for letting them have the non-white-space-broken versions of the patches.)

As I had a few questions about patching file for FreeBSD, let me try to explain how I made the patch, tested it and how it can be used. Anybody feel free to correct me if I did/said something wrong. Hopefully the FreeBSD team will soon fix that in the STABLE sources (CURRENT was already fixed).

I made that 'alternative' patch by diffing the official fixed file version from ftp://ftp.astron.com/pub/file against the current FreeBSD-STABLE sources and keeping the changes relevant to that security problem. I tried to fix the white space problem and made the patch available as http://device.dyndns.org/FILE-FREEBSD-STABLE.PATCH ; sorry, but I am not used to the code writing process under non-Windows OSes :]

I also put there, for the paranoid kind, a version that will log what looks like attempts to exploit that vulnerability, as http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH

I tested it using a "carefully crafted" test file, built with the exploit released by "Crazy Einstein" (see http://marc.theaimsgroup.com/?l=bugtraq&m=104696992100353&w=2 ) and targeting RedHat 8.0 - thus if your FreeBSD is vulnerable, it would only crash the file command and not open a shell on port 2003 as intended.
The test file is available as http://device.dyndns.org/badfile ; I'd suggest RedHat users not to try it :)

As requested:

MD5 (FILE-FREEBSD-STABLE-SYSLOG.PATCH) = 57b3b4236051ee1fb2d11978a8fec8b0
MD5 (FILE-FREEBSD-STABLE.PATCH) = 00360e2a756e09b9c2eb7730d769287a
MD5 (badfile) = 7193a290d03fa6bc446fb36cbef0febe

Test & patch process against one of my FreeBSD-STABLE boxes:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(TESTING)

bash-2.05b$ cd /tmp
bash-2.05b$ fetch http://device.dyndns.org/badfile
Receiving badfile (6304 bytes): 100%
6304 bytes transferred in 0.5 seconds (13.63 kBps)
bash-2.05b$ file badfile
Segmentation fault (core dumped)

(=> file looks like being vulnerable)

(PATCHING)

bash-2.05b$ fetch http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Receiving FILE-FREEBSD-STABLE-SYSLOG.PATCH (1137 bytes): 100%
1137 bytes transferred in 0.0 seconds (555.71 kBps)
bash-2.05b$ cd /usr
bash-2.05b$ patch -p0 < /tmp/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000
|+++ src/contrib/file/readelf.c.patched Thu Mar 13 14:13:12 2003
--------------------------
Patching file src/contrib/file/readelf.c using Plan A...
Hunk #1 succeeded at 10.
Hunk #2 succeeded at 102.
Hunk #3 succeeded at 145.
done
bash-2.05b$ cd src/usr.bin/file
bash-2.05b$ make
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -c /usr/src/usr.bin/file/../../contrib/file/readelf.c
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -o file file.o apprentice.o fsmagic.o softmagic.o ascmagic.o compress.o is_tar.o readelf.o print-hacked.o
Warning: Object directory not changed from original /usr/src/usr.bin/file
bash-2.05b$ su
Password:
su-2.05b# make install
install -s -o root -g wheel -m 555 file /usr/bin
install -o root -g wheel -m 444 magic magic.mgc /usr/src/usr.bin/file/../../contrib/file/magic.mime magic.mime.mgc /usr/share/misc
install -o root -g wheel -m 444 file.1.gz /usr/share/man/man1
install -o root -g wheel -m 444 magic.5.gz /usr/share/man/man5
su-2.05b# exit
exit

(TESTING again)

bash-2.05b$ cd /tmp
bash-2.05b$ file badfile
badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order, version 1 (SYSV)file: corrupted section header size.

(=> file no longer seems vulnerable)

bash-2.05b$ tail -1 /var/log/messages
Mar 13 14:27:25 wwwback file: file command buffer overflow attempt against user 501/501 ?
(if you used the syslog-able version)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Hope this will be helpful to some of you. Let me know if anything needs further talk or whatever.

--
Guy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
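Editor's added example (not Guy's patch, not file(1)'s readelf.c, and not derived from badfile): the kind of pre-read check that produces a "corrupted section header size" rejection like the one the patched file prints above. It assumes, and this assumption is not stated anywhere in the message, that the defect is an ELF reader trusting e_shentsize from the ELF header as the number of bytes to copy into a fixed-size section-header structure; the hardened version below only accepts e_shentsize when it equals that structure's size (40 bytes for ELF32, 64 for ELF64). The sample headers are constructed in code, not taken from badfile. Everything else (function names, status codes, the EI_DATA handling) is the editor's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* e_ident indexes and values from the ELF specification */
#define EI_CLASS    4
#define EI_DATA     5
#define EI_VERSION  6
#define ELFCLASS32  1
#define ELFCLASS64  2
#define ELFDATA2LSB 1
#define ELFDATA2MSB 2

/* Fixed sizes of the on-disk structures (the same as sizeof(Elf32_Shdr) /
 * sizeof(Elf64_Shdr) in <elf.h>); a section-header read must be bounded by these. */
#define ELF32_EHDR_SIZE 52
#define ELF64_EHDR_SIZE 64
#define ELF32_SHDR_SIZE 40
#define ELF64_SHDR_SIZE 64

enum shdr_status {
    SHDR_OK = 0,
    SHDR_NOT_ELF,
    SHDR_TRUNCATED,
    SHDR_BAD_CLASS,
    SHDR_BAD_ORDER,
    SHDR_BAD_ENTSIZE
};

static uint16_t rd16(const uint8_t *p, int msb)
{
    return msb ? (uint16_t)((p[0] << 8) | p[1])
               : (uint16_t)((p[1] << 8) | p[0]);
}

/*
 * The pre-read check (assumed shape of the fix, see lead-in). The unsafe
 * pattern it replaces is: read(fd, &sh, e_shentsize) where sh is a fixed-size
 * Elf32_Shdr on the stack, so any e_shentsize larger than sizeof(sh) writes
 * past the end of sh. Here e_shentsize is accepted only when it equals the
 * structure size; on success it is returned through *entsize.
 */
enum shdr_status check_shentsize(const uint8_t *buf, size_t len, size_t *entsize)
{
    size_t ehsize, off, want;
    int msb;
    uint16_t got;

    if (len < 16 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return SHDR_NOT_ELF;

    switch (buf[EI_DATA]) {              /* decide the byte order before reading any field */
    case ELFDATA2LSB: msb = 0; break;
    case ELFDATA2MSB: msb = 1; break;
    default:          return SHDR_BAD_ORDER;
    }
    switch (buf[EI_CLASS]) {             /* e_shentsize sits at offset 46 (ELF32) or 58 (ELF64) */
    case ELFCLASS32: ehsize = ELF32_EHDR_SIZE; off = 46; want = ELF32_SHDR_SIZE; break;
    case ELFCLASS64: ehsize = ELF64_EHDR_SIZE; off = 58; want = ELF64_SHDR_SIZE; break;
    default:         return SHDR_BAD_CLASS;
    }
    if (len < ehsize)
        return SHDR_TRUNCATED;

    got = rd16(buf + off, msb);          /* e_shentsize, attacker-controlled */
    if (got != want)
        return SHDR_BAD_ENTSIZE;         /* the "corrupted section header size" case */
    *entsize = got;
    return SHDR_OK;
}

/* Constructed sample header (not a real file): magic, class, byte order,
 * version and e_shentsize set, everything else zero. Returns header length. */
size_t make_ehdr(uint8_t *out, int cls, int msb, uint16_t shentsize)
{
    size_t ehsize = (cls == ELFCLASS64) ? ELF64_EHDR_SIZE : ELF32_EHDR_SIZE;
    size_t off    = (cls == ELFCLASS64) ? 58 : 46;

    memset(out, 0, ehsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[EI_CLASS]   = (uint8_t)cls;
    out[EI_DATA]    = msb ? ELFDATA2MSB : ELFDATA2LSB;
    out[EI_VERSION] = 1;
    out[off]     = msb ? (uint8_t)(shentsize >> 8) : (uint8_t)(shentsize & 0xff);
    out[off + 1] = msb ? (uint8_t)(shentsize & 0xff) : (uint8_t)(shentsize >> 8);
    return ehsize;
}

int main(void)
{
    static const char *names[] = { "ok", "not ELF", "truncated", "bad class",
                                   "invalid byte order", "corrupted section header size" };
    uint8_t h[ELF64_EHDR_SIZE];
    size_t n, ent = 0;

    n = make_ehdr(h, ELFCLASS32, 0, ELF32_SHDR_SIZE);
    printf("sane 32-bit LSB header: %s\n", names[check_shentsize(h, n, &ent)]);

    /* an oversized e_shentsize: with the unsafe read this would overrun sh */
    n = make_ehdr(h, ELFCLASS32, 0, 6000);
    printf("e_shentsize=6000:       %s\n", names[check_shentsize(h, n, &ent)]);
    return 0;
}
```

One design choice differs from the file(1) output quoted above: that run reported "invalid byte order" and still went on to the section headers, whereas this check refuses to read any multi-byte field until EI_DATA is known to be valid, since a guessed byte order only makes the later size comparison less meaningful. The syslog-enabled patch's log line would correspond to the SHDR_BAD_ENTSIZE path here.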