Date: Thu, 13 Mar 2003 08:56:29 -0600
From: Stephen Hilton <nospam@hiltonbsd.com>
To: "Guy P." <guy@device.dyndns.org>
Cc: amavis-user@lists.sourceforge.net, freebsd-security@FreeBSD.ORG
Subject: Re: [AMaViS-user] ASA-2003-1: Locally Exploitable Buffer Overflow in file
Message-ID: <20030313085629.30a015a9.nospam@hiltonbsd.com>
In-Reply-To: <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org>
References: <20030312103456.GA8977@nmrc.ie> <20030311171324.GA6731@nmrc.ie> <20030312103456.GA8977@nmrc.ie> <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org>
On Thu, 13 Mar 2003 14:39:44 +0100 "Guy P." <guy@device.dyndns.org> wrote:

> At 19:21 12/03/2003, ian j hart wrote:
> [snip the original advisory]
> >FreeBSD:
> > Guy has posted an alternative patch to freebsd-security
> >
> >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34195+0+current/freebsd-security
> >
> >It's white-space broken, but otherwise seems okay.
> >
> >My question is, how do I test it? I'm not going to run something I don't
> >understand, so can we get a test script published with an MD5?
> >
> >--
> >ian j hart
>
> (Note : CCing to freebsd-security for letting them have the
> non-white-space-broken versions of the patches.)
>
> As I had a few questions about patching file for FreeBSD, lemme try to
> explain how I made the patch, tested it and how it can be used. Anybody
> feel free to correct me if I did/said something wrong.
>
> Hopefully the FreeBSD team will soon fix that in the STABLE sources
> (CURRENT was already fixed).
>
>
> I made that 'alternative' patch by diffing the official fixed file version
> from ftp://ftp.astron.com/pub/file against the current FreeBSD-STABLE
> sources and keeping the changes relevant to that security problem.
>
>
> I tried to fix the white space problem and made the patch available as
> http://device.dyndns.org/FILE-FREEBSD-STABLE.PATCH , sorry but I am not used
> to the code writing process under non-Windows OSes :]
> I also put there, for the paranoid kind, a version that will log what looks
> like attempts to exploit that vulnerability, as
> http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
>
>
> I tested it using a "carefully crafted" test file, built with the exploit
> released by "Crazy Einstein" (see
> http://marc.theaimsgroup.com/?l=bugtraq&m=104696992100353&w=2 ) and
> targeting RedHat 8.0 - thus if your FreeBSD is vulnerable, it would only
> crash the file command and not open a shell on port 2003 as intended. The
> test file is available as http://device.dyndns.org/badfile , I'd suggest
> RedHat users not to try it :)
>
> As requested :
> MD5 (FILE-FREEBSD-STABLE-SYSLOG.PATCH) = 57b3b4236051ee1fb2d11978a8fec8b0
> MD5 (FILE-FREEBSD-STABLE.PATCH) = 00360e2a756e09b9c2eb7730d769287a
> MD5 (badfile) = 7193a290d03fa6bc446fb36cbef0febe
>
>
> Test & patch process against one of my FreeBSD-STABLE boxes :
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> (TESTING)
> bash-2.05b$ cd /tmp
>
> bash-2.05b$ fetch http://device.dyndns.org/badfile
> Receiving badfile (6304 bytes): 100%
> 6304 bytes transferred in 0.5 seconds (13.63 kBps)
>
> bash-2.05b$ file badfile
> Segmentation fault (core dumped)
> (=> file looks like being vulnerable)
>
> (PATCHING)
> bash-2.05b$ fetch http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
> Receiving FILE-FREEBSD-STABLE-SYSLOG.PATCH (1137 bytes): 100%
> 1137 bytes transferred in 0.0 seconds (555.71 kBps)
>
> bash-2.05b$ cd /usr
>
> bash-2.05b$ patch -p0 < /tmp/FILE-FREEBSD-STABLE-SYSLOG.PATCH
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000
> |+++ src/contrib/file/readelf.c.patched Thu Mar 13 14:13:12 2003
> --------------------------
> Patching file src/contrib/file/readelf.c using Plan A...
> Hunk #1 succeeded at 10.
> Hunk #2 succeeded at 102.
> Hunk #3 succeeded at 145.
> done
>
> bash-2.05b$ cd src/usr.bin/file
>
> bash-2.05b$ make
> cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE
> -DHAVE_CONFIG_H -I/usr/src/usr.bin/file
> -I/usr/src/usr.bin/file/../../contrib/file -c
> /usr/src/usr.bin/file/../../contrib/file/readelf.c
> cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE
> -DHAVE_CONFIG_H -I/usr/src/usr.bin/file
> -I/usr/src/usr.bin/file/../../contrib/file -o file file.o apprentice.o
> fsmagic.o softmagic.o ascmagic.o compress.o is_tar.o readelf.o print-hacked.o
> Warning: Object directory not changed from original /usr/src/usr.bin/file
>
> bash-2.05b$ su
> Password:
>
> su-2.05b# make install
> install -s -o root -g wheel -m 555 file /usr/bin
> install -o root -g wheel -m 444 magic magic.mgc
> /usr/src/usr.bin/file/../../contrib/file/magic.mime magic.mime.mgc
> /usr/share/misc
> install -o root -g wheel -m 444 file.1.gz /usr/share/man/man1
> install -o root -g wheel -m 444 magic.5.gz /usr/share/man/man5
>
> su-2.05b# exit
> exit
>
> (TESTING again)
> bash-2.05b$ cd /tmp
>
> bash-2.05b$ file badfile
> badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order,
> version 1 (SYSV)file: corrupted section header size.
> (=> file no longer seems vulnerable)
>
> bash-2.05b$ tail -1 /var/log/messages
> Mar 13 14:27:25 wwwback file: file command buffer overflow attempt against
> user 501/501 ?
> (if you used the syslog-able version)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
> Hope this will be helpful to some of you. Lemme know if anything needs
> further talk or whatever.
Guy,

The patch works for me on:

daggar>$ uname -a
FreeBSD daggar.mynet.local 4.8-RC FreeBSD 4.8-RC #0: Wed Mar 12 14:11:55 CST 2003     root@daggar.mynet.local:/usr/obj/usr/src/sys/DAGGAR  i386

With system standard file installed:

daggar>$ file badfile
Segmentation fault (core dumped)
daggar>$

Now with patch applied and usr.bin/file rebuilt/installed

daggar>$ file badfile
badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order, version 1 (SYSV)file: corrupted section header size.
daggar>$

Thanks for working on this.

Regards,

Stephen Hilton
nospam@hiltonbsd.com
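The thread shows the symptom (a segfault on the crafted ELF before the patch, "corrupted section header size" after it) but not the check itself. The following is an added example of mine, not code from file(1), from Guy's patch or from anything posted above: a bounds-checked walk over ELF32 section headers that rejects an e_shentsize which does not equal the real Elf32_Shdr size, the condition the patched file(1) reports with that message. It assumes (my reading of the advisory, not something the thread states) that the pre-fix code trusted the file-supplied e_shentsize when copying each section header into a fixed-size Elf32_Shdr on the stack. Field offsets follow the ELF32 specification; the images it checks are constructed inline and are not the thread's badfile, whose bytes are not on this page.

```c
/* Added example: hardened ELF32 section-header walk (not file(1)'s code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF32_EHDR_SIZE 52          /* sizeof(Elf32_Ehdr) */
#define ELF32_SHDR_SIZE 40          /* sizeof(Elf32_Shdr) */
#define SHT_NOBITS      8

enum elf_check { ELF_OK = 0, ELF_NOT_ELF32, ELF_BAD_SHENTSIZE, ELF_BAD_SHOFF, ELF_BAD_SECTION };

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Validate the section header table of a little-endian ELF32 image in memory.
 * Returns an enum elf_check value and points *why at a short reason.
 * The unsafe pattern guarded against (assumption about the pre-fix code, not a
 * quote of readelf.c): trusting e_shentsize from the file and reading that
 * many bytes, up to 65535, into a 40-byte stack Elf32_Shdr. */
int check_section_headers(const unsigned char *buf, size_t len, const char **why)
{
    uint32_t shoff, shentsize, shnum, i;

    if (len < ELF32_EHDR_SIZE || memcmp(buf, "\177ELF", 4) != 0 ||
        buf[4] != 1 /* ELFCLASS32 */ || buf[5] != 1 /* ELFDATA2LSB */) {
        *why = "not a little-endian ELF32 file";
        return ELF_NOT_ELF32;
    }
    shoff     = le32(buf + 32);
    shentsize = le16(buf + 46);
    shnum     = le16(buf + 48);

    /* The check the fix adds: an entry must be exactly as large as the
     * structure it is copied into. */
    if (shentsize != ELF32_SHDR_SIZE) {
        *why = "corrupted section header size";
        return ELF_BAD_SHENTSIZE;
    }
    /* The whole table must lie inside the file; multiply in 64 bits. */
    if (shoff > len || (uint64_t)shnum * shentsize > (uint64_t)(len - shoff)) {
        *why = "section header table outside file";
        return ELF_BAD_SHOFF;
    }
    for (i = 0; i < shnum; i++) {
        unsigned char sh[ELF32_SHDR_SIZE];
        uint32_t type, off, size;

        /* Copy exactly sizeof sh, never a file-supplied length. */
        memcpy(sh, buf + shoff + (size_t)i * ELF32_SHDR_SIZE, sizeof sh);
        type = le32(sh + 4); off = le32(sh + 16); size = le32(sh + 20);
        if (type != SHT_NOBITS && (off > len || size > len - off)) {
            *why = "section contents outside file";
            return ELF_BAD_SECTION;
        }
    }
    *why = "ok";
    return ELF_OK;
}

/* Construct a minimal ELF32 relocatable image (header, two section headers,
 * four data bytes) with the caller's e_shentsize.  Returns the byte count, or
 * 0 if cap is too small.  Constructed sample data, not the thread's badfile. */
size_t build_sample_elf(unsigned char *out, size_t cap, uint16_t shentsize)
{
    size_t table = ELF32_EHDR_SIZE, data = table + 2 * ELF32_SHDR_SIZE, total = data + 4;
    unsigned char *sh1;

    if (cap < total) return 0;
    memset(out, 0, total);
    sh1 = out + table + ELF32_SHDR_SIZE;  /* section 1; section 0 stays SHN_UNDEF */
    memcpy(out, "\177ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;   /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    put16(out + 16, 1);                   /* ET_REL: relocatable, like the thread's badfile */
    put16(out + 18, 1);                   /* EM_M32: AT&T WE32100, as file(1) reported */
    put32(out + 20, 1);                   /* e_version */
    put32(out + 32, (uint32_t)table);     /* e_shoff */
    put16(out + 40, ELF32_EHDR_SIZE);     /* e_ehsize */
    put16(out + 46, shentsize);           /* e_shentsize: the field under test */
    put16(out + 48, 2);                   /* e_shnum */
    put32(sh1 + 4, 1);                    /* sh_type = SHT_PROGBITS */
    put32(sh1 + 16, (uint32_t)data);      /* sh_offset */
    put32(sh1 + 20, 4);                   /* sh_size */
    return total;
}

int main(void)
{
    unsigned char img[256];
    const char *why;
    size_t n;

    n = build_sample_elf(img, sizeof img, ELF32_SHDR_SIZE);
    printf("well-formed:   %d (%s)\n", check_section_headers(img, n, &why), why);
    n = build_sample_elf(img, sizeof img, 0x4000);   /* oversized entry size */
    printf("bad shentsize: %d (%s)\n", check_section_headers(img, n, &why), why);
    return 0;
}
```

The size check alone is what stops the stack overflow; the table-bounds and per-section checks are there because the same "trust a length from the file" mistake recurs further down any ELF walker, and a checker that stops at e_shentsize still reads out of bounds on a truncated file.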
