From: Thomas Stromberg <tstromberg@rtci.com>
Date: Tue, 30 Nov 1999 18:14:50 -0500
To: freebsd-audit@freebsd.org
Subject: Where to start? Here's a few overflows.
Organization: Research Triangle Commerce, Inc.
Message-ID: <38445A6A.50245AF5@rtci.com>

About two weeks ago now I did a preliminary scan with a tool I've been developing (smashwidgets) of the FreeBSD suid applications. This was done as a precursor to 'certification' at our company of FreeBSD meeting all of our security requirements (we've got 5 FreeBSD servers in production right now, so it's in my best interest to see to the security). In any case, I found some problems in rdump/dump/systat. I reported all three to FreeBSD-security. The first two have been fixed in at least -CURRENT; I'm not so certain about the third (minor). However, when I saw the FreeBSD Auditing project announced, I was quite elated at the chance to give smashwidgets a spin on the entire system to help out. When I started, I ran into a few speedbumps with crashes in -CURRENT, but I may have gotten these straightened out thanks to Matthew Dillon. (PV's). Please note that most of these have little significance directly.
Unfortunately, I've been so busy playing with the smashwidgets toolset that I haven't had time to follow these up for validity or exploitability. Also, the smashwidgets kit can't be released until I can get work convinced to release it under a BSD license. I've improved it during the course of the tests; for instance, I just added some checks for STDIN overflows (normal, URL format, etc.). I'll re-run when I get a chance. The results below are from the first 206 programs that breakwidgets (part of smashwidgets) was run through. BTW, I think the #'s don't mean minimum, just a # the tester happened to crash it with. A nice collection of core files are at http://www.afterthought.org/freebsd/cores/ if you're bored. This roughly means that 10% of tested binaries have easily found overflows.

program        desc
--------------------------------------------------
*dump          overflow when giving it a partition to dump
               ex: dump -0 [A*1024] (msg?)
*rdump         overflow when giving it a partition to dump
               ex: rdump -0 [A*1024]
!dig           overflow in many arguments. No errors, but core.
               ex: dig -k [A*16000]
!dnsquery      overflow in any argument.
               ex: dnsquery [A*4000]
!doscmd        overflow in any argument.
               ex: doscmd [A*4000]
!ee            overflow in $NLSPATH. set NLSPATH to [A*32769]
!ed            overflow in any argument.
               ex: ed [A*40000]
!red           overflow in any argument.
               ex: ed [A*40000]
!dhclient      overflow in any argument.
               ex: dhclient [A*40000]
!natd          argument overflow.
               ex: natd -w [A*16384] blah
!startslip     argument overflow.
               ex: startslip -d [A*8192] -c [A*8192]
!Mail          overflow in $HOME, set HOME to [A*32769]
!apply         argument overflow.
               ex: apply blah [A*16384]
!mount_mfs     argument overflow
               ex: mount_mfs [A*8192] [A*8192]
!as            argument overflow
               ex: as [A*8192]
!awk           arg overflow, but only a SIG6.
               ex: awk -f [A*8192]
?banner        arg overflow. discussed in -CURRENT.
               ex: banner [A*8192]
!captoinfo     environment overflow, set TERMCAP to [A*32769]
!colldef       overflow in -I argument
               ex: colldef -I [A*8192]
!crunchgen     arg overflow
               ex: crunchgen [A*8192]
?systat        possible race condition in systat -n (and other gui modes).
               Happens when program is terminated sometimes. (could be
               libcurses?). Test script sent to security-officer.
               Trace as follows:

#0 0x280714c5 in wmove () from /usr/lib/libcurses.so.2
#1 0x804b916 in free ()
#2 0xbfbfdfdc in ?? ()
#3 0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
#4 0x2807130b in setterm () from /usr/lib/libcurses.so.2
#5 0x28071159 in setterm () from /usr/lib/libcurses.so.2
#6 0x28070759 in initscr () from /usr/lib/libcurses.so.2
#7 0x804b529 in free ()
#8 0x80499fd in free ()

* fixed in current
! not announced to my knowledge
? may be fixed, but was not when the test was done.

--
======================================================================
thomas r. stromberg                    smtp://tstromberg@rtci.com
assistant is manager / systems guru    http://thomas.stromberg.org
research triangle commerce, inc.       finger://thomas@stromberg.org
'om mani pedme hung'                   pots://1.919.380.9771:3210
================================================================[eof]=
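Nearly every entry in the table above has the same shape: an argv[] element or an environment value (HOME, TERMCAP, NLSPATH) longer than some fixed buffer makes the program dump core. The following is an added illustration written for this archive, not code from the post, from smashwidgets, or from any of the listed FreeBSD utilities. It shows the unbounded-copy pattern that produces such crashes next to a bounded version that rejects oversized input, and exercises the bounded version with the "[A*n]" filler the report uses. The buffer size NAMEBUF and the function names (unsafe_arg_len, copy_bounded, safe_arg_len, getenv_bounded, filler) are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() in the demo main */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, deliberately small fixed-buffer size for the illustration.
 * Real utilities typically use MAXPATHLEN or similar; the failure mode is
 * the same whatever the constant is. */
#define NAMEBUF 64

/* Before: the pattern the report's crashes point at. The argument is copied
 * into a fixed stack buffer with no length check, so any input of NAMEBUF
 * bytes or more writes past 'buf'. Calling this with such input is
 * undefined behaviour; the demo only ever passes it short input. */
int unsafe_arg_len(const char *arg)
{
    char buf[NAMEBUF];
    strcpy(buf, arg);                 /* unbounded copy: the overflow */
    return (int)strlen(buf);
}

/* After: bounded copy that refuses input which does not fit. Returns 0 on
 * success, -1 when 'src' plus its terminating NUL exceeds 'dstsize'. Never
 * writes past dst; on failure dst is left as an empty string. This is the
 * same contract as checking the return value of strlcpy(). */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened handler for the "<tool> <partition>" shape in the table: returns
 * the accepted length, or -1 for a missing or oversized argument, instead of
 * crashing on "[A*1024]". */
int safe_arg_len(const char *arg)
{
    char buf[NAMEBUF];
    if (arg == NULL || copy_bounded(buf, sizeof buf, arg) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Environment values are just as caller-controlled as argv[] for a set-uid
 * program (the ee, Mail and captoinfo entries). Returns 1 if the variable
 * was present and fit, 0 if absent, -1 if it was too long for 'dst'. */
int getenv_bounded(const char *name, char *dst, size_t dstsize)
{
    const char *v = getenv(name);
    if (v == NULL)
        return 0;
    return copy_bounded(dst, dstsize, v) == 0 ? 1 : -1;
}

/* Build the "[A*n]" filler the report uses so the bounded functions can be
 * exercised with the same shape of input. Caller frees the result. */
char *filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char out[NAMEBUF];
    char *big = filler(1024);       /* the [A*1024] case from the dump entry */
    if (big == NULL)
        return 1;
    printf("short arg  : %d\n", safe_arg_len("/dev/da0s1a"));           /* 11 */
    printf("[A*1024]   : %d\n", safe_arg_len(big));                     /* -1 */
    setenv("TERMCAP", big, 1);                                          /* captoinfo case */
    printf("TERMCAP    : %d\n", getenv_bounded("TERMCAP", out, sizeof out)); /* -1 */
    free(big);
    return 0;
}
```

The boundary worth remembering is `n >= dstsize`, not `n > dstsize`: the terminating NUL needs its own byte, so a 64-byte buffer holds at most 63 characters, and an off-by-one there is itself a one-byte overflow.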