Silvio,

Ok, thank you for your explanation. You're doing a very good job for the security team!

Silvio Cesare <[email protected]> wrote:

> The idea was to find buffer overflows in privileged programs in Debian that
> potentially allow for privilege escalation by a local user.
>
> I did this by building a list of all suid/sgid programs in Debian packages.
> I then tried using http://sharefuzz.sourceforge.net/ against those privileged
> executables. This tool attempts to test all the environment variables in a
> program by replacing the variables used with suitably long strings (eg, an
> 8K long string). If the program in question crashes when using these
> environment variables, then this might indicate a buffer overflow and may be
> potentially exploitable leading to privilege escalation. The way an
> attacker would use this would be to gain code execution by crafting the
> environment variable before executing the suid program. The malicious code
> execution would from an attacker's point of view run with the privileges of
> the suid/sgid binary.
>
> I did this testing on most of the suid/sgid (ie privileged) programs in
> Debian and found 3 programs exited with a SIGSEGV indicating that at a
> minimum it was an abnormal exit and quite possibly a buffer overflow. I
> reported these crashes to the package maintainers but left it to them to
> determine the consequences and exploitability. 2 of the crashes were sgid
> games which is quite a low level of increased privilege, but one of the
> crashes was suid root. These packages are all non default, so again the
> impact of any vulnerability is reduced.
>
> This kind of testing is good for Debian security and provides some comfort
> to me at least knowing this class of vulnerability has been tested for
> against the privileged programs in the Debian repository.
>
> I also started doing this kind of testing against regular packages in
> Debian, but I do not think it is relevant to the security list and has much
> lesser value in general, even though it would be nice to say that programs
> don't crash when we arbitrarily change the environment.
>
> --
> Silvio Cesare
>
> On Tue, Jan 18, 2011 at 9:50 PM, Kees de Jong <[email protected]> wrote:
>
>> Sorry Silvio,
>>
>> I don't quite follow your endeavor. Could you enlighten me (us) a bit more?
>> Why are you doing this? And what benefit does this information serve us?
>>
>> --
>> Kind regards,
>> Kees de Jong
>>
>> The information contained in this message may be confidential and is
>> intended to be exclusively for the addressee(s).
>> Should you receive this message unintentionally, please do not use the
>> contents herein and notify the sender immediately by return e-mail.
>>
>> On Tue, Jan 18, 2011 at 03:49, Silvio Cesare <[email protected]> wrote:
>>
>>> I environment-variable fuzzed the Debian 5.05 repository consisting of the
>>> following binaries:
>>>
>>> https://github.com/silviocesare/Automated-Audits/blob/master/Debian5.05/EnvironmentVariableFuzzing/05-01-2011/PrivilegedProgramList
>>>
>>> This is roughly most but not quite all SUID/SGID programs in Debian. There
>>> were some package conflicts which meant I didn't get complete automated
>>> coverage of the repository.
>>>
>>> I used the public sharefuzz tool which tries using long environment
>>> variables to trigger buffer overflows. I had three crashes and reported bugs
>>> for each:
>>>
>>> toppler http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608979
>>> lbreakout2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980
>>> zhcon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608981
>>>
>>> Any followup comments should CC me.
>>>
>>> --
>>> Silvio Cesare
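An audit harness of the kind the thread describes, added here as an example (it is neither sharefuzz nor Silvio's code): it builds the suid/sgid program list, runs each binary with one oversized environment variable at a time, and reports which variable produced a fatal signal, which is the "crash means abnormal exit and possibly a buffer overflow" finding the maintainers then triage. It assumes the variables are placed directly in the child's environment rather than hooked at getenv() as sharefuzz does, and the MOCK_* targets are constructed stand-ins so the harness can be checked without touching a privileged binary.

```python
import os
import signal
import stat
import subprocess
import sys

# Variables most programs read at startup (constructed list; sharefuzz covers many more).
DEFAULT_VARS = ["HOME", "PATH", "TERM", "LANG", "LC_ALL", "DISPLAY", "SHELL", "USER"]
# SIGABRT counts too: glibc's stack protector and FORTIFY_SOURCE abort on a detected overflow.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGILL, signal.SIGABRT}

def is_privileged(path):
    """True for a regular file with the setuid or setgid bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))

def find_privileged(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/games")):
    """Build the suid/sgid program list for the given directory trees."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.extend(p for p in (os.path.join(dirpath, f) for f in files) if is_privileged(p))
    return sorted(found)

def run_once(argv, var, payload_len, timeout=10):
    """Run argv with one oversized variable; return the fatal signal name or None."""
    env = dict(os.environ, **{var: "A" * payload_len})
    try:
        proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None  # a hang is a separate finding, not a crash
    killed_by = -proc.returncode  # death by signal is reported as a negative return code
    return signal.Signals(killed_by).name if killed_by in CRASH_SIGNALS else None

def fuzz_binary(argv, var_names=DEFAULT_VARS, payload_len=8192):
    """Return [(var, signal_name)] for every variable whose 8K value kills argv."""
    return [(v, s) for v in var_names for s in [run_once(argv, v, payload_len)] if s]

# Constructed stand-ins so the harness can be checked without a privileged binary.
MOCK_OK = [sys.executable, "-c", "import os; os.environ.get('HOME')"]
MOCK_VULNERABLE = [sys.executable, "-c", "import os, signal; "
                   "len(os.environ.get('HOME', '')) > 4096 and os.kill(os.getpid(), signal.SIGSEGV)"]
if __name__ == "__main__":
    for binary in find_privileged():
        for var, sig in fuzz_binary([binary]):
            print(f"{binary}: {sig} with an oversized {var}")
```

Each reported (binary, variable, signal) triple is a bug report for the package maintainer, exactly as in the thread; whether it is exploitable is a separate question for them.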

