Simple Bugs and Vulnerabilities in Linux Distributions

Silvio Cesare <silvio.cesare@gmail.com> Deakin University

PhD student at Deakin University
Malware detection
Software theft detection
Automated vulnerability discovery
Speaker at Ruxcon, Blackhat, CSW and academic conferences.
This talk contains some Linux work done at university.

C Bugs
Environment Variable Fuzzing Bugs
Inter-Distribution Bugs
Embedded Packages Bugs

void *memset(void *DST, int C, size_t length)
Assign buffer contents to a specific value.
Zeroing a buffer is common.
C and length are sometimes confused.
memset(x,y,0) is almost always a bug.
Not very exploitable (except sensitive data).

Scanned Debian, Fedora, and Owl.
27+ bug reports for Debian.
2 bugs in Owl.
As a result, Debian now incorporating a memset check in their automated testing system.

/* Initialize to 0 so that test_parse_c gives reliable results */ memset (&Uni2, sizeof (Uni2), 0 ); memset (&Uni3, sizeof (Uni2), 0 ); /* only the paranoids survive */ memset( list, sizeof( HListNode ), 0 ); gnat-gps package in Debian bibindex package in Debian

argv[0] is the program name passed by exec* to execute a command in Unix.
You can pass a NULL argv[0].
Crashes programs that (mis)use argv[0].
Unlikely to be exploitable.
A non null argv[0] should be enforced in the kernel.

In Debian using 2737 programs.
741 crashes.
27% crash.

Format String Bugs
printf(getenv|printf(argv
1 format string bug in Debian (debug).
gets
Use of this function is a bug.
1 in Debian debug binutils h8300-hms target.

argv buffer overflows
strcpy(.*argv|sprintf(.*argv|strcat(.*argv
Restricted to SUID/SGID programs.
Vulnerability in Debian xdigger SGID games.
getenv buffer overflows
So many overflows in non privileged programs.
A future project is to submit bug reports for these.
My PhD work use static analysis on binaries to detect simple bugs.

Need to know which programs to audit?
find / -type f ( -perm +2000 –o –perm +4000 )
Better -> look at a package repository.
Fedora is aiming to eliminate SUID.

Debian
298 SUID/SGID programs.
Fedora
368 SUID/SGID programs
Debian now using my list on the security tracker.
Fedora using my list on the wiki.

Long env variables can trigger buffer overflows.
Attacker targets SUID/SGID programs.
Local attack – set hostile env variable, then run privileged program.
Public fuzzing tools for 10+ years, eg sharefuzz.

Fuzzed most SUID/SGID programs in Debian.
A number of assertion failures.
3 segmentation faults.
2 segv in SGID games programs.
1 SUID root segv
zhcon package (bug in libggi).

If package FOO in Fedora vuln,
then package FOO in Debian probably vuln.
If no advisory, then it might be untracked.
Performed one time scan correlating Fedora and Debian advisories.
1 missing vulnerability in Debian
gnucash package.

Software often embeds libraries or other code.
Classic example zlib compression library.
If zlib is vuln, update system library..
In embedded case, update needs to be done manually and package rebuilt.

Many libraries have version strings that identify them.
Manual approach is to grep for vulnerable embedded package signatures.
Bugs found scanning for libpng, bzip2, libtiff etc signatures in Debian and Fedora.
My PhD work replaces and automates this process.

16 vulnerabilities in Debian
15 vulnerabilities in Fedora
Eg, Fedora sepostgresql using a vulnerable fork of postgresql.
Fedora to use my results on their wiki.

For simple bug classes, given enough data you will find vulnerabilities.
Linux vendors have patched these or are patching.
http://github.com/silviocesare/Automated-Audits
Thanks for watching!

http://foocodechu.com	56
http://www.foocodechu.com	8
http://twitter.com	2

Simple Bugs and Vulnerabilities in Linux Distributions

by Silvio Cesare on Mar 25, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 66

Statistics

Simple Bugs and Vulnerabilities in Linux Distributions — Presentation Transcript