Simple Bugs and Vulnerabilities in Linux Distributions
Published in: Technology
Transcript

  • 1. Silvio Cesare <silvio.cesare@gmail.com>, Deakin University
  • 2.
    • PhD student at Deakin University
      • Malware detection
      • Software theft detection
      • Automated vulnerability discovery
    • Speaker at Ruxcon, Blackhat, CSW and academic conferences.
    • This talk contains some Linux work done at university.
  • 3.
    • C Bugs
    • Environment Variable Fuzzing Bugs
    • Inter-Distribution Bugs
    • Embedded Packages Bugs
  • 4.
    • void *memset(void *DST, int C, size_t length)
    • Assign buffer contents to a specific value.
    • Zeroing a buffer is common.
    • The C (fill value) and length arguments are sometimes swapped.
    • memset(x,y,0) is almost always a bug.
    • Rarely exploitable (except where sensitive data is left unzeroed).
  • 5.
    • Scanned Debian, Fedora, and Owl.
    • 27+ bug reports for Debian.
    • 2 bugs in Owl.
    • As a result, Debian is now incorporating a memset check in its automated testing system.
  • 6. Examples from the gnat-gps and bibindex packages in Debian:
        /* Initialize to 0 so that test_parse_c gives reliable results */
        memset (&Uni2, sizeof (Uni2), 0 );
        memset (&Uni3, sizeof (Uni2), 0 );
        /* only the paranoids survive */
        memset( list, sizeof( HListNode ), 0 );
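The memset check from slides 4 to 6, written out as a small source scanner. This is an added example, not code from the talk or from the Automated-Audits repository; the sizeof-in-fill-value rule is a small generalisation of the slide's memset(x,y,0) pattern, and the sample input is constructed from the slide 6 lines plus one correct call.

```python
"""Flag memset() calls whose value and length look swapped, e.g. memset(x, y, 0).
Added example, not code from the talk or its Automated-Audits repository."""
import re
MEMSET_CALL = re.compile(r"\bmemset\s*\(")

def split_call_args(src, open_paren):
    """Top-level arguments of the call whose '(' is at src[open_paren] (nested
    parentheses stay intact); None if the call is unterminated."""
    depth, args, cur = 0, [], []
    for ch in src[open_paren:]:
        if ch == "(":
            depth += 1
            if depth == 1:
                continue                  # skip the call's own '('
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None

def find_memset_bugs(src):
    """Return [(line_no, reason)] per suspicious memset call in C source.
    Rule 1 is the slide's pattern (length argument is a literal zero)."""
    findings = []
    for m in MEMSET_CALL.finditer(src):
        args = split_call_args(src, m.end() - 1)
        if args is None or len(args) != 3:
            continue
        value, length = args[1], args[2]
        line_no = src.count("\n", 0, m.start()) + 1
        if length in ("0", "0L", "0U", "'\\0'"):
            findings.append((line_no, "length argument is literal zero"))
        elif "sizeof" in value:   # rule 2, a generalisation: a size as fill value
            findings.append((line_no, "sizeof() used as the fill value"))
    return findings

# Constructed sample: the slide 6 lines plus one correctly ordered call.
SAMPLE_C = """\
/* Initialize to 0 so that test_parse_c gives reliable results */
memset (&Uni2, sizeof (Uni2), 0 );
memset (&Uni3, sizeof (Uni2), 0 );
/* only the paranoids survive */
memset( list, sizeof( HListNode ), 0 );
memset(&ok, 0, sizeof ok);   /* correct argument order: not reported */
"""
```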
  • 7.
    • argv[0] is the program name passed by exec* to execute a command in Unix.
    • You can pass a NULL argv[0].
    • Crashes programs that (mis)use argv[0].
    • Unlikely to be exploitable.
    • A non-null argv[0] should be enforced in the kernel.
  • 8.
    • Tested 2737 programs in Debian.
    • 741 crashed.
    • 27% crash rate.
  • 9.
    • Format String Bugs
      • Grep pattern: printf(getenv|printf(argv
      • 1 format string bug in Debian (debug).
    • gets
      • Use of this function is a bug.
      • 1 in Debian debug binutils h8300-hms target.
  • 10.
    • argv buffer overflows
      • Grep pattern: strcpy(.*argv|sprintf(.*argv|strcat(.*argv
      • Restricted to SUID/SGID programs.
      • Vulnerability in Debian xdigger SGID games.
    • getenv buffer overflows
      • So many overflows in non-privileged programs.
      • A future project is to submit bug reports for these.
    • My PhD work uses static analysis on binaries to detect simple bugs.
  • 11.
    • Need to know which programs to audit?
    • find / -type f \( -perm -2000 -o -perm -4000 \)
    • Better: look at a package repository.
    • Fedora is aiming to eliminate SUID.
  • 12.
    • Debian
      • 298 SUID/SGID programs.
    • Fedora
      • 368 SUID/SGID programs
    • Debian now using my list on the security tracker.
    • Fedora using my list on the wiki.
  • 13.
    • Long env variables can trigger buffer overflows.
    • Attacker targets SUID/SGID programs.
    • Local attack: set a hostile env variable, then run the privileged program.
    • Public fuzzing tools for 10+ years, e.g. sharefuzz.
  • 14.
    • Fuzzed most SUID/SGID programs in Debian.
    • A number of assertion failures.
    • 3 segmentation faults.
    • 2 segv in SGID games programs.
    • 1 SUID root segv
      • zhcon package (bug in libggi).
  • 15.
    • If package FOO in Fedora is vulnerable,
    • then package FOO in Debian is probably vulnerable too.
    • If no advisory, then it might be untracked.
    • Performed one time scan correlating Fedora and Debian advisories.
    • 1 missing vulnerability in Debian
      • gnucash package.
  • 16.
    • Software often embeds libraries or other code.
    • Classic example zlib compression library.
    • If zlib is vulnerable, update the system library.
    • In embedded case, update needs to be done manually and package rebuilt.
  • 17.
    • Many libraries have version strings that identify them.
    • Manual approach is to grep for vulnerable embedded package signatures.
    • Bugs found scanning for libpng, bzip2, libtiff, etc. signatures in Debian and Fedora.
    • My PhD work replaces and automates this process.
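A scanner for the version-string approach on slides 16 and 17, added here as an example (not the talk's or the Automated-Audits repository's code). The signature regexes, the sample blob and the minimum versions are assumptions: the patterns are modelled on the shape of each library's own version string, and the floors are placeholders to be taken from the relevant advisories.

```python
"""Find embedded copies of common libraries in a binary by their version strings
and report copies older than a caller-supplied minimum version.
Added example, not code from the talk or its Automated-Audits repository."""
import re

# Library -> regex capturing the dotted version. The patterns are assumptions
# modelled on each library's own version string; verify them on a known build.
SIGNATURES = {
    "zlib":   re.compile(rb"deflate (\d+\.\d+(?:\.\d+)?) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "bzip2":  re.compile(rb"(\d+\.\d+\.\d+), \d{1,2}-[A-Za-z]{3,4}-\d{4}"),
}

def parse_version(text):
    """'1.2' -> (1, 2, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_embedded(blob):
    """Return {library: sorted list of version tuples found in blob}."""
    found = {}
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            found.setdefault(name, set()).add(parse_version(m.group(1).decode()))
    return {name: sorted(versions) for name, versions in found.items()}

def outdated(blob, minimum):
    """Return [(library, 'x.y.z')] for embedded copies older than minimum[library].
    Libraries without an entry in minimum are skipped."""
    hits = []
    for name, versions in find_embedded(blob).items():
        if name not in minimum:
            continue
        floor = parse_version(minimum[name])
        hits += [(name, ".".join(map(str, v))) for v in versions if v < floor]
    return hits

# Constructed sample: .rodata fragments of an imaginary binary bundling zlib
# and bzip2. The version strings are shaped like the real ones.
SAMPLE_BLOB = (
    b"\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
    b"\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
    b"\x001.0.5, 10-Dec-2007\x00unrelated string 9.9.9\x00"
)

if __name__ == "__main__":
    # Placeholder floors; take the real values from your vendor's advisories.
    print(outdated(SAMPLE_BLOB, {"zlib": "1.2.8", "bzip2": "1.0.6"}))
```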
  • 18.
    • 16 vulnerabilities in Debian
    • 15 vulnerabilities in Fedora
    • E.g., Fedora sepostgresql using a vulnerable fork of postgresql.
    • Fedora to use my results on their wiki.
  • 19.
    • For simple bug classes, given enough data you will find vulnerabilities.
    • Linux vendors have patched these or are patching.
    • http://github.com/silviocesare/Automated-Audits
    • Thanks for watching!
