Simple Bugs and Vulnerabilities in Linux Distributions


Slide 1: Silvio Cesare, Deakin University

Slide 2: About me
- PhD student at Deakin University
  - Malware detection
  - Software theft detection
  - Automated vulnerability discovery
- Speaker at Ruxcon, Blackhat, CSW and academic conferences.
- This talk contains some Linux work done at university.

Slide 3: Outline
- C bugs
- Environment variable fuzzing bugs
- Inter-distribution bugs
- Embedded package bugs

Slide 4: memset
- void *memset(void *DST, int C, size_t length)
- Assigns every byte of a buffer a specific value.
- Zeroing a buffer is common.
- C and length are sometimes confused.
- memset(x, y, 0) is almost always a bug.
- Not very exploitable (except where sensitive data is left behind in the buffer).

Slide 5: memset results
- Scanned Debian, Fedora, and Owl.
- 27+ bug reports for Debian.
- 2 bugs in Owl.
- As a result, Debian is now incorporating a memset check in its automated testing system.

Slide 6: memset examples

    /* Initialize to 0 so that test_parse_c gives reliable results */
    memset (&Uni2, sizeof (Uni2), 0 );
    memset (&Uni3, sizeof (Uni2), 0 );

    /* only the paranoids survive */
    memset( list, sizeof( HListNode ), 0 );

  Sources: gnat-gps package in Debian; bibindex package in Debian.

Slide 7: NULL argv[0]
- argv[0] is the program name passed by the exec* family when executing a command on Unix.
- You can pass a NULL argv[0].
- Crashes programs that (mis)use argv[0].
- Unlikely to be exploitable.
- A non-NULL argv[0] should be enforced in the kernel.

Slide 8: NULL argv[0] results
- Tested against 2737 programs in Debian.
- 741 crashes.
- 27% crash rate.

Slide 9: Other C bugs
- Format string bugs
  - Grep pattern: printf(getenv|printf(argv
  - 1 format string bug in Debian (debug).
- gets
  - Use of this function is a bug.
  - 1 in Debian: debug, binutils, h8300-hms target.

Slide 10: Buffer overflows
- argv buffer overflows
  - Grep pattern: strcpy(.*argv|sprintf(.*argv|strcat(.*argv
  - Restricted to SUID/SGID programs.
  - Vulnerability in Debian xdigger (SGID games).
- getenv buffer overflows
  - So many overflows in non-privileged programs.
  - A future project is to submit bug reports for these.
- My PhD work uses static analysis on binaries to detect simple bugs.
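Slides 4, 9 and 10 all rest on the same idea: a handful of grep-style patterns over source finds the swapped-argument memset, the printf(getenv(...)) format string, gets() and the unbounded argv copies. The scanner below is an added example written for this page, not a tool from the talk or from the author's PhD work; it turns those patterns into checks, runs them over a constructed C sample (the two memset lines copy the shape of the gnat-gps/bibindex calls, the rest are made up) and reports line numbers. Everything in it is an assumption of the example, including the check names.

```python
import re
import sys

# Constructed sample C source for the example. The two memset lines copy the
# shape of the calls shown on the gnat-gps/bibindex slide; the other lines are
# made up to exercise each pattern once.
SAMPLE_C = r'''
memset (&Uni2, sizeof (Uni2), 0 );          /* length and fill value swapped */
memset (&Uni3, 0, sizeof (Uni3));           /* correct */
printf (getenv ("HOME"));                   /* attacker-controlled format string */
printf ("%s\n", getenv ("HOME"));           /* fine: fixed format */
gets (line);                                /* no bound at all */
strcpy (buf, argv[1]);                      /* unbounded copy of argv */
strncpy (buf, argv[1], sizeof buf - 1);     /* bounded */
'''

# Each check is (name, regex, explanation). The regexes are the grep-style
# patterns from the talk, tightened just enough to skip the obvious safe forms.
CHECKS = [
    ("memset-zero-length",
     re.compile(r"\bmemset\s*\([^;]*?,\s*0\s*\)"),
     "third argument is literal 0: length and fill value are probably swapped"),
    ("printf-format-from-env-or-argv",
     re.compile(r"\bprintf\s*\(\s*(?:getenv\s*\(|argv\s*\[)"),
     "format string comes straight from getenv() or argv"),
    ("gets",
     re.compile(r"\bgets\s*\("),
     "gets() cannot bound its input; use fgets()"),
    ("argv-unbounded-copy",
     re.compile(r"\b(?:strcpy|strcat|sprintf)\s*\([^;]*\bargv\s*\["),
     "unbounded copy of an argv string into a buffer"),
]


def scan_source(text):
    """Return [(line_number, check_name)] for every line that matches a check."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("/*", 1)[0]          # ignore trailing block comments
        for name, rx, _ in CHECKS:
            if rx.search(code):
                hits.append((lineno, name))
    return hits


def explain(check_name):
    """Look up the human-readable note for a check name."""
    return next(note for name, _, note in CHECKS if name == check_name)


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    targets = sys.argv[1:] or [None]
    for target in targets:
        hits = scan_source(SAMPLE_C) if target is None else scan_file(target)
        for lineno, name in hits:
            print(f"{target or '<sample>'}:{lineno}: {name}: {explain(name)}")
```

These are line-oriented heuristics, like the grep patterns they come from: a call split across lines is missed, and a memset whose length is a variable that happens to be zero is not caught. They are cheap enough to run over a whole distribution's source, which is the point of the slides, and the hits are small enough to triage by hand.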
Slide 11: Finding SUID/SGID programs
- Need to know which programs to audit?
- find / -type f \( -perm +2000 -o -perm +4000 \)
- Better: look at a package repository.
- Fedora is aiming to eliminate SUID.
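The find command on the slide is the whole method; the added example below is a Python equivalent written for this page (not from the talk) that walks a tree, keeps only regular files with the SUID or SGID bit, and labels each one. It builds a constructed three-file directory so it runs anywhere; pass a real root such as / to reproduce the inventory the next slide counts. File names and the demo tree are the example's own.

```python
import os
import stat
import sys
import tempfile


def find_setid(root):
    """Return the sorted paths of regular files under root with SUID or SGID set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)             # lstat: never follow symlinks
            except OSError:
                continue                        # vanished or unreadable; keep going
            if not stat.S_ISREG(st.st_mode):
                continue                        # symlinks and device nodes are not targets
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def describe(path):
    """Return 'suid', 'sgid' or 'suid+sgid' for a path from find_setid()."""
    mode = os.lstat(path).st_mode
    bits = [name for flag, name in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"))
            if mode & flag]
    return "+".join(bits)


def make_demo_tree():
    """Constructed directory for the example: one SUID, one SGID and one plain file."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    for name, mode in (("suid-tool", 0o4755), ("sgid-game", 0o2755), ("plain-tool", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)                    # setting the bits on your own file needs no root
    return root


if __name__ == "__main__":
    # Pass a root such as / to inventory a real system; default is the constructed tree.
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path in find_setid(root):
        print(f"{describe(path):9} {path}")
```

Two notes for anyone rerunning the slide's command today: GNU find dropped the -perm +MODE form (use -perm /MODE, or the portable -perm -4000 -o -perm -2000), and a filesystem inventory only tells you what is installed on one machine, which is why the slide prefers walking the package repository instead.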
Slide 12: SUID/SGID counts
- Debian
  - 298 SUID/SGID programs.
- Fedora
  - 368 SUID/SGID programs.
- Debian now uses my list on the security tracker.
- Fedora uses my list on the wiki.

Slide 13: Environment variable fuzzing
- Long environment variables can trigger buffer overflows.
- Attacker targets SUID/SGID programs.
- Local attack: set a hostile environment variable, then run the privileged program.
- Public fuzzing tools for 10+ years, e.g. sharefuzz.

Slide 14: Environment variable fuzzing results
- Fuzzed most SUID/SGID programs in Debian.
- A number of assertion failures.
- 3 segmentation faults.
  - 2 segfaults in SGID games programs.
  - 1 SUID root segfault: zhcon package (bug in libggi).
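Slides 13 and 14 describe the harness rather than show it: grow each environment variable, run the program, and watch for a fatal signal. The added example below is written for this page (it is not sharefuzz or the author's harness). Because a real setuid target cannot be shipped with the page, it fuzzes a constructed stand-in: a tiny Python program that delivers SIGSEGV to itself once TERM exceeds 1024 bytes, standing in for a fixed-size buffer filled from getenv("TERM"). The variable names, lengths and the stand-in are all assumptions of the example.

```python
import os
import signal
import subprocess
import sys
import tempfile

# Constructed stand-in target. It "crashes" (delivers SIGSEGV to itself) when
# TERM is longer than 1024 bytes, standing in for a setuid program that copies
# getenv("TERM") into a fixed-size buffer. It is not a program from the talk.
TARGET_SRC = """\
import os, signal
if len(os.environ.get("TERM", "")) > 1024:
    os.kill(os.getpid(), signal.SIGSEGV)
"""


def run_with_env(argv, name, value, timeout=10):
    """Run argv once with env[name] = value and classify the outcome."""
    env = dict(os.environ)
    env[name] = value
    try:
        proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"                       # hung: worth a look, but not a crash
    rc = proc.returncode
    if rc < 0:                                 # negative return code: killed by a signal
        try:
            return signal.Signals(-rc).name
        except ValueError:
            return f"SIG{-rc}"
    return f"exit:{rc}"


def fuzz_env(argv, names, lengths=(64, 256, 1024, 4096, 16384), filler="A"):
    """Grow each variable in turn; report the first length that kills or hangs the target."""
    findings = []
    for name in names:
        for n in lengths:
            outcome = run_with_env(argv, name, filler * n)
            if outcome == "timeout" or outcome.startswith("SIG"):
                findings.append((name, n, outcome))
                break                          # one report per variable is enough to triage
    return findings


def demo():
    """Fuzz the constructed target over two variables; only TERM should fail."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(TARGET_SRC)
        target = fh.name
    try:
        return fuzz_env([sys.executable, target], ["TERM", "HOME"])
    finally:
        os.unlink(target)


if __name__ == "__main__":
    for name, length, outcome in demo():
        print(f"{name}={length} bytes -> {outcome}")
```

Against a real list of setuid binaries you would replace the stand-in with each program from the SUID/SGID inventory and widen the variable list (TERM, HOME, LANG, DISPLAY and whatever strings the binary references). Varying one variable at a time costs more runs than setting them all at once, but the report then names the variable, which is what goes into the bug report.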
Slide 15: Inter-distribution bugs
- If package FOO in Fedora is vulnerable, then package FOO in Debian probably is too.
- If there is no advisory, the vulnerability might be untracked.
- Performed a one-time scan correlating Fedora and Debian advisories.
- 1 missing vulnerability in Debian
  - gnucash package.

Slide 16: Embedded packages
- Software often embeds libraries or other code.
- Classic example: the zlib compression library.
- If zlib is vulnerable, update the system library.
- In the embedded case, the update has to be done manually and the package rebuilt.

Slide 17: Finding embedded packages
- Many libraries have version strings that identify them.
- The manual approach is to grep for the signatures of vulnerable embedded packages.
- Bugs found scanning for libpng, bzip2, libtiff etc. signatures in Debian and Fedora.
- My PhD work replaces and automates this process.
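The "grep for version strings" method of slide 17 is concrete enough to show end to end. The added example below is written for this page, not taken from the talk or from the author's automated replacement: it searches raw file bytes for the banner strings zlib, libpng and bzip2 embed, extracts the version, and compares it against a minimum-fixed-version table. The regexes are written from the strings those libraries' version functions return and should be checked against the builds you care about; the sample blob is constructed, and the threshold table is an obvious placeholder standing in for the distribution's security tracker, not advisory data.

```python
import os
import re
import sys

# Regexes written from the version strings the libraries themselves embed
# (zlib's inflate/deflate copyright banners, libpng's "libpng version" text,
# bzip2's "<version>, <date>" string). Verify against the exact builds you scan.
SIGNATURES = {
    "zlib":   re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "bzip2":  re.compile(rb"(\d+\.\d+\.\d+), \d{1,2}-[A-Za-z]{3,4}-\d{4}"),
}

# Placeholder policy for the example: oldest version treated as fixed. Real
# thresholds come from the distribution's security tracker, not from here.
DEMO_MINIMUM = {"zlib": "1.2.5", "libpng": "1.4.3", "bzip2": "1.0.6"}

# Constructed blob standing in for a binary that embeds three libraries.
SAMPLE_BLOB = (b"\x7fELF\x00\x00garbage\x00"
               b"inflate 1.2.3 Copyright 1995-2005 Mark Adler\x00"
               b"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly\x00"
               b"libpng version 1.4.4 - June 26, 2010\x00"
               b"1.0.5, 10-Dec-2007\x00more garbage")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_blob(data, minimum):
    """Return sorted [(lib, version, vulnerable)] for each distinct embedded library found."""
    seen = set()
    for lib, rx in SIGNATURES.items():
        for match in rx.finditer(data):
            seen.add((lib, match.group(1).decode("ascii")))   # inflate+deflate collapse to one
    return [(lib, ver, parse_version(ver) < parse_version(minimum[lib]))
            for lib, ver in sorted(seen)]


def scan_tree(root, minimum):
    """Walk root and report embedded libraries found in every readable regular file."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for finding in scan_blob(data, minimum):
                report.append((path,) + finding)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = scan_tree(sys.argv[1], DEMO_MINIMUM)
    else:
        rows = [("<sample>",) + f for f in scan_blob(SAMPLE_BLOB, DEMO_MINIMUM)]
    for path, lib, ver, vuln in rows:
        status = f"below {DEMO_MINIMUM[lib]}, check advisories" if vuln else "ok"
        print(f"{path}: {lib} {ver}: {status}")
```

Scanning raw bytes rather than parsing ELF is deliberate: the banners live in .rodata whatever the object format, so the same pass works on shared objects, static binaries and archives. A hit only says which version was compiled in; whether that version is affected by a given advisory, and whether the vulnerable code path is reachable, still has to be checked before filing the bug, which is where the manual effort the slide mentions goes.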
Slide 18: Embedded package results
- 16 vulnerabilities in Debian.
- 15 vulnerabilities in Fedora.
- E.g. Fedora sepostgresql using a vulnerable fork of postgresql.
- Fedora to use my results on their wiki.

Slide 19: Conclusion
- For simple bug classes, given enough data you will find vulnerabilities.
- Linux vendors have patched these or are patching.
- Thanks for watching!