Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Simple Bugs and Vulnerabilities in Linux Distributions


Published on

Published in: Technology
  • Be the first to comment

Simple Bugs and Vulnerabilities in Linux Distributions

  1. 1. Silvio Cesare <> Deakin University
  2. 2. <ul><li>PhD student at Deakin University </li></ul><ul><ul><li>Malware detection </li></ul></ul><ul><ul><li>Software theft detection </li></ul></ul><ul><ul><li>Automated vulnerability discovery </li></ul></ul><ul><li>Speaker at Ruxcon, Blackhat, CSW and academic conferences. </li></ul><ul><li>This talk contains some Linux work done at university. </li></ul>
  3. 3. <ul><li>C Bugs </li></ul><ul><li>Environment Variable Fuzzing Bugs </li></ul><ul><li>Inter-Distribution Bugs </li></ul><ul><li>Embedded Packages Bugs </li></ul>
  4. 4. <ul><li>void *memset(void *DST, int C, size_t length) </li></ul><ul><li>Assign buffer contents to a specific value. </li></ul><ul><li>Zeroing a buffer is common. </li></ul><ul><li>C and length are sometimes confused. </li></ul><ul><li>memset(x,y,0) is almost always a bug. </li></ul><ul><li>Not very exploitable (except sensitive data). </li></ul>
  5. 5. <ul><li>Scanned Debian, Fedora, and Owl. </li></ul><ul><li>27+ bug reports for Debian. </li></ul><ul><li>2 bugs in Owl. </li></ul><ul><li>As a result, Debian now incorporating a memset check in their automated testing system. </li></ul>
  6. 6. /* Initialize to 0 so that test_parse_c gives reliable results */ memset (&Uni2, sizeof (Uni2), 0 ); memset (&Uni3, sizeof (Uni2), 0 ); /* only the paranoids survive */ memset( list, sizeof( HListNode ), 0 ); gnat-gps package in Debian bibindex package in Debian
  7. 7. <ul><li>argv[0] is the program name passed by exec* to execute a command in Unix. </li></ul><ul><li>You can pass a NULL argv[0]. </li></ul><ul><li>Crashes programs that (mis)use argv[0]. </li></ul><ul><li>Unlikely to be exploitable. </li></ul><ul><li>A non null argv[0] should be enforced in the kernel. </li></ul>
  8. 8. <ul><li>In Debian using 2737 programs. </li></ul><ul><li>741 crashes. </li></ul><ul><li>27% crash. </li></ul>
  9. 9. <ul><li>Format String Bugs </li></ul><ul><ul><li>printf(getenv|printf(argv </li></ul></ul><ul><ul><li>1 format string bug in Debian (debug). </li></ul></ul><ul><li>gets </li></ul><ul><ul><li>Use of this function is a bug. </li></ul></ul><ul><ul><li>1 in Debian debug binutils h8300-hms target. </li></ul></ul>
  10. 10. <ul><li>argv buffer overflows </li></ul><ul><ul><li>strcpy(.*argv|sprintf(.*argv|strcat(.*argv </li></ul></ul><ul><ul><li>Restricted to SUID/SGID programs. </li></ul></ul><ul><ul><li>Vulnerability in Debian xdigger SGID games. </li></ul></ul><ul><li>getenv buffer overflows </li></ul><ul><ul><li>So many overflows in non privileged programs. </li></ul></ul><ul><ul><li>A future project is to submit bug reports for these. </li></ul></ul><ul><li>My PhD work use static analysis on binaries to detect simple bugs. </li></ul>
  11. 11. <ul><li>Need to know which programs to audit? </li></ul><ul><li>find / -type f ( -perm +2000 –o –perm +4000 ) </li></ul><ul><li>Better -> look at a package repository. </li></ul><ul><li>Fedora is aiming to eliminate SUID. </li></ul>
  12. 12. <ul><li>Debian </li></ul><ul><ul><li>298 SUID/SGID programs. </li></ul></ul><ul><li>Fedora </li></ul><ul><ul><li>368 SUID/SGID programs </li></ul></ul><ul><li>Debian now using my list on the security tracker. </li></ul><ul><li>Fedora using my list on the wiki. </li></ul>
  13. 13. <ul><li>Long env variables can trigger buffer overflows. </li></ul><ul><li>Attacker targets SUID/SGID programs. </li></ul><ul><li>Local attack – set hostile env variable, then run privileged program. </li></ul><ul><li>Public fuzzing tools for 10+ years, eg sharefuzz. </li></ul>
  14. 14. <ul><li>Fuzzed most SUID/SGID programs in Debian. </li></ul><ul><li>A number of assertion failures. </li></ul><ul><li>3 segmentation faults. </li></ul><ul><li>2 segv in SGID games programs. </li></ul><ul><li>1 SUID root segv </li></ul><ul><ul><li>zhcon package (bug in libggi). </li></ul></ul>
  15. 15. <ul><li>If package FOO in Fedora vuln, </li></ul><ul><li>then package FOO in Debian probably vuln. </li></ul><ul><li>If no advisory, then it might be untracked. </li></ul><ul><li>Performed one time scan correlating Fedora and Debian advisories. </li></ul><ul><li>1 missing vulnerability in Debian </li></ul><ul><ul><li>gnucash package. </li></ul></ul>
  16. 16. <ul><li>Software often embeds libraries or other code. </li></ul><ul><li>Classic example zlib compression library. </li></ul><ul><li>If zlib is vuln, update system library.. </li></ul><ul><li>In embedded case, update needs to be done manually and package rebuilt. </li></ul>
  17. 17. <ul><li>Many libraries have version strings that identify them. </li></ul><ul><li>Manual approach is to grep for vulnerable embedded package signatures. </li></ul><ul><li>Bugs found scanning for libpng, bzip2, libtiff etc signatures in Debian and Fedora. </li></ul><ul><li>My PhD work replaces and automates this process. </li></ul>
  18. 18. <ul><li>16 vulnerabilities in Debian </li></ul><ul><li>15 vulnerabilities in Fedora </li></ul><ul><li>Eg, Fedora sepostgresql using a vulnerable fork of postgresql. </li></ul><ul><li>Fedora to use my results on their wiki. </li></ul>
  19. 19. <ul><li>For simple bug classes, given enough data you will find vulnerabilities. </li></ul><ul><li>Linux vendors have patched these or are patching. </li></ul><ul><li> </li></ul><ul><li>Thanks for watching! </li></ul>