Re: [Debian-audit] Welcome to me :)

From: Steve Kemp <steve_at_shellcode.org>
Date: Wed, 2 Jun 2004 19:25:57 +0100

On Wed, Jun 02, 2004 at 04:45:42PM +0200, Ulf Härnhammar wrote:

> What's up with your and other people's auditing?

  Like you I'm working on a couple of things, mostly the things
 I've been looking at are "public", so I will name names.

  If you wade your way through this huge thread (which I started
 a *long* time ago) you will see that angband is vulnerable to
 a getenv() overflow.

  The thread is here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=goB7.6UT.1%40gated-at.bofh.it&rnum=38&prev=/groups%3Fq%3Ddebian%2Bsecurity%2Baudit%2Bkemp%26start%3D30%26hl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3DgoB7.6UT.1%2540gated-at.bofh.it%26rnum%3D38

  (That will almost certainly wrap).

  Exploitation is trivial:

        env-overflow /usr/games/angband 1084 ANGBAND_PATH

  Where env-overflow comes from:

        http://shellcode.org/Exploit/generic.html

  Also I've been fighting with ktalkd for a week or two, and almost
 have something worthy of report.

  I want to look over angband more before I report it as it seems to
 have some "interesting" code which I need to strace more. One thing
 that I've been looking at more recently is runtime instrumentation via
 LD_PRELOAD hacks, just to see what arguments are passed to different
 functions.

  Clearly this suffers from the problem of code coverage, but it's
 another thing to look into.

> I haven't done much for the project lately. There's some stuff that looks
> promising (=vulnerable), but which needs more time. Some false alarms as well
> (code with format string bugs which never gets executed for whatever reason).

  One thing that I have been dabbling with is updating some of the
 source code scanners to make them invoke 'cpp' first, so that we
 only examine code which isn't 'ifdef'd out. This does have its
 flaws as it means that some platforms which Debian supports might
 not be examined if my host platform (x86) isn't vulnerable.

  Interesting thing to do anyway..

> I suppose I shouldn't give any details like program names here, as we're a
> responsible full disclosure project. (Perhaps the web pages should have some
> info about that, Steve?)

  I will add a section, in general I support responsible disclosure,
 and whilst that's the kind of thing that I'd like to see given the
 nature of the Debian project I'm not averse to it when it comes to
 closed source code.

  It's a tricky thing to explain succinctly, I shall try my best.

Steve

--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
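An added example, not code from angband or from anyone in this thread, of the getenv() copy pattern behind an environment-variable overflow like the one described above, beside a bounded replacement; the function names and the 256-byte buffer are assumptions for illustration, and the 1084-byte value is only a constructed sample sized after the command line in the thread.

```c
/* Added example, not angband's code: the unsafe getenv()+strcpy()
 * pattern and a bounded replacement.  Buffer size and names are
 * hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* hypothetical fixed-size path buffer */

/* Unsafe pattern: on a setgid/setuid game the environment is under the
 * caller's control, and strcpy() trusts its length.  Kept only for
 * comparison; nothing in this file calls it. */
void unsafe_load_path(char *dst) {
    const char *p = getenv("ANGBAND_PATH");
    if (p != NULL)
        strcpy(dst, p);          /* writes past dst when strlen(p) >= PATH_BUF */
}

/* Hardened replacement: bounded copy with explicit failure reporting.
 * Returns 0 on success, -1 if the variable is unset, -2 if the value
 * does not fit in dst (dst is then left untouched). */
int safe_load_path(const char *name, char *dst, size_t dstlen) {
    const char *p = getenv(name);
    if (p == NULL)
        return -1;
    size_t n = strlen(p);
    if (n >= dstlen)             /* no room for the terminating NUL */
        return -2;
    memcpy(dst, p, n + 1);       /* copies the NUL as well */
    return 0;
}

/* Sets ANGBAND_PATH to a constructed value of `len` 'A' characters and
 * returns what safe_load_path() makes of it. */
int try_len(size_t len) {
    char *v = malloc(len + 1);
    memset(v, 'A', len);
    v[len] = '\0';
    setenv("ANGBAND_PATH", v, 1);
    free(v);
    char buf[PATH_BUF];
    return safe_load_path("ANGBAND_PATH", buf, sizeof buf);
}

/* Same probe with the variable removed from the environment. */
int try_unset(void) {
    unsetenv("ANGBAND_PATH");
    char buf[PATH_BUF];
    return safe_load_path("ANGBAND_PATH", buf, sizeof buf);
}

int main(void) {
    printf("40-byte value:   %d\n", try_len(40));    /* 0  */
    printf("1084-byte value: %d\n", try_len(1084));  /* -2 */
    printf("unset:           %d\n", try_unset());    /* -1 */
    return 0;
}
```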
Received on Wed Jun 02 2004 - 19:25:58 BST