Entries tagged sourcescan

The scanning of the Debian source archive for security bugs has begun.

I've wrote about this previously and there was some interest in how it worked, so I've put up a simple webpage describing the process.

There are a lot of results to go through, but so far I've managed to find one local root exploit and many many many trivial problems.

Sample bugs:

• came: buffer overflow in handling $HOME
• aatv: Buffer overflow in handling environmental variables.

Unfortunately my usertags seem to be broken. This was working a day or two ago. Not sure if I fucked up or if the BTS is broken ..?

Tags: shellcode, sourcescan | No comments

Three, count them, three local root exploits discovered so far via the source scan of the Debian archive. More to follow.

• DSA-1326-1: fireflier-server
• DSA-1327-1: gsambad
• DSA-1328-1: unicon-imc2
  • This is an interesting one because the library itself isn't setuid, but it is linked to by the setuid application zhcon.
  • Which makes this exploit an instant root attack.

Right now my biggest irritation is the amount of time it takes to report bugs in packages which don't have security issues - just bad coding. It takes me a fair while to do it, since I either have to install the package and use "reportbug", or lookup version numbers and submit manually. I should think of a better way of doing it.

Tags: advisories, doing-stuff, shellcode, sourcescan | No comments

Films

One of the very few good things about my partner being away to the US for the next six weeks is that I can catch up on watching films which she doesn't like!

Every weekend we go out and spend £10-15 pounds on 2-3 second-hand DVDs from local stores. That gives us something new to watch every week, and is a fun way to spend a day shopping together, in amongst doing other things.This has meant I've watched an awful lot of (awful!) films I'd never have previously considered, but I've also found a few gems I'm glad I got to see.

The down-side is that we don't often watch films we've already got, since we don't have the time to do so.

Anyway tonight is Aliens & Battle Royale..

Source Scanning

A little more progress on that this week, another local root attack, a symlink attack against the Amaya browser and a potential root attack against evms.

The EVMS bug is frustrating because the code is contained in a plugin which appears to never get built. I've tried searching the web for more details, but unfortunately I couldn't find anything.

So in the interest of demonstration here's how you should not write code which runs as root:

        if(system("lsrsrc -axd IBM.PeerNode > /tmp/rsct_node_info") == -1){
                LOG_ERROR("ERROR:get_nodes_info() fails ");
        }
        

Why is this bad? Because it users a static filename /tmp/rsct_node_info - and that could be a symlink. Consider what happens if a local user were to run:

skx@vain:~$ ln -s /etc/passwd /tmp/rsct_node_info

The EVMS plugin would happily trash the /etc/passwd file, rendering the system broken...

If this works on other distros that I couldn't spot don't tell anybody; it'll be our little secret ;)

X.org

Today I rebooted, to make sure that purging EVMS hadn't screwed with my initrd - and found errors relating to failure to load "keyboard" driver(s).

Turns out you need to change:

Section "InputDevice"
        Identifier      "Generic Keyboard"
        Driver          "keyboard"
        Option          "CoreKeyboard"

TO:

Section "InputDevice"
        Identifier      "Generic Keyboard"
        Driver          "kbd"
        Option          "CoreKeyboard"

That took a fair bit of head-scratching.

Tags: films, sourcescan, x.org | No comments