Security
By Jake Edge March 11, 2009
When applications receive inputs they do not expect, they generally fail,
hopefully with an error message of some kind—indicating that the
programmer anticipated that type of bad input. But sometimes, programs
crash when they receive bad input, which can lead a researcher—or
attacker—to an
exploitable vulnerability. Testing applications by feeding them bad data
is known as "fuzzing", and there are numerous toolkits and frameworks
available to help with such a task. One of those is Fusil, a Python library which can
be used to write fuzzing programs.
The basic idea behind Fusil is that it starts the targeted program in a
limited environment, creates bad input to feed to it, and watches for various
events that would indicate a program crash. Fusil monitors the process
exit code, stdout, and stderr for patterns that might indicate a crash, and
it also keeps track of CPU usage and run time to look for infinite loops and
the like. It runs the process as a separate user ("fusil") to try to avoid
any adverse effects on the user's environment from any crashes that result.
Fusil's most recent version is 1.2, released in early February, which comes
with more than a dozen fuzzing programs for standard applications and
libraries. There are fuzzers for firefox, clamav, python, and mplayer for
example, along with ones for libraries like gettext and for
printf() in libc. There is also a rather impressive list of crashes
found by Fusil, including several that became CVE entries.
Getting started using Fusil is fairly straightforward when following the usage
guide, though the author ran into a number of problems when trying to
run as a non-root user. Running the fusil-python fuzzer did
produce a crash ("unexpected exception during garbage collection"), which
needs to be looked into further.
When it crashes an application, Fusil creates a script that will reproduce
the error along with various files to help diagnose the problem. The
output and a core file from the application are stored with the
replay.py script. The data file and a log of the session are
stored there as well. One can re-run the failing process inside gdb or
valgrind by passing the appropriate option (i.e. --gdb or
--valgrind) to replay.py.
There is also a document on how
to write fuzzers using Fusil. It starts with the traditional "hello
world" program using echo—not much fuzzing going on
there—and moves into a more real-world echo fuzzer. Fusil
provides various ways to randomize the data that gets handed to the
application. Then there are
mechanisms available to inject bad data via the command line, environment
variables, data files, or the network.
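As an added illustration of the monitoring and data-injection mechanisms described above (example code written for this page, not Fusil's own), the following minimal Python harness feeds mutated input to a target on stdin, classifies each run from its exit signal, stderr content and run time, and stops at the first crash or hang. The crash-pattern list, the toy target and all function names are assumptions.

```python
import random
import re
import signal
import subprocess
import sys
import time

# stderr patterns taken as evidence of a crash (an assumed list modelled on the
# article's description of Fusil's monitoring, not Fusil's own pattern table).
CRASH_PATTERNS = re.compile(rb"segmentation fault|stack smashing detected|"
                            rb"double free|Traceback \(most recent call last\)", re.I)

def classify(returncode, stderr, elapsed, timeout):
    """Turn one run's exit code, stderr and run time into a verdict."""
    if returncode is None or elapsed >= timeout:
        return "hang"                    # infinite loop or runaway run time
    if returncode < 0:                   # killed by a signal (SIGSEGV, SIGABRT, ...)
        return "crash:" + signal.Signals(-returncode).name
    if CRASH_PATTERNS.search(stderr):
        return "crash:stderr"
    return "ok" if returncode == 0 else "error"  # "error": bad input handled cleanly

def mutate(data, rng, n_flips=4):
    """Corrupt a seed input with bit flips and boundary bytes."""
    buf = bytearray(data)
    for _ in range(n_flips):
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([buf[i] ^ (1 << rng.randrange(8)), 0x00, 0x7F, 0xFF])
    return bytes(buf)

def run_once(cmd, data, timeout=2.0):
    """Feed `data` to the target on stdin and return (verdict, stderr)."""
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
        rc, err = proc.returncode, proc.stderr
    except subprocess.TimeoutExpired as exc:
        rc, err = None, exc.stderr or b""
    return classify(rc, err, time.monotonic() - start, timeout), err

def fuzz(cmd, seed, iterations=50, rng_seed=1):
    """Return (input, verdict) for the first crash or hang found, else None."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        data = mutate(seed, rng)
        verdict, _ = run_once(cmd, data)
        if verdict.startswith("crash") or verdict == "hang":
            return data, verdict
    return None
# Constructed toy target standing in for a real program: it aborts on a 0xFF byte.
TOY_TARGET = [sys.executable, "-c", "import os, sys\n"
              "os.abort() if b'\\xff' in sys.stdin.buffer.read() else sys.exit(0)"]
```

The input returned by fuzz() is what a Fusil-style replay script would save alongside the session log so the failure can be reproduced under gdb or valgrind.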
Overall, Fusil looks like an interesting tool. It has already been used to
find crashes in various applications and libraries, and it has the
capability to be extended to many more. If you are in need of a framework
to fuzz test your application, Fusil is worth a look. If more projects
made use of tools like Fusil, we would probably see fewer exploitable
vulnerabilities caused by unexpected input.
Security reports
Mark Cox, Red Hat's director of security response, has released another of his annual reports on the security risks associated with Red Hat Enterprise Linux. It would be nice to see more distributions doing this kind of reporting on the number of vulnerabilities handled, what their severity was, and how quickly they were addressed. "The aim of this report was to get a measure of the security risk to users of Red Hat Enterprise Linux 4 during the first four years since release. We've shown that although on the surface it looks like Red Hat released a large number of security advisories, many of them do not apply to usual or default installations, and only a very small subset are a high risk."
New vulnerabilities
dash: privilege escalation
| Package(s): | dash |
| CVE #(s): | CVE-2009-0854 |
| Created: | March 10, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Ubuntu advisory: Wolfgang M. Reimer discovered that dash, when invoked as a login shell, would source .profile files from the current directory. Local users may be able to bypass security restrictions and gain root privileges by placing specially crafted .profile files where they might get sourced by other dash users. |
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775, CVE-2009-0776, CVE-2009-0777 |
| Created: | March 5, 2009 |
| Updated: | July 13, 2009 |
| Description: | Firefox has multiple vulnerabilities. From the Red Hat alert: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0040, CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0776, CVE-2009-0777) |
irrlicht: arbitrary code execution
| Package(s): | irrlicht |
| CVE #(s): | CVE-2008-5876 |
| Created: | March 9, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Gentoo advisory: An unspecified component of the B3D loader is vulnerable to a buffer overflow due to missing boundary checks. A remote attacker could entice a user to open a specially crafted .irr file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service (crash). |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2009-0675 |
| Created: | March 11, 2009 |
| Updated: | June 9, 2009 |
| Description: | The skfp driver will allow an unprivileged user to reset the device statistics, thus losing the relevant information. |
kernel: information disclosure
| Package(s): | kernel |
| CVE #(s): | CVE-2009-0676 |
| Created: | March 11, 2009 |
| Updated: | August 20, 2009 |
| Description: | The kernel socket code fails to properly initialize an internal data structure, allowing local users to obtain information via the getsockopt() system call. |
libsndfile: arbitrary code execution, denial of service
| Package(s): | libsndfile |
| CVE #(s): | CVE-2009-0186 |
| Created: | March 6, 2009 |
| Updated: | December 3, 2009 |
| Description: | From the Mandriva advisory: Crafted data (the channels-per-frame value) in CAF files enables remote attackers to execute arbitrary code or cause a denial of service via a possible integer overflow, leading to a possible heap overflow. |
mahara: insufficient input sanitising
| Package(s): | mahara |
| CVE #(s): | CVE-2009-0660 |
| Created: | March 11, 2009 |
| Updated: | March 11, 2009 |
| Description: | The mahara portfolio manager is susceptible to cross-site scripting attacks. |
mpfr: denial of service
| Package(s): | mpfr |
| CVE #(s): | CVE-2009-0757 |
| Created: | March 9, 2009 |
| Updated: | May 8, 2009 |
| Description: | From the Gentoo advisory: Multiple buffer overflows have been reported in the mpfr_snprintf() and mpfr_vsnprintf() functions. A remote user could exploit the vulnerability to cause a Denial of Service in an application using MPFR via unknown vectors. |
openswan: insecure tmp file usage
| Package(s): | openswan |
| CVE #(s): | CVE-2008-4190 |
| Created: | March 9, 2009 |
| Updated: | April 9, 2009 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that the IPSEC livetest tool does not handle the ipseclive.conn and ipsec.olts.remote.log temporary files securely. A local attacker could perform symlink attacks to execute arbitrary code and overwrite arbitrary files with the privileges of the user running the application. |
openttd: arbitrary code execution
| Package(s): | openttd |
| CVE #(s): | CVE-2008-3547, CVE-2008-3576, CVE-2008-3577 |
| Created: | March 9, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Gentoo advisory: Multiple buffer overflows have been reported in OpenTTD, when storing long client names (CVE-2008-3547), in the TruncateString function in src/gfx.cpp (CVE-2008-3576) and in src/openttd.cpp when processing a large filename supplied to the "-g" parameter in the ttd_main function (CVE-2008-3577). An authenticated attacker could exploit these vulnerabilities to execute arbitrary code with the privileges of the OpenTTD server. |
pdfjam: multiple vulnerabilities
| Package(s): | pdfjam |
| CVE #(s): | CVE-2008-5843, CVE-2008-5743 |
| Created: | March 9, 2009 |
| Updated: | March 13, 2009 |
| Description: | From the Gentoo advisory: Martin Vaeth reported multiple untrusted search path vulnerabilities (CVE-2008-5843). Marcus Meissner of the SUSE Security Team reported that temporary files are created with a predictable name (CVE-2008-5743). A local attacker could place a specially crafted Python module in the current working directory or the /var/tmp directory, and entice a user to run the PDFjam scripts, leading to the execution of arbitrary code with the privileges of the user running the application. A local attacker could also leverage symlink attacks to overwrite arbitrary files. |
php: web site intrusion
| Package(s): | php |
| CVE #(s): | CVE-2009-0754 |
| Created: | March 6, 2009 |
| Updated: | January 6, 2010 |
| Description: | From the Mandriva advisory: PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. |
poppler: denial of service
| Package(s): | poppler |
| CVE #(s): | CVE-2009-0755, CVE-2009-0756 |
| Created: | March 6, 2009 |
| Updated: | December 1, 2009 |
| Description: | From the Mandriva advisory: A crafted PDF file that triggers a parsing error allows remote attackers to cause a denial of service. This bug is a consequence of wrong processing in the FormWidgetChoice::loadDefaults method (CVE-2009-0755). A crafted PDF file that triggers a parsing error allows remote attackers to cause a denial of service. This bug is a consequence of an invalid memory dereference in the JBIG2SymbolDict::~JBIG2SymbolDict destructor when the JBIG2Stream::readSymbolDictSeg method is used (CVE-2009-0756). |
roundup: privilege escalation
| Package(s): | roundup |
| CVE #(s): | |
| Created: | March 11, 2009 |
| Updated: | April 10, 2009 |
| Description: | Any authenticated roundup user who is able to create and edit queries is able to edit any query on the system, regardless of ownership. See this bug report for more information. |
websvn: multiple vulnerabilities
| Package(s): | websvn |
| CVE #(s): | CVE-2008-5918, CVE-2008-5919 |
| Created: | March 9, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Gentoo advisory: James Bercegay of GulfTech Security reported a Cross-site scripting (XSS) vulnerability in the getParameterisedSelfUrl() function in index.php (CVE-2008-5918) and a directory traversal vulnerability in rss.php when magic_quotes_gpc is disabled (CVE-2008-5919). A remote attacker can exploit these vulnerabilities to overwrite arbitrary files, to read changelogs or diffs for restricted projects and to hijack a user's session. |
xerces-c: denial of service
| Package(s): | xerces-c |
| CVE #(s): | CVE-2008-4482 |
| Created: | March 9, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Gentoo advisory: Frank Rast reported that the XML parser in Xerces-C++ does not correctly handle an XML schema definition with a large maxOccurs value, which triggers excessive memory consumption during the validation of an XML file. A remote attacker could entice a user or automated system to validate an XML file using a specially crafted XML schema file, leading to a Denial of Service (stack consumption and crash). |
znc: privilege escalation
| Package(s): | znc |
| CVE #(s): | CVE-2009-0759 |
| Created: | March 9, 2009 |
| Updated: | March 11, 2009 |
| Description: | From the Gentoo advisory: cnu discovered multiple CRLF injection vulnerabilities in ZNC's webadmin module. A remote authenticated attacker could modify the znc.conf configuration file and gain privileges via newline characters in e.g. the QuitMessage field, and possibly execute arbitrary code. |
Page editor: Jake Edge