Victor Stinner | 4 Jul 2007 13:57

Environment variable fuzzing

(This email was first sent to skx#debian.org, but he didn't answer, so I am 
retrying on this mailing list)

Hi,

I see that you found a bug in the unicon-imc2 program. Great job ;-)

I wrote a fuzzer for files and environment variables. I have already found some 
serious bugs in ClamAV, Freetype and libexif.

So you should try it ;-)
  http://fusil.hachoir.org/trac

I found a bug in xterm (and the program file is setgid): there is a bug in the 
parsing of PATH (when it contains only one path, with no ":"). Check 
xterm/misc.c, near line 2811, function xtermFindShell(). It doesn't allocate 
enough bytes to store the nul byte. The xterm author didn't answer my email.

I also found many bugs in gettext, but gettext's author doesn't care because it « 
would not serve the purpose of a maximally efficient lookup of 
translations ». OK, but it's possible to use 
LANGUAGE='../../../../../../../../tmp' with non-suid programs... libc uses 
strong validation of the LANGUAGE variable, but only for suid programs (a stupid 
thing).

Another funny bug: « COLUMNS=10000000 dpkg-query -l » segfaults (with a 
UTF-8 locale) because of a bug in libc :-) (bug fixed in libc upstream)

Victor Stinner aka haypo
http://hachoir.org/
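To make the technique in the message above concrete, here is a small environment-variable fuzzer written for this page. It is an added example, not Fusil's code and not code from any of the projects named in the thread. The payload list is my own choice, modelled on the three bugs Victor describes (a PATH with a single entry and no ":", a LANGUAGE value that walks up the directory tree, and a huge COLUMNS), and the "target" it fuzzes is a constructed Python one-liner that kills itself with SIGSEGV when COLUMNS is a number above 1000000, standing in for the real dpkg-query crash; it is hypothetical, not the libc bug. Crashes are detected from the outside the way a fuzzer must: a negative return code from subprocess means the child died from that signal.

```python
"""Minimal environment-variable fuzzer (added example, not Fusil's code).

It runs a target command many times with mutated environment variables and
records every run that ends in a signal (SIGSEGV, SIGABRT, ...), a timeout or
an exec failure.  The payloads are modelled on the bugs mentioned in the
thread: a PATH with a single entry and no ':', a LANGUAGE value that walks up
the directory tree, and an absurdly large COLUMNS.
"""
import os
import random
import subprocess
import sys

# Seed values for mutation (chosen for this example).  Each one targets a
# parsing assumption a program might make about its environment.
PAYLOADS = [
    "/usr/bin",                     # PATH with one entry: no ':' to split on
    "../../../../../../../../tmp",  # LANGUAGE-style directory traversal
    "10000000",                     # COLUMNS far beyond any real terminal
    "",                             # empty value
    "A" * 16384,                    # long value (kept under the kernel's
                                    # per-string limit so execve still works)
    "%s%n%x",                       # format-string tokens
    "\u00e9" * 256,                 # multibyte UTF-8 content
]


def mutate_value(rng):
    """Pick a payload and sometimes repeat it to stretch buffers further."""
    value = rng.choice(PAYLOADS)
    if rng.random() < 0.5:
        value *= rng.randint(2, 4)
    return value


def mutate_env(base_env, names, rng):
    """Copy base_env and overwrite a random non-empty subset of `names`."""
    env = dict(base_env)
    for name in rng.sample(names, k=rng.randint(1, len(names))):
        env[name] = mutate_value(rng)
    return env


def run_target(argv, env, timeout=5.0):
    """Run argv once.  Returns (status, signal_number); signal_number is only
    set when the process was terminated by a signal (status "crash")."""
    try:
        proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", None
    except (OSError, ValueError):       # e.g. E2BIG or an unencodable value
        return "error", None
    if proc.returncode < 0:             # POSIX: negative code == killing signal
        return "crash", -proc.returncode
    return "ok", None


def fuzz(argv, names, iterations=100, seed=0):
    """Fuzz `names` in the target's environment; return the abnormal runs."""
    rng = random.Random(seed)
    base_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    findings = []
    for i in range(iterations):
        env = mutate_env(base_env, names, rng)
        status, sig = run_target(argv, env)
        if status != "ok":
            findings.append({"iteration": i, "status": status, "signal": sig,
                             "env": {n: env[n] for n in names if n in env}})
    return findings


# Constructed stand-in for a buggy program (hypothetical, not dpkg-query):
# it kills itself with SIGSEGV whenever COLUMNS is a number above 1000000,
# which reproduces the COLUMNS=10000000 crash as seen from the outside.
TARGET_SCRIPT = (
    "import os, signal\n"
    "c = os.environ.get('COLUMNS', '')\n"
    "if c.isdigit() and int(c) > 1000000:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n"
)
TARGET_ARGV = [sys.executable, "-c", TARGET_SCRIPT]
FUZZED_NAMES = ["PATH", "LANGUAGE", "COLUMNS"]


if __name__ == "__main__":
    for f in fuzz(TARGET_ARGV, FUZZED_NAMES):
        print(f["iteration"], f["status"], f["signal"], f["env"])
```

Two details matter in practice: the long payload stays well below the kernel's per-string limit for execve, otherwise every run fails with E2BIG and looks like a "finding", and the environment is rebuilt from a small base rather than inherited, so a crash is reproducible from the recorded values alone. Point `TARGET_ARGV` at a real setgid binary such as xterm and the same loop applies unchanged.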

Steve Kemp | 4 Jul 2007 14:52

Re: Environment variable fuzzing

On Wed Jul 04, 2007 at 13:57:53 +0200, Victor Stinner wrote:
> (This email was first sent to skx#debian.org, but he didn't answer, so I am 
> retrying on this mailing list)

  I get behind on mail very very easily.  I get too much.

> I see that you found a bug in the unicon-imc2 program. Great job ;-)

  Thanks.

> I wrote a fuzzer for files and environment variables. I have already found some 
> serious bugs in ClamAV, Freetype and libexif.

  Great.

> So you should try it ;-)
>   http://fusil.hachoir.org/trac

  Definitely something that looks nice, and the bugs you've found
 should be reported to the Debian BTS.

> Another funny bug: « COLUMNS=10000000 dpkg-query -l » segfaults (with a 
> UTF-8 locale) because of a bug in libc :-) (bug fixed in libc upstream)

  I can't reproduce that one.

Steve

Victor Stinner | 4 Jul 2007 16:21

Re: Environment variable fuzzing

Hi,

On Wednesday 04 July 2007 14:52:17 Steve Kemp wrote:
> On Wed Jul 04, 2007 at 13:57:53 +0200, Victor Stinner wrote:
> > (This email was first sent to skx#debian.org, but he didn't answer, so I
> > am retrying on this mailing list)
>
> I get behind on mail very very easily.  I get too much.

I guessed that yeah.

> > So you should try it ;-)
> >   http://fusil.hachoir.org/trac
>
>   Definitely something that looks nice, and the bugs you've found
>  should be reported to the Debian BTS.

When I find a bug with my fuzzer, I identify the bug with gdb or another tool. 
Sometimes I write a patch. Then I post a bug report. But it's not enough! Some 
developers « don't care » about security (e.g. ImageMagick and gettext). I 
don't know what to do if they don't care. Fork the software? Do full 
disclosure?

Some bugs are minor ("just a crash") but others are more important (denial of 
service). Since ImageMagick is used on a lot of websites, a denial of service 
will impact web servers. And I can say that the latest version of ImageMagick has 
such bugs!

> > Another funny bug: « COLUMNS=10000000 dpkg-query -l » segfaults (with a
> > UTF-8 locale) because of a bug in libc :-) (bug fixed in libc upstream)

Nico Golde | 4 Jul 2007 16:31

Re: Environment variable fuzzing

Hi,
* Victor Stinner <victor.stinner <at> haypocalc.com> [2007-07-04 16:26]:
> On Wednesday 04 July 2007 14:52:17 Steve Kemp wrote:
> > On Wed Jul 04, 2007 at 13:57:53 +0200, Victor Stinner wrote:
[...] 
> > > So you should try it ;-)
> > >   http://fusil.hachoir.org/trac
> >
> >   Definitely something that looks nice, and the bugs you've found
> >  should be reported to the Debian BTS.
> 
> When I find a bug with my fuzzer, I identify the bug with gdb or another tool. 
> Sometimes I write a patch. Then I post a bug report. But it's not enough! Some 
> developers « don't care » about security (e.g. ImageMagick and gettext). I 
> don't know what to do if they don't care. Fork the software? Do full 
> disclosure?

That's your decision, but whether upstream cares about security or 
not doesn't really matter. OK, it's nice if upstream includes 
a fix, but if you report the bug to the Debian BTS there is a 
chance to just fix it with the Debian diff.

> Some bugs are minor ("just a crash") but others are more important (denial of 
> service).

"Just a crash" is good when looking at the fact that most 
memory corruptions are exploitable.

[...] 
Cheers
