Re: Analysis vulnerabilities associated to published security advisories, anyone?

[Javier Fernández-Sanguino Peña <jfs@computer.org>]

On Wed, Mar 09, 2005 at 07:13:48PM +0000, Steve Kemp wrote:
> On Wed, Mar 09, 2005 at 08:05:40PM +0100, David Schmitt wrote:
> > On Wednesday 09 March 2005 19:13, Steve Kemp wrote:
> > >   A simple script I wrote did that for me already - although there are
> > >  some fixups required as we seem to have a few different spellings
> > >  for different things.  eg. sanitizing vs sanitising.
> > >
> > >   You can see the simple output here along with input and output.
> > >
> > >  http://people.debian.org/~skx/2005/
> > 
> > Nice script. I fixed it up to sanitise 'sanitizations' and sort output by 
> > count. diff attached.
> 
>   Thanks, I've applied it and updated the page.

Based on your code I've modified it (reused some of the code I wrote for
other tasks) so that it can be run in the source code that generates
www.debian.org/security. Attached is both the modified script and the
result. As you will see, since the 'description' tag has not been used
uniformly (sp?) the results are quite strange. I believe it would be best
if we modified all the .data files and added a 'vulntype' tag to all of
them in order to do proper analysis.

Regards

Javier

#!/usr/bin/perl -w

use Getopt::Std;
use Time::gmtime;
use IO::File;
use Date::Parse;
use strict;

my %HASH;
my %DSAcount;
my %dsaref;
my $opt_h;
my $opt_v;

# Stdin options
# -v verbose
getopts('hv');
if ( $opt_h ) {
# Help!
	print "usage: $0 [-vh]\n";
	print "\t-v\tverbose mode\n";
	print "\t-h\tthis help\n";
	exit 0;
}


# Extract data
#parsedirs (".", "data", 2);
parsedirs (".", "wml", 2);

# Print page
countvuln();
printtable();

exit 0;

sub countvuln {
# Count the vulnerabilities in %dsaref based on description
	foreach my $dsa (keys %dsaref) {
		if  ( defined $dsaref{$dsa}{'description'} ) {
			my $type = $dsaref{$dsa}{'description'};
			$type =~ s/ *$//;
			$type =~ s/(overflow|file)s$/$1/;
			$type =~ s/saniti[zs]ing|validation/validation/;
			$type =~ s/unsanitised input/missing input validation/;
			$HASH{ $type } += 1;  # Increase type of flaw.
			$DSAcount{ $type } .= " " . $dsa ;
		}
	}
}

##
##  Simple HTML output
##
sub printtable {
	print "<table>";
	foreach my $key ( sort { $HASH{$b} <=> $HASH{$a} } keys %HASH )
	{
		print "<tr bgcolor=\"#cccccc\"><td>" . $key . "</td><td>" . $HASH{ $key }  . "</tr>\n";

		print "<tr><td></td><td>";
		foreach my $vuln ( split( / /, $DSAcount{ $key } ) )
		{
			next if not length( $vuln );

			$vuln = lc($vuln);
			print "<a href=\"http://www.debian.org/security/2005/$vuln\";>$vuln</a> ";
		}
		print "</td></tr>\n";
	}
	print "</table>";
}

sub parsewmlfile {
	my ($file,$filename) = @_ ;
	my $dsa;
	my $line;
# The filename gives us the DSA we are parsing
	if ( $filename =~ /dsa\-(\d+)/ || $filename =~ /(\d+\w+)/ ) {
		$dsa=$1;
	} else {
		print STDERR "File $file does not look like a proper DSA, not checking\n" if $opt_v;
		return 1;
	}
	print STDERR "Parsing DSA $dsa from file $file\n" if $opt_v;
	open (WMLFILE , $file) || die ("Cannot read $file: $!");
	while ($line=<WMLFILE>) {
		chomp $line;
		if ( $line =~ /description\>(.*?)\<\/define-tag/ )  {
			$dsaref{$dsa}{'description'}=$1;
		}
		last if defined $dsaref{$dsa}{'description'};
	}
	close WMLFILE;
	return 0;
}

sub parsedatafile {
	my ($file,$filename) = @_ ;
	my $dsa;
	my $line;
# The filename gives us the DSA we are parsing
	if ( $filename =~ /dsa\-(\d+)/ || $filename =~ /(\d+\w+)/ ) {
		$dsa=$1;
	} else {
		print STDERR "File $file does not look like a proper DSA, not checking\n" if $opt_v;
		return 1;
	}
	print STDERR "Parsing DSA $dsa from file $file\n" if $opt_v;

	open (DATAFILE , $file) || die ("Cannot read $file: $!");
	while ($line=<DATAFILE>) {
		chomp $line;
		if ( $line =~ /report_date\>([\d\-\/]+)\<\/define-tag/ )  {
			my $dsadate=$1;
			# Just in case...
			$dsadate =~ s/\-(\d)\-/-0$1-/;
			$dsadate =~ s/\-(\d)$/-0$1/;
			$dsaref{$dsa}{'date'}=$dsadate ;
		}
		if ( $line =~ /secrefs\>(.*?)\<\/define-tag/ ) {
			$dsaref{$dsa}{'secrefs'}=$1 ;
			print STDERR "Extracted security references: $dsaref{$dsa}{'secrefs'}\n" if $opt_v;
		}
		$dsaref{$dsa}{'package'}=$1 if ( $line =~ /packages\>(.*?)\<\/define-tag/ ) ;
		$dsaref{$dsa}{'vulnerable'}=$1 if ( $line =~ /isvulnerable\>(.*?)\<\/define-tag/ ) ;
		$dsaref{$dsa}{'fixed'}=$1 if ( $line =~ /fixed\>(.*?)\<\/define-tag/ ) ;
	}
	close DATAFILE;
	return 0;
}

sub parsedirs {
	my ($directory, $postfix, $depth) = @_ ;
	my $dir = new IO::File;
	if ( $depth == 0 ) {
		print STDERR "Maximum depth reached ($depth) at $directory\n" if $opt_v;
		return 0;
	}
	opendir ($dir , $directory) || die ("Cannot read $directory: $!");
	while ( my $file = readdir ($dir) ) {
		print STDERR "Checking $file (for $postfix at $depth)\n" if $opt_v;
		if ( -d "${directory}/${file}"  and ! -l "${directory}/${file}" && $file !~ /^\./ ) {
			print STDERR "Entering directory ${directory}/${file}\n" if $opt_v;
			parsedirs ( "${directory}/${file}", $postfix, $depth - 1 );
		} 
		if ( -r "${directory}/${file}" && $file =~ /$postfix/ && $file !~ /^[\.\#]/ ) {
			parsedatafile($directory."/".$file,$file) if $file =~ /data$/;
			parsewmlfile($directory."/".$file,$file) if $file =~ /wml$/;
		}
	} # of the while
	closedir $dir;
	return 0;
}

buffer overflow	168
	076 194 458 517 451 578 1ldso 350 527 337 096 124 594 653 367 391 523 193 244 637 410 595 113 579 295 683 508 507 260 309 506 116 300 120 381 254 373 205 644 399 040 19980520 301 213 017 493 171 445 329 525 582 400 287 672 349 275 197 432 677 110 112 646 369 176 629 372 428 359 182 033 632 663 274 645 322 635 128 501 215 064 387 267 354 461 565 520 424 368 611 175 511 062 291 374 649 648 327 320 280 19981112 184 140 412 385 502 314 326 619 621 598 162 334 103 174 214 1libdb 657 074 593 641 640 623 044 20000702 217 328 281 183 384 398 407 376 587 609 190 298 397 321 624 165 186 268 345 516 494 216 069 643 455 179 676 060 550 625 547 406 530 166 141 252 031 19981122 19980110 185 597 248 390 356
several vulnerabilities	78
	443 358 572 311 495 662 236 234 388 486 288 324 536 379 480 535 312 237 638 607 235 436 652 265 468 475 515 691 519 187 526 232 360 549 543 332 532 434 442 642 241 489 465 361 479 195 524 240 440 423 266 467 481 188 576 239 562 497 472 439 546 667 243 531 669 639 238 448 336 457 482 365 470 654 450 491 196 242
insecure temporary file	41
	559 118 331 325 340 285 460 341 661 286 308 366 633 137 323 588 426 256 500 610 615 658 353 575 603 622 202 159 679 647 053 305 362 343 339 172 636 577 046 20001225 105
missing input validation	27
	548 627 686 690 496 678 568 650 542 566 604 469 682 626 689 471 680 552 612 563 688 402 518 504 247 596 631
integer overflow	22
	226 573 581 272 333 142 589 614 591 433 602 673 222 143 628 599 601 282 149 570 146 408
denial of service	17
	206 211 415 452 545 414 393 492 409 198 201 317 478 157 318 473 528
remote exploit	16
	20001122a 200 138 262 20000901 027 257 075 043 066 20001013a 070 106 123 134 111
format string	14
	684 485 685 447 370 671 513 510 687 616 529 487 670 592
privilege escalation	12
	463 675 509 161 303 154 681 20001219 668 302 304 173
local exploit	10
	20000902a 20001217a 041 20000910a 20001120 20000810 20000727 20001014 20001111a 1lynx
cross site scripting	9
	220 218 221 191 167 163 199 181 169
symlink attack	9
	059 048 090 20001217 20001122 20001123 20001129 20001130 20001201
remote root exploit	9
	1samba 045 1mgetty 034 20000911 087 20000719a 086 357
local root exploit	9
	1svgalib 092 189 1sperl 054 20000902 20001013 20001122b 403
format string vulnerability	8
	139 028 590 584 521 411 522 258
cross-site scripting	7
	351 126 533 355 125 371 147
failing function and TLB flush	5
	454 453 456 514 466
missing privilege release	5
	430 405 462 665 655
insecure temporary directory	5
	488 352 583 544 630
directory traversal	5
	534 346 344 209 499
insecure temporary file creation	5
	160 279 483 477 292
buffer overflows, integer overflow	4
	571 313 306 618
local privilege escalation	4
	20001121 276 270 20001118a
infinite loop	4
	586 255 261 613
heap overflow	4
	567 435 404 505
printf format attack	3
	057 072 061
remote DoS	3
	077 068 093
insecure execution	3
	296 293 284
arbitrary program execution	3
	036 158 204
insecure tempfile handling	3
	011 037 019
information leak	3
	431 180 253
missing function return value check	3
	438 444 441
insecure file creation	3
	540 446 283
remote buffer overflow	3
	127 013 012
missing HTML quoting	3
	251 250 249
arbitrary code execution	3
	192 490 164
missing boundary check	3
	417 413 427
buffer overflows, denial of service	3
	378 380 315
remote denial of service	3
	129 20001120a 035
possible remote exploit	3
	20001014a 20001014b 20001118
SQL injection	3
	347 229 338
remote DoS / exploit	3
	131 132 133
integer and stack overflow	2
	560 561
multiple vulnerabilities	2
	425 307
doubly freed memory	2
	145 233
vulnerable to symlink attack	2
	19980317a 19980317e
design flaw	2
	666 692
arbitrary command execution	2
	207 203
char-to-int conversion	2
	278 290
Buffer Overflow	2
	081 082
possible remote vulnerability	2
	382 383
local file overwrite	2
	039 056
integer overflow, buffer overflow	2
	348 297
symlink vulnerability	2
	108 553
remote command execution	2
	178 219
Cryptographic weakness	2
	273 269
improper setuid-root execution	2
	310 299
/tmp file creation problem	2
	19990823b 19990823c
remote root exploit in dhcp client	2
	20000728 20000628
invalid free(3)	2
	569 556
unauthorized file access	1
	114
open mail relay	1
	437
change default umask	1
	063
multiple remote exploits	1
	136
CRLF injection	1
	210
broken maintainer script	1
	015
local insecure crontab handling	1
	024
missing directory validation	1
	574
buffer overflow, directory traversal	1
	416
remote root exploit (and others)	1
	089
insecurely opens files in /tmp	1
	19980531
missing random seed	1
	152
sendmail 8.8.5 follows hardlinks when writing /var/tmp/dead.letter	1
	19970325a
buffer overflow, weak security	1
	042
misinterprets ISINDEX queries	1
	19980827e
influencing login	1
	091
buffer overflows and information leak	1
	026
insecure temporary files / directories	1
	620
buffer overflows and memory leak	1
	228
missing user input validation	1
	564
remote command invocation	1
	078
arbitrary file access	1
	600
remote unauthorized access	1
	055
local buffer overflow	1
	20001122c
unauthorized gathering of data	1
	080
Denial of service vulnerabilities in bind	1
	19991116
Root exploit in eterm	1
	19990218
buffer overflow, giving access to group games	1
	19980613
Symlink attack	1
	19990612
missing return value check	1
	660
/tmp race in sail	1
	19980828d
talkd does not check hostname length	1
	19970127
incorrect permissions	1
	335
ASN.1 parsing vulnerability	1
	394
libc NLSPATH buffer overflow	1
	19970213
inetd passes privileged groups on to subprocesses	1
	19970325b
remote DOS & potential buffer overflow	1
	029
3 remote exploits	1
	073
potential buffer overruns	1
	19980317c
proftpd running with incorrect userid, erroneous file removal	1
	032
remote root exploit in wu-ftpd	1
	20000623
unsafe temp file	1
	19981118
improperly sanitised input	1
	420
remote vulnerability	1
	422
Denial of service in 2.2-series kernel	1
	19990607
remote compromise	1
	20000910
improper variable initialization	1
	117
tftpd allows retrieval of files with ".." in their path	1
	19970323
local DoS	1
	20001125
local root exploit, remote client exploit	1
	119
Local root exploit	1
	101
faxsurvey script executes arbitrary commands	1
	19980827a
insufficient input validation	1
	617
password expiration	1
	421
buffer overflow and more	1
	224
arbitrary script execution	1
	156
ignored counter boundary	1
	245
cryptographic weakness	1
	429
remote exploit in htdig	1
	19991209
buffer overflow and format string attack	1
	014
root exploit in splitvt	1
	20000605a
source code disclosure	1
	170
buffer overflows in proftpd	1
	19991111a
buffer overflows, format string	1
	277
symlink attack in apcd	1
	20000201
problem with very long pathnames	1
	19980909
missing quoting, incomplete parser	1
	294
Buffer overflow in some FTP servers	1
	19990210
missing input validation, wrong calculation	1
	396
request-route used a lock file in /tmp	1
	1modutils
incorrect memory resizing	1
	289
local tempfile vulnerabilities	1
	023
insecure packet filtering rules	1
	389
buffer overflow / DoS	1
	135
Rare problem with corrupted file permissions	1
	19990823
local printf format attack	1
	058
Potential buffer overflow	1
	100
Uncontrolled program execution	1
	097
missing input validation processing	1
	538
"teardrop" attack	1
	1teardrop
buffer overflow, integer overflow	1
	651
routed permits remote user file overwrite	1
	19980317d
opens files in /tmp in an unsecure manner	1
	19980708
Security problem with temp file handling.	1
	19990215
access control problem and root exploit	1
	20000109
local insecure tempfile creation	1
	022
DoS attack	1
	104
Buffer overflow in sperl 5.003	1
	19970417
remote denial of service if using sendsys report mechanism	1
	19980828b
buffer overflow with very long paths	1
	19980922
wrong signal handler	1
	606
broken dropping of privileges	1
	052
possible shadow file compromise	1
	20000816
missing escape	1
	541
users can see files they shouldn't	1
	19991030
GNU tar sometimes unintentionally creates setuid-root executables.	1
	19970206a
The imapd, pop2d and pop3d servers allow remote, unauthenticated root access.	1
	19970302
Security problems corrected in new upstream version	1
	19990804
sort and tac vulnerable to symlink attack	1
	19980217
insecure /tmp file	1
	1xfree3
improper character escaping	1
	088
/tmp file attack	1
	1doom
cheating with detached signatures, circumvention of web of trust	1
	20001225b
uucp uid/gid access	1
	079
privilege leak	1
	418
Buffer overflow in INN inews program	1
	19990907
out of bound access	1
	498
buffer overflow, symlink problem, ".." directory traversal	1
	121
buffer overflows, miscellaneous security updates	1
	19990422
bypassing safe_mode, CRLF injection	1
	168
remote users can read files with webserver uid	1
	20000227
multiple problems	1
	212
math overflow errors	1
	263
The "screen" program overflows when copying the gecos field.	1
	19970220
symbolic link can be used to change file permissions	1
	19990331a
Multiple vulnerabilities in linux kernel	1
	3
race condition	1
	20001008
buffer overflows, arbitrary command execution	1
	364
information exposure	1
	223
SuperProbe (of XFree86) contains a number of buffer overflow	1
	19970304
displaying files despite lack of permissions	1
	19980508b
buffer overflows in bootpd and ftp	1
	19990104
Still remotely exploitable using buffer overflow	1
	20000830
incorrect input handling	1
	395
Improper handling of symlink permissions	1
	19990220
remotely triggered memory allocation error	1
	130
cookie path traversal	1
	459
stack overflow	1
	231
There is a vulnerability in PHP/FI, a NCSA httpd cgi enhancement	1
	19970416
Incorrect permissions on xmonisdn	1
	19990807
missing filename validation	1
	264
insecure permissions, spurious backup file	1
	230
Shell meta-characters permitted	1
	19980211
privacy escalation with Konqueror	1
	155
Buffer overflow	1
	19990823a
potential buffer overflow executable	1
	19980317b
root compromise in ftpwatch	1
	19990117
settings not honored	1
	605
daemon exploit	1
	102
Remote exploit	1
	067
buffer overflows and format string vulnerabilities	1
	148
Script problem in mc	1
	1mc
buffer overflows allowing local root access	1
	19980828a
file creation and corruption bug in XConsole	1
	19980509
potentially allows local root exploits	1
	19980827b
source disclosure	1
	225
problem with su	1
	19980513
session ID spoofing	1
	319
IRC session hijacking	1
	099
Buffer overflow in older versions of cfingerd	1
	19990806
buffer overflow causing potential remote root exploits, denial of service	1
	19980401
setuid ncurses programs allow opening arbitrary file	1
	19980827d
Vulnerability in POP-2 daemon	1
	19990607a
creates user "ftp" unauthorized	1
	19981126
buffer overflow in klock, kvt saves config as root	1
	19980530a
broken image handling	1
	464
failure to drop root privileges	1
	330
programming error	1
	585
remote exploit in ssh	1
	19991215a
buffer overflows in minicom if suid	1
	19980901
possible local exploit in mtr	1
	20000309
incorrect internal variable handling	1
	551
Missing PAM support	1
	025
incorrect signature verification	1
	20001111
insecure file handling, format string bug	1
	20001225a
rlogin doesn't check $TERM's length.	1
	19970206b
IP spoofing attack "land"	1
	1land
does not drop its root privileges	1
	19981207
broken boundary check and more	1
	115
mail group exploit in mailx	1
	20000605
buffer overflow, format string	1
	375
illegal file exposition	1
	150
denial of service, bounce-scanning	1
	363
untrustworthy privileged binaries	1
	20001121a
buffer overflows, file and directory exposure	1
	392
bug in capabilities handling allows root exploits	1
	20000612
insecure file permissions	1
	537
symlink attack in make	1
	20000217
buffer overflow, insecure tempfile handling, denial-of-service attack	1
	030
buffer overflow in the NFS server	1
	19991111
insecure socket creation	1
	1xfree
format strings	1
	401
format print vulnerability	1
	107
Buffer overflow in amd	1
	19990924
Buffer overflow in amd -- update	1
	19991018a
wrong file permissions	1
	555
insecure file handling	1
	1xfree2
allows remote to send arbitrary characters to local terminal	1
	19980508a
remote misuse of printer	1
	20001119
buffer overflow in qpopper	1
	19991215
broken privileges dropping, broken tempfile	1
	050
Command Execution Via URLs Vulnerability	1
	20000830a
Format string vulnerability	1
	085
buffer overflow, incorrect permissions	1
	316
possible buffer overflows in nslookup and dig	1
	19980905
information leak, integer underflow	1
	659
missing argument check	1
	503
buffer overflow in ftpd	1
	20000719
INN 1.5 parsecontrol	1
	1parsecontrol
Information Retrieval	1
	084
sudo allowed users to run any root command	1
	19980112b
cross-site scripting, directory traversal	1
	674
input validation bug	1
	386
remote exploit in nmh	1
	20000229
insufficient protection	1
	20001220
memory corruption	1
	071
incorrect file removal in boot script	1
	20000108
buffer overflows and other bugs	1
	227
unsafe mailcap configuration	1
	342
Root exploit in cron	1
	19990830
cross site code execution and privilege escalation	1
	153
missing filename validation, SQL injection	1
	419
symbolic link can be used to make any file world readable	1
	19990331
computer virus	1
	1bliss
buffer overflow in logging	1
	19981210
unauthenticated access	1
	512
Buffer overflow in lsof	1
	19990220a
insecure tempfile bug, broken mod_rewrite	1
	021
problem restoring symlinks	1
	19991202
It may be possible to make metamail execute arbitrary commands	1
	19970409
unauthorized escalation of privilege (update)	1
	20000821
Vulnerability in XFree86	1
	19970702a
cross-realm	1
	476
mail user privilege escalation	1
	259
unauthorized remote code execution	1
	20000719b
integer overflows, missing input validation	1
	608
remote printf format attack	1
	049
unexpected _javascript_ execution	1
	051
remote nobody exploit	1
	018
exposes contents of local file	1
	20001009
malicious mails can execute arbitrary code	1
	19980827c
insecure tempfile	1
	038
information exposure, cross site scripting	1
	246
pipe exposure	1
	151
amd ignores nodev option	1
	19970407
unauthorized password change	1
	271
Denial of Service in Sendmail	1
	19991207
bug in access control mechanism	1
	20000619
remote file append/creation	1
	065
Buffer overflow in super.	1
	19990215a
unauthorized port forwarding	1
	1ssh
weak hostname and username validation	1
	634
cross-site scripting vulnerability	1
	109
insecure file access	1
	656
improper input handling	1
	144
root exploit in cfingerd	1
	19990814
UUCP exploit under smail	1
	19980112a
Vulnerability in elm	1
	19970702b
broken file permissions	1
	664
insecure signal handling	1
	083
buffer overflow, format string bugs	1
	449
various security problems in nis	1
	19991027
pre-set password	1
	554
null pointer dereference	1
	558
buffer overflow in mountd	1
	19980904
root exploit	1
	20000919
opens files in /tmp insecurely	1
	19980530b
remote Denial of Service	1
	20001112
multiple security problems	1
	047
missing privilege dropping	1
	557
weak administrator authentication	1
	19990623
failure to drop privileges	1
	484
reported exploit in dump	1
	20000328
malloc error (double free)	1
	122
temp file creation and format string	1
	016
remote DOS and remote information leak	1
	020
root compromise	1
	19980829
missing initialisation	1
	580
gzexe allows running arbitrary programs	1
	19980514
local root vulnerability	1
	095
format string vulnerability and buffer overflow	1
	098
standard buffer overrun(s) in minicom	1
	19970210
cross-site scripting hole	1
	094
Incorrect directory name handling in mirror	1
	19991018
ACL bypass	1
	474
insecure program execution	1
	377
vulnerable to a denial of service	1
	19980828c
serious security violation	1
	177
unauthorized escalation of privilege	1
	20000812
broken safe compartment	1
	208
temporary directory vulnerability	1
	539

Attachment: signature.asc
Description: Digital signature