Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
The idea was to find buffer overflows in privileged programs in Debian that potentially allow for privilege escalation by a local user.
I did this by building a list of all suid/sgid programs in Debian packages. I then tried using http://sharefuzz.sourceforge.net/ against those privileged executables. This tool attempts to test all the environment variables in a program by replacing the variables used with suitably long strings (e.g., an 8K long string). If the program in question crashes when using these environment variables, then this might indicate a buffer overflow and may be potentially exploitable, leading to privilege escalation. The way an attacker would use this would be to gain code execution by crafting the environment variable before executing the suid program. The malicious code execution would, from an attacker's point of view, run with the privileges of the suid/sgid binary.
I did this testing on most of the suid/sgid (i.e. privileged) programs in Debian and found 3 programs exited with a SIGSEGV, indicating that at a minimum it was an abnormal exit and quite possibly a buffer overflow. I reported these crashes to the package maintainers but left it to them to determine the consequences and exploitability. 2 of the crashes were sgid games, which is quite a low level of increased privilege, but one of the crashes was suid root. These packages are all non-default, so again the impact of any vulnerability is reduced.
This kind of testing is good for Debian security and provides some comfort to me at least, knowing this class of vulnerability has been tested for against the privileged programs in the Debian repository.
I also started doing this kind of testing against regular packages in Debian, but I do not think it is relevant to the security list and it has much less value in general, even though it would be nice to say that programs don't crash when we arbitrarily change the environment.
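A minimal harness of the kind the message describes, added here as an example (not sharefuzz and not part of the original thread): it runs a target once per environment variable with an oversized value and classifies any signal-terminated exit, which is what a package maintainer needs to reproduce and triage a reported crash. It assumes the target is run as an unprivileged user and uses a constructed Python one-liner as a stand-in for a crashing binary, since the thread names no affected package.

```python
import os
import signal
import subprocess
import sys

# The kind of "suitably long" value the message mentions (8K).
FILL = "A" * 8192


def run_with_env(argv, var, value, timeout=10):
    """Run argv with one variable overridden.

    Returns (returncode, signal_name): signal_name is None for a normal
    exit, the signal name (e.g. SIGSEGV) if the process was killed, or
    "TIMEOUT" if it hung.
    """
    env = dict(os.environ)
    env[var] = value
    try:
        proc = subprocess.run(argv, env=env, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "TIMEOUT"
    rc = proc.returncode
    if rc < 0:  # POSIX: negative returncode means killed by signal -rc
        return rc, signal.Signals(-rc).name
    return rc, None


def fuzz_env(argv, var_names, value=FILL):
    """Try each variable in turn; list (var, signal) for abnormal exits."""
    findings = []
    for var in var_names:
        _, sig = run_with_env(argv, var, value)
        if sig is not None:
            findings.append((var, sig))
    return findings


# Constructed stand-in target (hypothetical, not a Debian package): copies
# TERM into a notional 256-byte buffer and dies with SIGSEGV on overflow,
# mimicking the crash class described in the thread.
CRASHY_TARGET = [sys.executable, "-c",
                 "import os,signal,sys;"
                 "v=os.environ.get('TERM','');"
                 "os.kill(os.getpid(), signal.SIGSEGV) if len(v) > 256 "
                 "else sys.exit(0)"]

if __name__ == "__main__":
    target = sys.argv[1:] or CRASHY_TARGET
    for var, sig in fuzz_env(target, ["HOME", "TERM", "PATH", "LANG"]):
        print(f"{var}: abnormal exit ({sig})")
```

Run it with a real target as `python3 harness.py /path/to/binary`; a hit means the maintainer should rebuild with debug symbols and look at the stack under a debugger before deciding whether it is a bounds bug or a benign abort.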
On Tue, Jan 18, 2011 at 9:50 PM, Kees de Jong <email@example.com> wrote:
I don't quite follow your endeavor. Could you enlighten me (us) a bit more? Why are you doing this? And what benefit does this information serve us?
Kees de Jong