
Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs



Silvio,

Ok, thank you for your explanation. You're doing a very good job for the security team!







Silvio Cesare <silvio.cesare@gmail.com> wrote:

>The idea was to find buffer overflows in privileged programs in Debian that
>potentially allow for privilege escalation by a local user.
>
>I did this by building a list of all suid/sgid programs in Debian packages.
>I then tried using http://sharefuzz.sourceforge.net/ against those privileged
>executables. This tool attempts to test all the environment variables in a
>program by replacing the variables used with suitably long strings (eg, an
>8K long string). If the program in question crashes when using these
>environment variables, then this might indicate a buffer overflow and may be
>potentially exploitable leading to privilege escalation. The way an
>attacker would use this would be to gain code execution by crafting the
>environment variable before executing the suid program. The malicious code
>execution would from an attacker's point of view run with the privileges of
>the suid/sgid binary.
>I did this testing on most of the suid/sgid (ie privileged) programs in
>Debian and found 3 programs exited with a SIGSEGV indicating that at a
>minimum it was an abnormal exit and quite possibly a buffer overflow. I
>reported these crashes to the package maintainers but left it to them to
>determine the consequences and exploitability. 2 of the crashes were sgid
>games which is quite a low level of increased privilege, but one of the
>crashes was suid root. These packages are all non default, so again the
>impact of any vulnerability is reduced.
>
>This kind of testing is good for Debian security and provides some comfort
>to me at least knowing this class of vulnerability has been tested for
>against the privileged programs in the Debian repository.
>
>I also started doing this kind of testing against regular packages in
>Debian, but I do not think it is relevant to the security list and has much
>lesser value in general, even though it would be nice to say that programs
>don't crash when we arbitrarily change the environment.
>
>--
>Silvio Cesare
>On Tue, Jan 18, 2011 at 9:50 PM, Kees de Jong <keesdejong@gmail.com> wrote:
>
>> Sorry Silvio,
>>
>>
>> I don't quite follow your endeavor. Could you enlighten me (us) a bit more?
>> Why are you doing this? And what benefit does this information serve us?
>>
>>
>>
>> --
>> Kind regards,
>> Kees de Jong
>>
>>
>> The information contained in this message may be confidential and is
>> intended exclusively for the addressee(s).
>> If you have received this message in error, you are requested not to use
>> the contents and to inform the sender immediately by returning the
>> message.
>> --
>> The information contained in this message may be confidential and is
>> intended to be exclusively for the addressee(s).
>> Should you receive this message unintentionally, please do not use the
>> contents herein and notify the sender immediately by return e-mail.
>>
>>
>>
>> On Tue, Jan 18, 2011 at 03:49, Silvio Cesare <silvio.cesare@gmail.com> wrote:
>>
>>> I environment variable fuzzed the Debian 5.05 repository consisting of the
>>> following binaries:
>>>
>>>
>>> https://github.com/silviocesare/Automated-Audits/blob/master/Debian5.05/EnvironmentVariableFuzzing/05-01-2011/PrivilegedProgramList
>>>
>>> This is roughly most but not quite all SUID/SGID programs in Debian. There
>>> were some package conflicts which meant I didn't get complete automated
>>> coverage of the repository.
>>>
>>> I used the public sharefuzz tool which tries using long environment
>>> variables to trigger buffer overflows. I had three crashes and reported bugs
>>> for each:
>>>
>>> toppler http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608979
>>> lbreakout2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980
>>> zhcon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608981
>>>
>>> Any followup comments should CC me.
>>>
>>> --
>>> Silvio Cesare
>>>
>>
>>
>>
>>
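The overflow class Silvio describes above, as an added illustration that is not part of this thread or of the sharefuzz tool: an environment value copied unchecked into a fixed-size buffer, beside a bounded version that refuses the 8K values the fuzzer supplies instead of crashing with SIGSEGV. The function names, the 256-byte buffer and the constructed 'A'-filled value are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* fixed-size destination, as in the vulnerable pattern */

/* Constructed stand-in for what sharefuzz feeds a program: an
 * environment value of `len` bytes, here all 'A'. Caller frees it. */
char *make_fuzz_value(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Vulnerable pattern: an environment variable's value is copied into a
 * fixed-size buffer without a length check. With an 8K value the copy
 * runs past the buffer; in a suid/sgid binary that value is supplied by
 * the unprivileged caller, which is what the fuzzing run looks for. */
int load_path_unsafe(const char *env_value, char *out /* PATH_BUF bytes */) {
    if (env_value == NULL) return -1;
    strcpy(out, env_value);   /* overflows when strlen(env_value) >= PATH_BUF */
    return 0;
}

/* Hardened form: the environment is untrusted input, so measure the value
 * against the destination size first and refuse anything that does not
 * fit. The program fails closed instead of crashing. */
int load_path_safe(const char *env_value, char *out, size_t outlen) {
    if (env_value == NULL || outlen == 0) return -1;
    size_t n = strnlen(env_value, outlen);
    if (n >= outlen) return -1;   /* no room for the value plus terminator */
    memcpy(out, env_value, n + 1);
    return 0;
}

int main(void) {
    char buf[PATH_BUF];
    char *fuzz = make_fuzz_value(8192);
    if (fuzz == NULL) return 1;
    /* Only the bounded version is run against the 8K value; the unsafe one
     * would corrupt the stack here, which is the crash the thread reports. */
    printf("8K value: %s\n", load_path_safe(fuzz, buf, sizeof buf) == 0
                                  ? "accepted" : "rejected (too long)");
    free(fuzz);
    return 0;
}
```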
