Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs

[Silvio Cesare <silvio.cesare@gmail.com>]

The idea was to find buffer overflows in privileged programs in Debian that potentially allow for privilege escalation by a local user.

 

I did this by building a list of all suid/sgid programs in Debian packages. I then tried using http://sharefuzz.sourceforge.net/ against those privleged executables. This tool attempts to test all the environment variables in a program by replacing the variables used with suitably long strings (eg, an 8K long string). If the program in question crashes when using these environment variables, then this might indicate a buffer overflow and may be potentially exploitable leading to privelege escalation. The way an attacker would use this would be to gain code execution by crafting the environment variable before executing the suid program. The malicious code execution would from an attackers point of view run with the privileges of the suid/sgid binary.

I did this testing on most of the suid/sgid (ie privileged) programs in Debian and found 3 programs exited with a SIGSEGV indicating that at a minimum it was an abnormal exit and quite possibly a buffer overflow. I reported these crashes to the package maintainers but left it to them to determine the consequences and exploitability. 2 of the crashes were sgid games which is quite a low level of increased privilege, but one of the crashes was suid root. These packages are all non default, so again the impact of any vulnerability is reduced.

 

This kind of testing is good for Debian security and provides some comfort to me at least knowing this class of vulnerability has been tested for against the privleged programs in the Debian repository.

 

I also started doing this kind of testing against regular packages in Debian, but I do not think it is relevant to the security list and has much lesser value in general, even though it would be nice to say that programs don't crash when we arbitrarily change the environment.

 

--

Silvio Cesare

On Tue, Jan 18, 2011 at 9:50 PM, Kees de Jong <keesdejong@gmail.com> wrote:

Sorry Silvio,


I don't quite follow your endeavor. Could you enlighten me (us) a bit more? Why are you doing this? And what benefit does this information serve us?



--
Kind regards,
Kees de Jong

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde(n).
Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren.
--
The information contained in this message may be confidential and is intended to be exclusively for the addressee(s).
Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.

On Tue, Jan 18, 2011 at 03:49, Silvio Cesare <silvio.cesare@gmail.com> wrote:

I environment variable fuzzed the Debian 5.05 repository consisting of the following binaries:

https://github.com/silviocesare/Automated-Audits/blob/master/Debian5.05/EnvironmentVariableFuzzing/05-01-2011/PrivilegedProgramList

This is roughly most but not quite all SUID/SGID programs in Debian. There were some package conflicts which meant I didn't get complete automated coverage of the repository.

I used the public sharefuzz tool which tries using long environment variables to trigger buffer overflows. I had three crashes and reported bugs for each:

toppler http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608979
lbreakout2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980
zhcon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608981

Any followup comments should CC me.

--
Silvio Cesare