Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 15 Nov 2014 12:17:49 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: strings / libbfd crasher

> OTOH the "most" part in "most compression utilities" is somewhat
> questionable. There are quite a number of them. E.g. File Roller supports
> arj, lha, zoo...

Sure, I mean, the stuff people normally download and click on without
hesitation (tar, gz, zip, xz, 7z). There are hundreds of less common
tools and libraries that are probably awful.

>> The default operation of
>> /usr/bin/strings and the way many people ended up using it arguably
>> violates that assumption in a particularly pronounced way. Tools such
>> as objdump are a bit of a grey area, too.
>
> Why is that? I think using objdump to analyze malware is quite common.

Oh, I meant that it's still a bit sketchy (maybe less than 'strings'
because the untrusted input use case is a lot more specialized and
fewer people are at risk).

>> [...tcpdump...]
>
> Not good. Haven't you looked into it -- are these crashes due to malformed
> pcap format or due to malformed traffic?

Both, IIRC. There are some test cases that come with afl-fuzz.

> BTW any crash in imagemagick during image processing is regarded as a
> security issue? Probably a grateful target for fuzzing.

Well... probably? For example, some sites use ImageMagick to convert /
resize user-uploaded images. One would hope that they check file
headers and only accept JPEG / GIF / PNG or so, but that's probably
not universally true.

>> Now, the quality of the *average* OSS project is probably comparable
>> to libbfd, but the average OSS project is probably less likely to be
>> exposed to untrusted inputs under normal operating conditions.
>
> Sorry, I don't understand your stance. There is a whole world of desktop
> tools and applications -- from `file` and `strings` to LibreOffice and
> Blender. And most of them process files received from untrusted sources.

I wouldn't describe LibreOffice as a typical example. It's obviously
security-critical. What I mean is that, across all the packages
installed on your system, most bugs are fairly irrelevant from the
security perspective - i.e., it probably doesn't matter if you can
crash uname or ps by passing AAAAAAA... in the command line.

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.