Re: Analyze binary for holes

From: Karma (steve_at_frij.com)
Date: 07/31/03

  • Next message: Ronish Mehta: "Re: Password Cracking Challenge..." 
    Date: Thu, 31 Jul 2003 09:18:48 +1000
To: Peter Bondra <olafandjasper@hushmail.com>, vuln-dev@securityfocus.com

    The most effective way is to debug the executables, and look for vulnerable
    function calls.
    Check that it does (or does not) check for boundaries for potential buffer
    overflows.
    Check that the writer has not ignored and directly accessed rewritable
    memory space, instead of using format strings when dealing with strings etc.

    SUID roots et al, gives a way for a vulnerable program to be exploited for
    privilege escalation, it does NOT mean the program IS vulnerable, although
    it could be.

    HTH, kind regards

    ----- Original Message -----
    From: "Peter Bondra" <olafandjasper@hushmail.com>
    To: <vuln-dev@securityfocus.com>
    Sent: Wednesday, July 30, 2003 2:20 AM
    Subject: Analyze binary for holes

    Hello
    I am interested in how you may go about analyzing a binary file to
    determine potential format string or buffer overflow holes.

    The platforms I am testing are: SunOs Solaris 2.7/8/9(SPARC) and Windows
    NT/2000/XP.

    This is my process, maybe you could direct and fill in the massive blanks:

    UNIX:
    In the unix world my first step is to list out the SUID-root files.
    My next step is to identify which files have potential vulnerabilities.
    On the Unix side I have used strings, but what does that tell me about.
    I have seen a few mallocs, callocs, and things that look like a format
    string for a printf... But not sure what to do next...SO I was thinking
    of brute forcing the binary command line args and/or environmental vars
    to see if I can dump core..

    Can you identify potential format string vulnerabilities from binary?
    Can you identify potential buffer overflow vulns. from binary?

    WINDOWS:
    I have no idea how to recognize a vulnerable program in the Windows
    word.Is there anything like SUID-roor, etc??

    Thanks

  • Next message: Ronish Mehta: "Re: Password Cracking Challenge..."

    Relevant Pages

    • [REVS] Perl Format String Vulnerabilities
      ... Perl Format String Vulnerabilities ... Format string vulnerabilities in C programs have been studied extensively ... It should be noted that Perl's taint checker does not catch some variants ...
      (Securiteam)
    • [Full-disclosure] [ MDVSA-2009:234-1 ] silc-toolkit
      ... Affected: Enterprise Server 5.0 ... Multiple format string vulnerabilities in lib/silcclient/client_entry.c ... Mandriva Enterprise Server 5/X86_64: ...
      (Full-Disclosure)
    • [ MDVSA-2009:234-1 ] silc-toolkit
      ... Affected: Enterprise Server 5.0 ... Multiple format string vulnerabilities in lib/silcclient/client_entry.c ... Mandriva Enterprise Server 5/X86_64: ...
      (Bugtraq)
    • Wind/U
      ... I've been waiting for some discussion on vulnerabilities introduced to ... Unix by applications that use various Windows API porting techniques. ... it appears that the windu components that come with the ...
      (Vuln-Dev)
    • [Full-disclosure] [ MDVSA-2009:234 ] silc-toolkit
      ... Multiple format string vulnerabilities in lib/silcclient/client_entry.c ... SILC Client before 1.1.8, allow remote attackers to execute arbitrary ... Mandriva Linux 2008.1/X86_64: ...
      (Full-Disclosure)