Re: DJB's students release 44 *nix software vulnerability advisories

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: DJB's students release 44 *nix software vulnerability advisories
From: Jonathan Rockway <jrockw2@xxxxxxx>
Date: Tue, 21 Dec 2004 21:50:46 -0600
In-reply-to: <Pine.LNX.4.58.0412211456120.5237@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.A41.4.58.0412201706570.241672@xxxxxxxxxxxxxxxxx> <Pine.LNX.4.58.0412211456120.5237@xxxxxxxxxxxxxxxxxxxxxxxxx>

Hello everyone.

On 21 Dec 2004, at 1:59 PM, David F. Skoll wrote:

 If you have /bin/sh installed, I can send you a shell
script FROM THE NETWORK that will give me root access if you run it.
Therefore, every UNIX system on Earth has a remote hole, according to
your definition.

/bin/sh exists to run shell commands. That is the purpose of theshell. NASM, on the other hand, is designed to create object filesfrom assembly files. If NASM starts running arbitrary code on yourmachine, it's doing something unauthorized. That is a security hole.By typing "nasm file.S" you are not intending to authorize the authorof file.S to take over your account, right?

Also, could you please show me this shell script you speak of? All theshell scripts I know of that give me root access require me to type theroot password. If you have found a way around this, then you arecorrect, "every UNIX system on Earth has a remote hole". :)

You (not you personally, but many people from whom I received a reply)seem to think that "local" and "remote" are indicators of severity, butthat's just not the case. The NASM hole I discovered, for example, isnot very severe. I estimate that a total of 0 users will have theiraccounts compromised via this hole. But the possibility exists for aremote user to compromise an account, so it is called remote. Localholes require a local user to do something special, like write aprogram that closes fd 2 and execs chsh (the intent being for chsh toopen /etc/passwd under fd 2, and then write somethingattacker-controlled to "stderr" which is actually /etc/passwd.)


Summary: Local exploits are bad.  Remote exploits are bad.

milw0rm' writes:

> > "for you to assemble"
> Its a user error.  Your not remotely exploiting anything but the trust
> from the user.

The user trusts NASM to not wipe their homedir. NASM is betraying theuser's trust.

Many University classes utilize an assignment submission mechanism thatautomatically compiles and runs submitted programs. The execution ofthe compiled code is done in a jail, but the compiling is not (becauseit's hard to get all the compiler executables and resource files intothe jail). The NASM bug allows someone to compromise the system in thecompiling stage.

Even if the compile step were done in a jail, the attacker could removethe NASM binary, causing the system to not work for other users. It,therefore, IMPOSSIBLE to build a secure auto-grading system that usesNASM.


Wesley Shields writes:

> This is far from a remote vulnerability.  That's like posting some
> tainted shellcode in an exploit and waiting for people to blindly

> compile and run it. Stupid users blindly running untrusted code isnot

> a remote vulnerability.

Yes, but stupid users compiling said code and being compromised IS avulnerability. If you run the executable that NASM produces, you getwhat you deserve. Merely compiling it, though, should not allowarbitrary code to be executed.

(This raises the question, "why would you compile it and not run it?"to which I don't have a good answer. This detail limits the impact ofthis particular bug.)


Roger A. Grimes writes:

> Do you want us to be thankful because you did not commit an illegal
> crime?

No, I want you to be aware that some people aren't interested in theacademic value of security research. They want to 0wn b0x3n, and theyare doing that without our help. Were this NASM exploit useful inspreading viruses, it probably would have been discovered by amalicious cracker and used to create botnets that relay spam.

Also, I am of the belief that laws do not equal safety. You can tellme all you want that I can't hack your network, but until you deploysecure software, you are vulnerable. Hacking your network is onlyillegal if I get caught.

If you use secure software, however, it is, by definition, physicallyimpossible for you to be hacked. I would rather protect my data bymaking it impossible to get at than by imprisoning anyone that tries toget it. (For every one that you catch, how many do you miss?)

And finally, in regards to "responsible disclosure", here is the patchfor NASM:


old: vsprintf(buff, fmt, arg);
new: vsnprintf(buff, 1024, fmt, arg);

Setting buff[1023] to '\0' is a good idea, since vsnprintf won't dothat if vsprintf(buff, fmt, args) generates 1024 bytes.

Be careful to not let a user supply fmt, however, since that would leadto a format string vulnerability which would allow an attacker to writeto any byte in memory. :-)


Regards,
--
Jonathan Rockway <jrockw2@xxxxxxx>

Follow-Ups:
- Re: DJB's students release 44 *nix software vulnerability advisories
  - From: Michal Zalewski
- Re: DJB's students release 44 *nix software vulnerability advisories
  - From: Casper . Dik

References:
- Re: DJB's students release 44 *nix software vulnerability advisories
  - From: Jonathan T Rockway
- Re: DJB's students release 44 *nix software vulnerability advisories
  - From: David F. Skoll

Prev by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Next by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Previous by thread: Re: DJB's students release 44 *nix software vulnerability advisories
Next by thread: Re: DJB's students release 44 *nix software vulnerability advisories
Index(es):
- Date
- Thread