oss-sec mailing list archives

Re: Re: strings / libbfd crasher

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 15 Nov 2014 12:17:49 -0800

OTOH the "most" part in "most compression utilities" is somewhat
questionable. There are quite a number of them. E.g. File Roller supports
arj, lha, zoo...


Sure, I mean, the stuff people normally download and click on without
hesitation (tar, gz, zip, xz, 7z). There are hundreds of less common
tools and libraries that are probably awful.

The default operation of
/usr/bin/strings and the way many people ended up using it arguably
violates that assumption in a particularly pronounced way. Tools such
as objdump are a bit of a grey area, too.


Why is that? I think using objdump to analyze malware is quite common.


Oh, I meant that it's still a bit sketchy (maybe less than 'strings'
because the untrusted input use case is a lot more specialized and
fewer people are at risk).

[...tcpdump...]


Not good. Haven't you looked into it -- are these crashes due to malformed
pcap format or due to malformed traffic?


Both, IIRC. There are some test cases that come with afl-fuzz.

BTW any crash in imagemagick during image processing is regarded as a
security issue? Probably a grateful target for fuzzing.


Well... probably? For example, some sites use ImageMagick to convert /
resize user-uploaded images. One would hope that they check file
headers and only accept JPEG / GIF / PNG or so, but that's probably
not universally true.

Now, the quality of the *average* OSS project is probably comparable
to libbfd, but the average OSS project is probably less likely to be
exposed to untrusted inputs under normal operating conditions.


Sorry, I don't understand your stance. There is a whole world of desktop
tools and applications -- from `file` and `strings` to LibreOffice and
Blender. And most of them process files received from untrusted sources.


I wouldn't describe LibreOffice as a typical example. It's obviously
security-critical. What I mean is that, across all the packages
installed on your system, most bugs are fairly irrelevant from the
security perspective - i.e., it probably doesn't matter if you can
crash uname or ps by passing AAAAAAA... in the command line.

/mz

Current thread:

Re: Re: strings / libbfd crasher, (continued)
- - - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 02)
    - Re: Re: strings / libbfd crasher Hanno Böck (Nov 02)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 02)
    - Re: Re: strings / libbfd crasher Jann Horn (Nov 02)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 04)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 11)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 11)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 11)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 15)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 15)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 15)
    - Re: Re: strings / libbfd crasher mancha (Nov 03)
    - Re: Re: strings / libbfd crasher Michal Zalewski (Nov 03)
    - Re: Re: strings / libbfd crasher mancha (Nov 03)
    - Re: strings / libbfd crasher cve-assign (Nov 04)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
    - Re: Re: strings / libbfd crasher mancha (Nov 05)
    - Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
    - Re: strings / libbfd crasher cve-assign (Nov 12)
  - Re: Re: strings / libbfd crasher Alexander Cherepanov (Oct 26)

(Thread continues...)