| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Aug 2010 09:54:15 -0400 From: Dan Rosenberg <drosenberg@...curity.com> To: Henri Salo <henri@...v.fi> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: FuzzDiff tool Henri, > You have temporary file vulnerability in FuzzDiff > (5b6b5c6c22c1103b4169b9fe6e7bfbc3 > c0ce0235f8f0026988c60a3217233c36d829ecdf). Maybe you want to use > this module: http://docs.python.org/library/tempfile.html This is a good example of the difference between a quick and dirty script for accomplishing a simple task and a piece of production-ready software. FuzzDiff belongs to the first category. I'm well aware of what constitutes safe vs. unsafe temporary file usage, and I'll admit that FuzzDiff does not use temporarily files safely by default. I would wager a guess that most homegrown scripts designed for personal use aren't especially concerned with such things. Seeing as there are a number of parameters to tune in the script, I assumed that if you're running this on a production system with multiple users (why?!?!) you would simply change the path of the temporary file to one within your home folder, for example. Calling unsafe temporary file usage in a script like this a "vulnerability" may be a bit of a stretch. On the other hand, it couldn't hurt to fix it, so I did. > Please open bug-tracker for FuzzDiff and put the program under some > version controlling software. FuzzDiff is now hosted on Google Code at: http://code.google.com/p/fuzzdiff/ Feel free to file bugs or feature requests there. The temporary file usage is fixed. Ok, sure, if you have a world-writable /tmp directory without a sticky bit, it may still be vulnerable. Let's not get nit-picky here. Thanks, Dan > > Best regards, > Henri Salo > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAkxqiQQACgkQXf6hBi6kbk8/7wCgx4m4Wyv6i9GVfc9rNMLatDAW > TQ4An1AqwYBkdJoCJ/7BefGFWXanIfSa > =l+p+ > -----END PGP SIGNATURE----- > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ On Tue, Aug 17, 2010 at 9:05 AM, Henri Salo <henri@...v.fi> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Mon, 26 Jul 2010 16:53:28 -0400 > Dan Rosenberg <drosenberg@...curity.com> wrote: > >> Hello, >> >> I'd like to announce FuzzDiff, a simple tool to help make crash >> analysis during file format fuzzing a bit easier. I'm sure many >> people have written similar tools for their own purposes, but I >> haven't seen any that are publicly available. Hopefully at least one >> person finds it useful. >> >> When provided with a fuzzed file, a corresponding original un-fuzzed >> file, and the path to the targeted program, FuzzDiff will selectively >> "un-fuzz" portions of the fuzzed file while re-launching the >> application to monitor for crashes. This will yield a file that still >> crashes the target application, but contains a minimum set of changes >> from the original, un-fuzzed file. This can be useful in pinning down >> the exact cause of a crash. >> >> The tool is written in Python and currently only works on Unix-based >> systems, since it monitors for crashes by checking for SIGSEGV. It >> also assumes that the target program adheres to the syntax "[program] >> [args] [input file]". Both of these limitations can be easily worked >> around. The code is hardly what I'd call production-ready, but it >> gets the job done. >> >> The tool is available at: >> http://vsecurity.com/resources/tool >> >> Happy hacking, >> Dan Rosenberg > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists