lists.openwall.net: Open Source and information security mailing list archives
Date: Mon, 9 Oct 2006 07:08:36 +0100
From: Niall FitzGibbon <fitzgibbon@...eyonder.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Insecurity Stats via Google Code Search

I found that searching for malloc\(.*\*\ ?sizeof reveals some pretty spurious 
allocations in popular C++ libraries, including the GNU stdlib, STLport and 
boost:
http://www.google.com/codesearch?q=+malloc%5C(.*%5C*%5C+%3Fsizeof+show:CV5ZQLb1y8c:USiLyGH-df8:QYz5w8os9fA&sa=N&cd=9&ct=rc&cs_p=http://www.cpan.org/authors/id/D/DB/DBURDICK/BoostGraph/Boost-Graph-1.2.tar.gz&cs_f=Boost-Graph-1.2/include/boost/wave/util/flex_string.hpp#a0
http://www.google.com/codesearch?q=+malloc%5C(.*%5C*%5C+%3Fsizeof+show:QGmWhkyqhVI:3da3jFnqsVw:Y8SUwBJwBdg&sa=N&cd=20&ct=rc&cs_p=http://gentoo.osuosl.org/distfiles/gcc-3.4.6.tar.bz2&cs_f=gcc-3.4.6/libstdc%2B%2B-v3/include/ext/malloc_allocator.h#a0
http://www.google.com/codesearch?q=+malloc%5C(.*sizeof%5C(+show:kBDGJP-vR7o:V93UVxMV9ro:Q7sOdtM9ue0&sa=N&cd=29&ct=rc&cs_p=http://gentoo.osuosl.org/distfiles/STLport-4.6.2.tar.gz&cs_f=STLport-4.6.2/stlport/stl/_valarray.h#a0

Haven't yet had a chance to check how vulnerable each of those is to integer 
overflow, or even that they're the latest versions of the libraries in 
question.

I'm intrigued that he found so many format string vulnerabilities -- when I 
searched for them I mostly found vulnerable printfs being used inside test 
and debug code only, with the only obvious possible vulnerability being in 
the mailman logging system.

On Sunday 08 October 2006 09:21, Gadi Evron wrote:
> This isn't terribly shocking, and seems rather preliminary. Still,
> very interesting.
>
> Jose Nazario worked out some numbers using the Google code search.
>
> http://monkey.org/~jose/blog/viewpage.php?page=google_code_search_stats
>
> Interesting quotes:
>
> some stats based on simple queries used to find bugs (ie based on some
> reasonable regular expressions):
>
>     * strcpy from argv[x]: about 7,000
>     * strcat from argv[x]: about 1,000
>     * PHP-based remote file include vulns: 117 or so using GET, 100 or so
> for POST
>     * PHP-based SQL injection vulns:
>           o SELECT: about 600 using GET, about 500 using POST vars
>           o UPDATE: about 200 using GET, about 400 using POST vars
>           o DELETE: about 300 using GET, about 300 using POST vars
>     * PHP-based XSS vulns (it is the summer of file include, SQL injection
> and XSS on bugtraq): about 2700
>           o about 200 based on the info sent outside of the POST vars or
> the URL requested (ie User-Agent fun)
>           o an additional 100 based on COOKIE variables ...
>     * *printf-based buffer overflows? about 202,000 possible, hopefully
> less!
>     * about 50 format string vulns revealed
>     * off-by-ones (as pointed out by aaron@)? about 300.
>     * CreateFileMapping NULL Security (using Ollie's idea but adjusted for
> google codesearch): about 400
>
> I also keep updating every search pattern I find, here:
> http://blogs.securiteam.com/index.php/archives/663
>
> 	Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
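The allocation shape the malloc\(.*\*\ ?sizeof search above is meant to catch, shown as an added example that is not code from this thread or from any of the libraries it names (libstdc++, STLport, boost): an unchecked malloc(n * sizeof(T)) beside an overflow-checked form. The function names and the wrapping count are constructed for illustration.

```c
/* Added example, not from the thread or the libraries it discusses.
 * Function names and the chosen count are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 if count * elem_size does not fit in size_t, else 0. */
int would_overflow(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* The byte count malloc() actually receives from the unchecked form.
 * Unsigned multiplication wraps modulo SIZE_MAX + 1, so an oversized
 * request silently becomes a small one. */
size_t requested_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* The shape the regex matches: malloc(n * sizeof(T)) with no bound on n.
 * After a wrap the caller owns a tiny buffer but still believes it holds
 * `count` elements, and the first loop over them writes off the end. */
void *alloc_array_unchecked(size_t count, size_t elem_size)
{
    return malloc(count * elem_size);
}

/* Hardened form: reject the request before the multiplication wraps. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    if (would_overflow(count, elem_size))
        return NULL;
    return malloc(count * elem_size);
}

/* Allocates with the checked form, touches every byte, frees.
 * Returns 1 on success, 0 if the allocator refused the request. */
int fill_checked(size_t count, size_t elem_size)
{
    unsigned char *p = alloc_array_checked(count, elem_size);
    if (p == NULL)
        return 0;
    memset(p, 0xAA, count * elem_size);  /* safe: product was checked */
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed input: with either a 32- or a 64-bit size_t, this
     * count times an 8-byte element wraps to exactly 8 bytes. */
    size_t count = SIZE_MAX / 4 + 2;
    size_t elem = 8;

    printf("count=%zu elem=%zu overflow=%d unchecked request=%zu bytes\n",
           count, elem, would_overflow(count, elem),
           requested_bytes(count, elem));
    printf("checked alloc refused: %s\n",
           alloc_array_checked(count, elem) == NULL ? "yes" : "no");
    printf("checked alloc of 1000 x 8 ok: %d\n", fill_checked(1000, 8));
    return 0;
}
```

A hit from the search is only a bug when the count is attacker-influenced and nothing upstream bounds it, which is exactly the per-site check the message says has not yet been done for the three libraries; the regex finds candidates, not vulnerabilities. calloc(count, elem_size) performs the same multiplication on the caller's behalf and modern C libraries check it there, but an open-coded product in front of malloc() gets no such help, which is why the search targets that form.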
