Message-ID: <AANLkTimTdNe8G5W7EU7GzRocZKDS1dZoeY664bmg0dK9@mail.gmail.com>
Date: Tue, 17 Aug 2010 09:54:15 -0400
From: Dan Rosenberg <drosenberg@...curity.com>
To: Henri Salo <henri@...v.fi>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: FuzzDiff tool

Henri,

> You have temporary file vulnerability in FuzzDiff
> (5b6b5c6c22c1103b4169b9fe6e7bfbc3
> c0ce0235f8f0026988c60a3217233c36d829ecdf). Maybe you want to use
> this module: http://docs.python.org/library/tempfile.html

This is a good example of the difference between a quick and dirty
script for accomplishing a simple task and a piece of production-ready
software.  FuzzDiff belongs to the first category.  I'm well aware of
what constitutes safe vs. unsafe temporary file usage, and I'll admit
that FuzzDiff does not use temporary files safely by default.  I
would wager a guess that most homegrown scripts designed for personal
use aren't especially concerned with such things.  Seeing as there are
a number of parameters to tune in the script, I assumed that if you're
running this on a production system with multiple users (why?!?!) you
would simply change the path of the temporary file to one within your
home folder, for example.  Calling unsafe temporary file usage in a
script like this a "vulnerability" may be a bit of a stretch.  On the
other hand, it couldn't hurt to fix it, so I did.

> Please open bug-tracker for FuzzDiff and put the program under some
> version controlling software.

FuzzDiff is now hosted on Google Code at:
http://code.google.com/p/fuzzdiff/

Feel free to file bugs or feature requests there.  The temporary file
usage is fixed.  Ok, sure, if you have a world-writable /tmp directory
without a sticky bit, it may still be vulnerable.  Let's not get
nit-picky here.

Thanks,
Dan


>
> Best regards,
> Henri Salo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkxqiQQACgkQXf6hBi6kbk8/7wCgx4m4Wyv6i9GVfc9rNMLatDAW
> TQ4An1AqwYBkdJoCJ/7BefGFWXanIfSa
> =l+p+
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

On Tue, Aug 17, 2010 at 9:05 AM, Henri Salo <henri@...v.fi> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 26 Jul 2010 16:53:28 -0400
> Dan Rosenberg <drosenberg@...curity.com> wrote:
>
>> Hello,
>>
>> I'd like to announce FuzzDiff, a simple tool to help make crash
>> analysis during file format fuzzing a bit easier.  I'm sure many
>> people have written similar tools for their own purposes, but I
>> haven't seen any that are publicly available.  Hopefully at least one
>> person finds it useful.
>>
>> When provided with a fuzzed file, a corresponding original un-fuzzed
>> file, and the path to the targeted program, FuzzDiff will selectively
>> "un-fuzz" portions of the fuzzed file while re-launching the
>> application to monitor for crashes.  This will yield a file that still
>> crashes the target application, but contains a minimum set of changes
>> from the original, un-fuzzed file.  This can be useful in pinning down
>> the exact cause of a crash.
>>
>> The tool is written in Python and currently only works on Unix-based
>> systems, since it monitors for crashes by checking for SIGSEGV.  It
>> also assumes that the target program adheres to the syntax "[program]
>> [args] [input file]".  Both of these limitations can be easily worked
>> around.  The code is hardly what I'd call production-ready, but it
>> gets the job done.
>>
>> The tool is available at:
>> http://vsecurity.com/resources/tool
>>
>> Happy hacking,
>> Dan Rosenberg
>

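The procedure Dan describes in the announcement (restore pieces of the fuzzed file from the original, re-launch the target on each candidate, keep a restoration only if the target still dies with SIGSEGV) together with the temporary-file point Henri raised, as an added example. This is not FuzzDiff's own code and was not posted by either author. It assumes same-length files, the announced "[program] [args] [input file]" convention, and a child killed by SIGSEGV as the crash condition; the stand-in target script and the sample bytes are constructed for the demonstration.

```python
"""Added example (not FuzzDiff's code): a minimal FuzzDiff-style crash
minimizer using the safe temporary-file handling discussed in the thread.

Assumptions made for illustration: inputs are the same length, the target
follows the announced "[program] [args] [input file]" convention, and a
crash means the child died from SIGSEGV (POSIX: negative returncode).
"""
import os
import signal
import subprocess
import sys
import tempfile


def diff_ranges(original, fuzzed):
    """[(start, end)] byte runs where the two same-length inputs differ."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, fuzzed)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(fuzzed)))
    return ranges


def write_private_tempfile(data, suffix=""):
    """Safe temp-file usage (the point raised in the thread): mkstemp creates
    the file with O_CREAT|O_EXCL and mode 0600 under an unpredictable name,
    so a symlink planted at a guessable path such as /tmp/fuzzdiff.tmp cannot
    redirect the write.  The caller removes the file when done."""
    fd, path = tempfile.mkstemp(prefix="fuzzdiff-", suffix=suffix)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path


def target_crashes(program_argv, data, timeout=10):
    """Run "[program] [args] [input file]" on a private copy of `data` and
    report whether the child was killed by SIGSEGV."""
    path = write_private_tempfile(data)
    try:
        proc = subprocess.run(program_argv + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        return proc.returncode == -signal.SIGSEGV
    except subprocess.TimeoutExpired:
        return False          # a hang is not the crash being minimized
    finally:
        os.unlink(path)


def minimize(original, fuzzed, crashes):
    """Un-fuzz one differing range at a time, then one byte at a time inside
    the ranges that survive; a restoration is kept only if the oracle still
    reports a crash.  Returns (minimized bytes, number of oracle calls)."""
    if len(original) != len(fuzzed):
        raise ValueError("this example handles same-length files only")
    current, runs = bytearray(fuzzed), 0

    def try_restore(start, end):
        nonlocal current, runs
        candidate = bytearray(current)
        candidate[start:end] = original[start:end]
        runs += 1
        if crashes(bytes(candidate)):
            current = candidate     # still crashes: those bytes were not needed

    for start, end in diff_ranges(original, fuzzed):
        try_restore(start, end)
    for start, end in diff_ranges(original, current):
        if end - start > 1:                       # refine multi-byte ranges
            for i in range(start, end):
                try_restore(i, i + 1)
    return bytes(current), runs


# Constructed stand-in for a crashing parser: it sends SIGSEGV to itself
# whenever byte 8 of the input file is 0xFF, and exits cleanly otherwise.
DEMO_TARGET_SRC = """\
import os, signal, sys
data = open(sys.argv[-1], "rb").read()
if len(data) > 8 and data[8] == 0xFF:
    os.kill(os.getpid(), signal.SIGSEGV)
"""
# Constructed sample input: five mutated bytes, only byte 8 matters.
ORIGINAL = b"HDR\x00\x10\x00\x00\x00\x01\x02\x03\x04DATA"
FUZZED = b"HAR\x00\x7f\x00\x00\x00\xff\xfe\x03\x04DZTA"


def run_demo():
    """Minimize FUZZED against the stand-in target; returns (bytes, runs)."""
    script = write_private_tempfile(DEMO_TARGET_SRC.encode(), suffix=".py")
    try:
        argv = [sys.executable, script]
        return minimize(ORIGINAL, FUZZED, lambda d: target_crashes(argv, d))
    finally:
        os.unlink(script)


if __name__ == "__main__":
    result, runs = run_demo()
    print(f"{runs} target runs, minimized: {result!r}")
```

mkstemp closes the predictable-name and symlink hole, which is the fix Henri asked for. Dan's remaining caveat still stands: in a world-writable directory without the sticky bit another user can unlink and replace the file between the write and the target's open, so on a shared machine point TMPDIR (which tempfile honours) at a directory only you can write to.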
