Message-Id: <B1C068C5-DD6F-406D-BA2D-C6F685416F7C@gmail.com>
Date: Tue, 9 May 2017 09:34:23 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: fulldisclosure@...lists.org,
 oss-security@...ts.openwall.com
Subject: [FD] Numerous FreeTDS crashes fixed on master

Attached is a zip file of reported TDS streams that cause segmentation faults in the FreeTDS library. The ‘tsql’ binary was used for the fuzzing, so these most likely only affect client-side functionality. These have been resolved on master and the 1.0 branch.

Also included in the zip file is a bucket.txt, a crashwalk db dump detailing the crashes for the files in the zip file.

You can find the bucket.txt itself in the following Github gist as well. No CVE’s have been requested.

https://gist.github.com/brandonprry/bfb0e58682d464e2d2d319644790bdf5 <https://gist.github.com/brandonprry/bfb0e58682d464e2d2d319644790bdf5>

To test, you can compile FreeTDS, then use preeny to redirect network IO to stdin/stdout.

export LD_PRELOAD=~/preeny/x86_64-linux-gnu/desock.so
unzip freetds_crashed.zip
cd rpt
for i in id*; do valgrind ~/freetds/build/src/apps/tsql -S 127.0.0.1 -U fdsa -P fdsa -I ~/tdsconfig < $i; done

A simple tdsconfig file can be used to speed things up a bit.

[global]
timeout = 1
connect timeout = 1


Many thanks to Frediano Ziglio, the maintainer of FreeTDS, for quick communication and bug fix turn arounds.


Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists