Vulnerability Research

As part of my PhD research I perform automated vulnerability discovery. Many of the discovered vulnerabilities have low impact because the audits are performed across entire distributions and obscure packages tend to make up the bulk of the reports. However, occasionally something important appears vulnerable, such as a vulnerability in security enhanced postgresql in Fedora 13. I discovered about 30 vulnerabilities across Debian 5 and Fedora 13.
As part of a quick and dirty test of Linux security I environment-variable fuzzed the SUID/SGID programs in Debian 5.05 in the month of January 2011. It resulted in 3 crashes, excluding assertion failures, but that doesn't necessarily imply they are vulnerable.

And for some fun I grepped the Debian 5.05 repository of SUID/SGID programs for simple argv-based string buffer overflows and found a vulnerability in xdigger.

You can find more simple audits like the one that found xdigger at https://github.com/silviocesare/Automated-Audits/
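A minimal static audit in the spirit of the argv grep described above, written here as an added example (it is not one of the Automated-Audits scripts): it scans C source for unbounded strcpy/strcat/sprintf calls whose arguments come from argv[] or getenv(), the inputs an unprivileged caller controls when running a SUID/SGID program, and goes one step beyond a plain grep by also following a variable assigned directly from one of those sources. The sample C source is constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample C source (not from xdigger or any real package).
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char name[64];
    char path[256];
    char *home = getenv("HOME");
    if (argc > 1)
        strcpy(name, argv[1]);            /* unbounded copy from argv */
    strncpy(path, argv[2], sizeof(path)); /* bounded: not flagged */
    sprintf(path, "%s/.rc", home);        /* unbounded format from getenv via home */
    strcat(name, getenv("USER"));         /* unbounded concat from environment */
    return 0;
}
"""

# Unbounded copy/concat/format calls: capture function, destination, remaining args.
UNSAFE = re.compile(r"\b(strcpy|strcat|sprintf)\s*\(\s*(\w+)\s*,\s*(.*)\)\s*;")
# Inputs an unprivileged caller controls for a SUID/SGID program: argv and the environment.
TAINT = re.compile(r"argv\s*\[|getenv\s*\(")
# A variable assigned directly from one of those sources, e.g. char *home = getenv(...).
ASSIGN = re.compile(r"\b(?:char\s*\*\s*)?(\w+)\s*=\s*(?:getenv\s*\(|argv\s*\[)")

def find_unsafe_copies(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, function, destination) for each unbounded string call
    whose source arguments reference argv/getenv or a variable assigned from them."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            tainted.add(m.group(1))
        m = UNSAFE.search(line)
        if not m:
            continue
        func, dst, args = m.groups()
        if TAINT.search(args) or any(re.search(rf"\b{v}\b", args) for v in tainted):
            findings.append((no, func, dst))
    return findings

if __name__ == "__main__":
    for no, func, dst in find_unsafe_copies(SAMPLE_C):
        print(f"sample.c:{no}: {func} into '{dst}' from untrusted input")
```

Like the original grep, this is a triage filter, not a proof: each hit still needs the destination buffer size and any surrounding length checks read by hand.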


I also perform manual source code review. This is a partial list of vulnerabilities I have been involved in resolving. In 2003 I also presented at Ruxcon and Blackhat on the auditing work. More vulnerabilities can be found following those links.

Snort IP Fragment TTL Evasion, May 2008

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=701

This vulnerability was determined by IDefense as one of the most significant vulnerabilities in 2008 receiving 3rd prize in their 2008 VCP challenge.
It is now more than two years since the vulnerability was resolved, so it is now possible to release the proof of concept exploit and advisory I originally sent IDefense.

ClamAV integer overflow, Dec 2007

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=658

http://freshmeat.net/articles/view/539/

http://security.freebsd.org/advisories/FreeBSD-SA-02:38.signed-error.asc

http://rhn.redhat.com/errata/RHSA-2002-206.html

http://www.ethereal.com/appnotes/enpa-sa-00007.html

http://rhn.redhat.com/errata/RHSA-2002-210.html


Security patches (partial list)

From Linux

http://www.cs.helsinki.fi/linux/linux-kernel/2002-29/0676.html

http://www.cs.helsinki.fi/linux/linux-kernel/2002-30/0395.html

http://www.cs.helsinki.fi/linux/linux-kernel/2002-30/0626.html

http://www.cs.helsinki.fi/linux/linux-kernel/2002-32/0110.html

http://www.cs.helsinki.fi/linux/linux/kernel/2002-29

http://www.cs.helsinki.fi/linux/linux/kernel/2002-31

From FreeBSD

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/uipc_syscalls.c

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/i386/isa/vesa.c

From OpenBSD

http://www.squish.net/pipermail/owc/2002-August/00380.html

From NetBSD CVS

syssrc/sys/arch/lun68k/dev/lunafb.c

syssrc/sys/arch/arm/iomd/vidcvideo.c

syssrc/sys/arch/amiga/dev/grf_cv3d.c

syssrc/sys/compat/ibcs2/ibcs2_stat.c

syssrc/sys/dev/sun/bt_subr.c

syssrc/sys/dev/tc/cfb.c

syssrc/sys/dev/tc/sfb.c

syssrc/sys/dev/tc/xcfb.c

syssrc/sys/arch/hpcmips/dev/ite8181.c

syssrc/sys/arch/hpcmips/dev/mq200.c

syssrc/sys/arch/i386/i386/sys_machdep.c

Attachment: snort_spp_frag3_ttl_limit_evasion.tgz (206k), Silvio Cesare, Jan 31, 2010, 9:17 PM