oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

From: Joshua Rogers <oss () internot info>
Date: Mon, 17 Nov 2014 07:59:14 +1100
On 17/11/14 07:43, Michal Zalewski wrote:

However, even if tools like file/ndisasm/gimp/readelf can be used by

many (w/o strong system isolation boundaries) to analyze untrusted
inputs (for reverse engineering, malware analysis and similar
purposes) - I'd simply put a blame on those users

Well, it's always the easy option, but keep in mind that there are
countless tutorials that tell people to use 'file' or 'strings' to
examine sketchy file, or use tools such as objdump to do hobby
forensics.

I agree with Michal on this.
It's like saying Ritchie's fault for the fact that C does not have
inbuilt bound checking, allowing for buffer overflows...

I won't really expand on this, but my opinion is that _any_ program that
is 'trusted', such as `file' and `strings', that contains a flaw in it
that could pwn the running user, is a security risk.

I'll also add, from the `file' manpage:

  There has been a file command in every UNIX since at least Research
Version 4 (man page dated November, 1973).  The System V version intro‐
     duced one significant major change: the external list of magic
types.  This slowed the program down slightly but made it a lot more
flexible.

`file' is also used by internals of most programs that handle any input
too. Or some variant of it(probably libmagic).


And one last point.. `vlc' is used with untrusted input(i.e .mp4s, avis,
mp3s, etc.). If somebody gets pwned because they try to watch a video
they download, is it their fault?..

Thanks,
-- 
-- Joshua Rogers <https://internot.info/>
Previous By Date Next
Previous By Thread Next

Current thread: