Re: A "straw man" vulnerability auditing checklist
From: Antonomasia <ant(at)notatla.demon.co.uk>
Date: Thu Dec 05 2002 - 19:03:49 EST
> This list is quite incomplete, as reflected in the version number and
It's quite handy but could do with an example in each section.  Some
faults could be categorised in a number of ways and it's hard to be
sure the same fault doesn't appear twice under a different title.
Also the list of titles may not help much - does "3e. Missing/repeated/extra
separator or delimiter" mean things like a PGP 2 fingerprint having
different interpretations depending on key size ?

> 3. Syntax/grammar violation
Inadequate recognition of side-effects.
IFS, LD_*, MALLOC_CHECK_ ... odd resource limits, CWD

- perhaps aimed at the large subject of Unchecked Return Codes
  resource-related failures like process slots/E2BIG => execve() failed
  but program proceeds in incorrect state
> 19. Information Leak
unknown usernames being logged
> 54. Insufficient Randomness
entropy doses added to a pool are too small

> 24a. Signal handler race condition
TOCTOU - signal sent to wrong process because of termination and PID reuse. What I'd like to see is one of:
The best I know how to do now is:
Code for this is shown - what do people think ?

#!/usr/bin/perl -w
use strict;
use IO::Handle;

# This is a wrapper to apply to services where termination
# is to be delegated to other users.
#
# The service starts and writes a file to $startfile.  It
# treats the presence of a file with the same name in the
# $stop_signs directory as an indication it should stop.
# Write permission to that directory can easily be given to
# a number of user accounts without the need for setuid code
# to run kill(2) or the opportunity to kill processes outside
# this scheme.
#
# I envisage the filemodes like this.
# drwxr-xr-x  5 donut donut 3072 Nov 12 08:48 /opt/donut
# drwxr-xr-x  2 donut donut 3072 Nov 12 08:48 /opt/donut/are_go
# drwxrwxr-x  2 donut donut 3072 Nov 12 08:48 /opt/donut/stop_signs
# The donut account will clear out old files from these periodically
# by other means such as cron.
#
# This is vulnerable to disruptive behaviour by the users who have write
# permission to the $stop_signs directory.  You might combine this with
# logging via a setgid program that writes the entries to $stop_signs.

# definitions of control directories
my $appdir="/opt/donut";
my $are_go="$appdir/are_go";
my $stop_signs="$appdir/stop_signs";

# unique control-file name: time, a random number and our PID
my $tmpfile=sprintf("%d_%04d_%d", scalar time, rand(1000), $$);
my $startfile=sprintf("%s/%s", $are_go, $tmpfile);
my $stopfile=sprintf("%s/%s", $stop_signs, $tmpfile);

# create a file to enroll the process in this scheme
# (the open() call was lost in the archive; reconstructed from the
# die() that follows and the printf(FH ...) in the child)
open(FH, ">", $startfile)
  or die("open $startfile $!");

my $ppid=$$;
my $pid;
# (the fork() test was also lost in the archive; reconstructed from
# the parent/child branches that follow)
if ($pid=fork) {
  # parent
  # This parent will quit if the (only) child has quit.
  # Might be expanded to start (and count) multiple child processes.
  local $SIG{CHLD}=sub{exit(0)};
  #
  if (0==kill(0,$pid)) {
    # child dead already ?
    exit(0);
  }
  my $signum=15;
  for (;;) {
    if (-f "$stopfile") {
      kill($signum,$pid);
      $signum=9;        # in case we loop again
    }
    sleep(10);
  }
} else {
  # fork returned undef: we are still the parent, so fork failed
  die("fork $!") if ($$ == $ppid);
  # Writing the PID to the file helps users who know the PID they want
  # to kill (perhaps from ps) and want to find the name of the right
  # control file.
  printf(FH "%d\n", $$);
  close(FH);
  # or whatever service you want to run ....
  exec("sar","5");
  die("exec $!");
}

--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################

Received on Fri Dec 6 13:18:02 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT
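The same delegation scheme written in Python, as an added example that is not part of the post (the poster's code above is Perl). It assumes the post's layout of an `are_go` directory owned by the service account and a group-writable `stop_signs` directory, but takes the application directory as a parameter so it can run against a temporary directory. The point worth seeing in code is why the scheme sidesteps the PID-reuse race mentioned under 24a: the wrapper is the service's parent, and a child's PID cannot be handed to another process until the parent has reaped it, so the PID that `poll()` has not yet reported as exited is still the wrapper's own child.

```python
"""Stop-file wrapper: delegate service termination without setuid kill(2).

Example code, not the post's. The wrapper spawns the service as its own
child, enrols it under <appdir>/are_go/<name>, and stops it once a file of
the same name appears under <appdir>/stop_signs (SIGTERM first, SIGKILL
after a grace period, mirroring the post's $signum=15 then 9).
"""
import os
import random
import signal
import subprocess
import tempfile
import time
from dataclasses import dataclass

ARE_GO = "are_go"          # written only by the service account (mode 0755)
STOP_SIGNS = "stop_signs"  # group-writable so delegated users may stop (0775)


@dataclass
class Enrolment:
    name: str
    proc: subprocess.Popen
    startfile: str
    stopfile: str


def _unique_name() -> str:
    # Same shape as the post's sprintf("%d_%04d_%d", time, rand(1000), $$);
    # uniqueness, not unpredictability, is what matters here.
    return f"{int(time.time())}_{random.randrange(1000):04d}_{os.getpid()}"


def start_service(argv, appdir):
    """Spawn argv as a child process and enrol it in the stop-file scheme."""
    are_go = os.path.join(appdir, ARE_GO)
    stop_signs = os.path.join(appdir, STOP_SIGNS)
    os.makedirs(are_go, exist_ok=True)
    os.makedirs(stop_signs, exist_ok=True)
    os.chmod(are_go, 0o755)      # only the service account enrols processes
    os.chmod(stop_signs, 0o775)  # the delegated group may create stop files
    name = _unique_name()
    startfile = os.path.join(are_go, name)
    stopfile = os.path.join(stop_signs, name)
    proc = subprocess.Popen(argv)
    # Record the child's PID so a user who knows the PID (e.g. from ps) can
    # find the matching control-file name, as the post's child does.
    with open(startfile, "x") as fh:
        fh.write(f"{proc.pid}\n")
    return Enrolment(name, proc, startfile, stopfile)


def wait_for_stop(enr, poll=10.0, grace=30.0):
    """Block until the child exits; stop it if its stop file appears.

    Returns the child's status as Popen.returncode reports it: the exit code,
    or -N when it died from signal N. Because poll() reaps the child only
    after it has exited, enr.proc.pid cannot have been reused by an unrelated
    process while this loop is still signalling it.
    """
    term_sent_at = None
    while enr.proc.poll() is None:
        if os.path.isfile(enr.stopfile):
            if term_sent_at is None:
                enr.proc.send_signal(signal.SIGTERM)
                term_sent_at = time.monotonic()
            elif time.monotonic() - term_sent_at >= grace:
                enr.proc.send_signal(signal.SIGKILL)  # escalate, as $signum=9
        time.sleep(poll)
    # Remove the enrolment; the stop file is left for the owner's cron job.
    try:
        os.unlink(enr.startfile)
    except FileNotFoundError:
        pass
    return enr.proc.returncode


if __name__ == "__main__":
    # Stand-alone demo in a temporary directory standing in for /opt/donut.
    appdir = tempfile.mkdtemp(prefix="donut_")
    enr = start_service(["sleep", "60"], appdir)
    print(f"enrolled {enr.name}; a delegated user would now touch {enr.stopfile}")
    open(enr.stopfile, "w").close()  # simulate that user
    print("service exit status:", wait_for_stop(enr, poll=0.5, grace=5.0))
```

The post's caveat still applies: anyone with write access to `stop_signs` can stop any enrolled service, so in practice the stop-file writer should be a small logging program (setgid to the group that owns `stop_signs`) rather than a shell prompt.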