ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File

Carter Bullard carter at qosient.com
Tue Feb 5 01:08:22 EST 2008


Hey Mathew,
Your/our problem is not like that.  We were crashing before reading any
data on the wire, as the interface type was unknown to argus().  But,
no program is completely immune from getting garbage and having to
deal with it.  We do a pretty good job of that, and the network helps
a great deal in that if it's on the network, it has passed a number of
checks (length, format, type, etc...).

Argus doesn't have to run as root, we support setuid() and setgrp()
calls to 'degrade' its capabilities, and if it does have to run as root
for whatever reason, you can control where it functions on your
system using chroot().  Check out the argus.conf file in ./common/Config
and you'll see what support we have.


Carter
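
An added example, not code from argus or from Carter, showing the
privilege-drop and chroot() sequence the message above describes: the
capture handle is opened while still root, then the process is jailed
and its group and user ids lowered, and finally it verifies that it
cannot get root back.  The user name, jail path and the comment where
the interface would be opened are assumptions for illustration; libpcap
is not linked here.

```c
/* Added example (not argus source): drop root after the privileged
 * setup is done.  Order matters: chroot() first (needs root), then
 * setgroups()/setgid() (must precede setuid(), which would make them
 * fail), then setuid(), then verify. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid; if jail is non-NULL, chroot() into it first.
 * Returns 0 on success, -1 on any failure.  The caller must abort on
 * failure: running on half-dropped is worse than not starting. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (jail != NULL) {
        /* chdir("/") afterwards, or the cwd still points outside the jail. */
        if (chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }
    if (geteuid() == 0) {
        /* setgid() does not clear supplementary groups; without this the
         * process may stay in root/wheel.  Only root may call setgroups(). */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* gid before uid */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Check real and effective ids both changed; some older platforms'
     * setuid() only touched the effective id. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* 1 if setuid(0) still succeeds (saved uid is root, or we never dropped),
 * 0 if the drop is irreversible.  After a correct drop this returns 0. */
int can_regain_root(void)
{
    return setuid(0) == 0;
}

int main(int argc, char **argv)
{
    /* Usage (assumed names): ./drop <user> [jail] */
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [jail]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 2;
    }
    /* A sensor would open its interface here, e.g. with pcap_open_live(),
     * while it still has root; the open handle survives the drop. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid, argc > 2 ? argv[2] : NULL) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u, can regain root: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           can_regain_root() ? "YES (bug)" : "no");
    return 0;
}
```

Run it as root with an unprivileged user (and optionally an empty jail
directory) and the last line should report "no"; an unprivileged
process can also call drop_privileges() with its own ids, which is
what the self-test does.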



On Feb 4, 2008, at 11:23 PM, Mathew Brown wrote:

> Hi Carter,
>
>  Thank you for your super fast fix.  I tried it out and it looks like
>  it's working fine (no seg faults).  However, this does bring about a
>  question:  if argus is listening on a network interface and a user is
>  able to send it unexpected input, could they crash your argus sensor
>  (seg fault it) and possibly worse - since argus is usually run as the
>  super user?  Or does argus by default protect and report __bad
>  traffic__ with the wireless pcap below being an exception?  Thanks.
>
> On Mon, 4 Feb 2008 22:01:24 -0500, "Carter Bullard" <carter at qosient.com>
> said:
>> Hey Mathew,
>> Did you get a chance to test the new argus-3.0.0.tar.gz that is on
>> the server?
>> Carter
>>
>>
>> On Feb 1, 2008, at 12:05 AM, Mathew Brown wrote:
>>
>>>> Description:
>>> 	
>>> Argus Seg Faults When Analyzing Wireless PCAP File
>>>
>>> I ran into a pcap file when reading the article: "Wireless
>>> Forensics: Tapping the Air - Part Two" -
>>> http://www.securityfocus.com/print/infocus/1885.  The actual pcap
>>> file can be downloaded directly from here:
>>> http://www.raulsiles.com/downloads/VoIP_roaming_session.zip  After
>>> unzipping, running:
>>>
>>> argus -r merged_voip_roaming_session.pcap -w merged_voip_roaming_session.pcap.argus
>>>
>>> would give me the error:
>>>
>>> Segmentation Fault
>>>
>>>> How-To-Repeat:
>>>
>>>  See Description
>>>
>>>> Fix:
>>>
>>>  None that I know of.
>>>
>>>> Submitter-Id:  None
>>>> Originator:    mathewbrown at fastmail.fm
>>>> Organization:	None
>>>> ARGUS support: none
>>>> Release:       argus-3.0
>>>> Product:       argus
>>>> Synopsis:      Argus Seg Faults When Analyzing Wireless PCAP File
>>>> Class:	        sw-bug
>>>> Severity:      non-critical
>>>> Priority:      low/medium
>>>
>>>> Environment:   <machine, os, target, libraries (multiple lines)>
>>>
>>> System:  Linux deb 2.6.22-grml #1 SMP PREEMPT Tue Jul 10 00:35:57
>>> CEST 2007 i686 GNU/Linux
>>>
>>>
>>> Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
>>> /usr/bin/gcc
>>>
>>> ARGUS:   Argus Version 3.0.0
>>> RA:      Ra Version 3.0.0.rc.68
>>>
>>>
>>> GCC:     Using built-in specs.
>>> Target: i486-linux-gnu
>>> Configured with: ../src/configure -v
>>> --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
>>> --enable-shared --with-system-zlib --libexecdir=/usr/lib
>>> --without-included-gettext --enable-threads=posix --enable-nls
>>> --with-gxx-include-dir=/usr/include/c++/4.1.3 --program-suffix=-4.1
>>> --enable-__cxa_atexit --enable-clocale=gnu --enable-libstdcxx-debug
>>> --enable-mpfr --enable-checking=release i486-linux-gnu
>>> Thread model: posix
>>> gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)
>>>
>>> LIBC:
>>> lrwxrwxrwx 1 root root 11 2007-12-14 13:55 /lib/libc.so.6 ->
>>> libc-2.7.so
>>> -rwxr-xr-x 1 root root 1356012 2007-12-07 11:38 /lib/libc-2.7.so
>>> -rw-r--r-- 1 root root 3030784 2007-12-07 11:39 /usr/lib/libc.a
>>> -rw-r--r-- 1 root root 238 2007-12-07 11:11 /usr/lib/libc.so
>>>
>>> PS.  I had trouble sending the report using argusbug due to SMTP
>>> being unavailable, so I'm sending it via web mail.  I also tried
>>> running it through argus on my Fedora 8 box and it would also seg
>>> fault.
>>> -- 
>>> Mathew Brown
>>> mathewbrown at fastmail.fm
>>>
>>> -- 
>>> http://www.fastmail.fm - The professional email service
>>>
>>>
> -- 
>  Mathew Brown
>  mathewbrown at fastmail.fm
>
> -- 
> http://www.fastmail.fm - The way an email service should be
>
>


