ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File

Mathew Brown mathewbrown at fastmail.fm
Wed Feb 6 02:26:23 EST 2008


Hi Carter,
  Thank you for the clarification.  Should I try to test it with other
  wireless pcaps to make sure they are covered or was the Prism chipset
  an exception?

On Tue, 5 Feb 2008 01:08:22 -0500, "Carter Bullard" <carter at qosient.com>
said:
> Hey Mathew,
> Your/our problem is not like that.  We were crashing before reading any
> data on the wire, as the interface type was unknown to argus().  But,
> no program is completely immune from getting garbage and having to
> deal with it.  We do a pretty good job of that, and the network helps
> a great deal in that if it's on the network, it has passed a number of
> checks (length, format, type, etc...).
> 
> Argus doesn't have to run as root, we support setuid() and setgrp()
> calls to 'degrade' its capabilities, and if it does have to run as root
> for whatever reason, you can control where it functions on your
> system using chroot().  Check out the argus.conf file in ./common/Config
> and you'll see what support we have.
> 
> 
> Carter
> 
> 
> 
> On Feb 4, 2008, at 11:23 PM, Mathew Brown wrote:
> 
> > Hi Carter,
> >
> >  Thank you for your super fast fix.  I tried it out and it looks like
> >  it's working fine (no seg faults).  However, this does bring about a
> >  question:  if argus is listening on a network interface and a user is
> >  able to send it unexpected input, could they crash your argus sensor
> >  (seg fault it) and possibly worse - since argus is usually run as the
> >  super user?  Or does argus by default protect and report __bad
> >  traffic__ with the wireless pcap below being an exception?  Thanks.
> >
> > On Mon, 4 Feb 2008 22:01:24 -0500, "Carter Bullard" <carter at qosient.com>
> > said:
> >> Hey Mathew,
> >> Did you get a chance to test the new argus-3.0.0.tar.gz that is on the
> >> server?
> >> Carter
> >>
> >>
> >> On Feb 1, 2008, at 12:05 AM, Mathew Brown wrote:
> >>
> >>>> Description:
> >>> 	
> >>> Argus Seg Faults When Analyzing Wireless PCAP File
> >>>
> >>> I ran into a pcap file when reading the article: "Wireless Forensics:
> >>> Tapping the Air - Part Two" -
> >>> http://www.securityfocus.com/print/infocus/1885.  The actual pcap file
> >>> can be downloaded directly from here:
> >>> http://www.raulsiles.com/downloads/VoIP_roaming_session.zip  After
> >>> unzipping, running:
> >>>
> >>> argus -r merged_voip_roaming_session.pcap -w merged_voip_roaming_session.pcap.argus
> >>>
> >>> would give me the error:
> >>>
> >>> Segmentation Fault
> >>>
> >>>> How-To-Repeat:
> >>>
> >>>  See Description
> >>>
> >>>> Fix:
> >>>
> >>>  None that I know of.
> >>>
> >>>> Submitter-Id:  None
> >>>> Originator:    mathewbrown at fastmail.fm
> >>>> Organization:	None
> >>>> ARGUS support: none
> >>>> Release:       argus-3.0
> >>>> Product:       argus
> >>>> Synopsis:      Argus Seg Faults When Analyzing Wireless PCAP File
> >>>> Class:	        sw-bug
> >>>> Severity:      non-critical
> >>>> Priority:      low/medium
> >>>
> >>>> Environment:   <machine, os, target, libraries (multiple lines)>
> >>>
> >>> System:  Linux deb 2.6.22-grml #1 SMP PREEMPT Tue Jul 10 00:35:57 CEST
> >>> 2007 i686 GNU/Linux
> >>>
> >>>
> >>> Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
> >>> /usr/bin/gcc
> >>>
> >>> ARGUS:   Argus Version 3.0.0
> >>> RA:      Ra Version 3.0.0.rc.68
> >>>
> >>>
> >>> GCC:     Using built-in specs.
> >>> Target: i486-linux-gnu
> >>> Configured with: ../src/configure -v
> >>> --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
> >>> --enable-shared --with-system-zlib --libexecdir=/usr/lib
> >>> --without-included-gettext --enable-threads=posix --enable-nls
> >>> --with-gxx-include-dir=/usr/include/c++/4.1.3 --program-suffix=-4.1
> >>> --enable-__cxa_atexit --enable-clocale=gnu --enable-libstdcxx-debug
> >>> --enable-mpfr --enable-checking=release i486-linux-gnu
> >>> Thread model: posix
> >>> gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)
> >>>
> >>> LIBC:
> >>> lrwxrwxrwx 1 root root 11 2007-12-14 13:55 /lib/libc.so.6 ->
> >>> libc-2.7.so
> >>> -rwxr-xr-x 1 root root 1356012 2007-12-07 11:38 /lib/libc-2.7.so
> >>> -rw-r--r-- 1 root root 3030784 2007-12-07 11:39 /usr/lib/libc.a
> >>> -rw-r--r-- 1 root root 238 2007-12-07 11:11 /usr/lib/libc.so
> >>>
> >>> PS.  I had trouble sending the report using argusbug due to SMTP being
> >>> unavailable, so I'm sending it via web mail.  I also tried running it
> >>> through argus on my Fedora 8 box and it would also seg fault.
> >>> -- 
> >>> Mathew Brown
> >>> mathewbrown at fastmail.fm
> >>>
> >>> -- 
> >>> http://www.fastmail.fm - The professional email service
> >>>
> >>>
> > -- 
> >  Mathew Brown
> >  mathewbrown at fastmail.fm
> >
> > -- 
> > http://www.fastmail.fm - The way an email service should be
> >
> >
-- 
  Mathew Brown
  mathewbrown at fastmail.fm

-- 
http://www.fastmail.fm - A fast, anti-spam email service.
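The mitigation Carter points to in the quoted thread (a capture sensor that opens its interface as root, then uses setuid/setgid and optionally chroot to shed those privileges before it ever parses a packet) is illustrated below. This is an added example written for this archive page, not argus's own code and not taken from argus.conf; the drop order, the hypothetical unprivileged uid/gid/jail arguments, and the post-drop self-check are this example's own choices. The check is what a defender wants after a crash report like Mathew's: confirm that a segfault in the packet parser would now happen in an unprivileged, confined process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root after the capture descriptor has been opened.
 * Order matters: chroot() first (it needs root), then setgroups()/setgid()
 * (they need root, so they must run before setuid() gives it up), and
 * setuid() last.  jail may be NULL to skip chroot().
 * Returns 0 on success, -1 on error with errno set. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (jail != NULL) {
        /* chdir("/") so the process does not keep a handle outside the jail. */
        if (chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }
    /* Clear supplementary groups so no inherited membership survives.
     * Only root may call setgroups(), so skip it when not root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)   /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Verify the drop actually took: all four ids match the target, and
 * (when the target is not root) the process can no longer regain uid 0.
 * Returns 1 if the process is confined as expected, 0 otherwise. */
int check_privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        /* A correct drop (setuid, not seteuid) leaves no saved root uid,
         * so this must fail with EPERM. */
        if (setuid(0) == 0)
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Hypothetical sensor account and jail, given as: uid gid [jail-dir].
     * Without arguments the program "drops" to its own ids so it can be
     * run unprivileged to see the checks in action. */
    uid_t uid = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = (argc > 2) ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    const char *jail = (argc > 3) ? argv[3] : NULL;

    /* ... open the capture interface here, while still privileged ... */

    if (drop_privileges(uid, gid, jail) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!check_privileges_dropped(uid, gid)) {
        fprintf(stderr, "privileges were not fully dropped\n");
        return 1;
    }
    printf("packet processing runs as uid=%u gid=%u%s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           jail ? " inside chroot jail" : "");
    return 0;
}
```

The self-check matters more than the drop itself: a sensor that calls seteuid() instead of setuid(), or that calls setuid() before setgid(), reports a non-root effective uid yet can still regain root, which is exactly the situation a malformed packet on a listening interface would turn into a root-level crash or worse.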