ARGUSBug Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT

Chris Benedict via Argus-info argus-info at lists.andrew.cmu.edu
Fri Aug 19 19:09:56 EDT 2016


Carter,

Sounds good to me. I wasn't sure how you would like the bug fixed so I just
included something quick and dirty.

I also have a divide-by-zero bug I will be sending a report in for on
Monday.

Thanks for the quick response.

--
Chris Benedict
Prometheus Computing

On Aug 19, 2016 4:58 PM, "Carter Bullard" <carter at qosient.com> wrote:

> Hey Chris,
> Thanks for the bug report.  The condition that you are highlighting, where
> a flow record's label string is assumed to have length greater than zero,
> shouldn’t occur using argus and argus clients programs.  Sorry to see that
> you could provide a sample file that shows that it can :O(
>
> OK, so we are parsing input flow records, and the condition is that we
> have an ARGUS_LABEL_DSR, that doesn’t contain a valid label string.  The
> standard way to deal with parsing error conditions is to just keep
> processing, rather than throw an error exception.  If a DSR is corrupt, we
> assume the record is corrupt, and we toss the single record.  In your
> sample file, the record that has the bad label section, also doesn’t have a
> valid metrics section, so it's pretty messed up.
>
> The fix that we are adding to the master distribution, causes us to toss
> the corrupted record and continue on, which then processes the other
> records that are in your sample file.
>
> Our recommendation is:
>
>   if (tlabel->hdr.argus_dsrvl8.len <= 0) {
>      retn = NULL;
>      break;
>   }
>
> If this satisfies, the fix will be in the next release.
> Carter
>
>
> > On Aug 19, 2016, at 5:54 PM, Chris Benedict via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> >
> >> Description:
> >
> >   This issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/).
> >
> >   Within ArgusGenerateRecordStruct() in common/argus_client.c at line 2834 the
> >   variable 'tlabel->hdr.argus_dsrvl8.len' is not checked. When set to 0 as in
> >   the sample provided, it causes 'llen' to be set to a negative number. When
> >   passed to bzero() at line 2836 it causes a segmentation fault and causes the
> >   application to crash.
> >
> >   This bug is potentially exploitable. We request an appropriate CVE.
> >
> >> How-To-Repeat:
> >
> >   Download sample from:
> >   https://nfiles.nist.gov/seos/1000/mpd/ui27082016897c598e94f8f9febc4682415276ed88
> >
> >   Execute with ra:
> >   ra -r sample
> >
> >   Please note, the file will only be available until August 26, 2016. If you
> >   encounter any difficulty please contact me at
> >   c.benedict at prometheuscomputing.com.
> >
> >> Fix:
> >
> >   Add bounds checking to the relevant function at around line 2834 such as:
> >
> >   if (tlabel->hdr.argus_dsrvl8.len <= 0) {
> >      ArgusLog (LOG_ERR, "ArgusGenerateRecordStruct: pre ARGUS_LABEL_DSR len is zero");
> >      break;
> >   }
> >
> >> Originator: Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
> >> Organization:
> > National Institute of Standards and Technology
> >> ARGUS support: none
> >> Release:       argus-3.0
> >> Product:       ra
> >> Synopsis:      Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT
> >> Class:        sw-bug
> >> Severity:      serious
> >> Priority:      high
> >
> >> Environment:   Linux
> >
> > System:  Linux 4.7.0-1-ARCH #1 SMP PREEMPT Mon Aug 8 22:05:58 CEST 2016 x86_64 GNU/Linux
> >
> >
> > Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
> >
> > ARGUS:   Argus Version 3.0.8.2
> > RA:      Ra Version 3.0.8.2
> >
> >
> > GCC:     Using built-in specs.
> > COLLECT_GCC=/usr/bin/gcc
> > COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.1.1/lto-wrapper
> > Target: x86_64-pc-linux-gnu
> > Thread model: posix
> > gcc version 6.1.1 20160802 (GCC)
> >
> > LIBC:
> > -rw-r--r-- 1 root root 4769020 Aug  6 05:17 /lib/libc.a
> > -rw-r--r-- 1 root root 255 Aug  6 05:16 /lib/libc.so
> > lrwxrwxrwx 1 root root 12 Aug  6 05:17 /lib/libc.so.6 -> libc-2.24.so
> > -rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /lib/libc-2.24.so
> > -rw-r--r-- 1 root root 4769020 Aug  6 05:17 /usr/lib/libc.a
> > -rw-r--r-- 1 root root 255 Aug  6 05:16 /usr/lib/libc.so
> > lrwxrwxrwx 1 root root 12 Aug  6 05:17 /usr/lib/libc.so.6 -> libc-2.24.so
> > -rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /usr/lib/libc-2.24.so
> >
>
>
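The length check that both the report's proposed fix and Carter's recommendation add, shown as an added example that is not code from this thread or from the Argus sources. It models the DSR header as a constructed four-byte struct whose 8-bit `len` counts 4-byte words (an assumption about the real `argus_dsrvl8` layout), puts the unchecked arithmetic from the report beside a checked version that also bounds the DSR against the record, and drops the record on failure as Carter describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a DSR header; the real struct in Argus differs.
   Assumption: 'len' is the whole DSR length in 4-byte words, header included. */
#define ARGUS_LABEL_DSR 0x10   /* placeholder type code, not the real value */

struct dsr_hdr {
    uint8_t type;
    uint8_t subtype;
    uint8_t qual;
    uint8_t len;
};

/* The pattern the report describes: 'len' is trusted, so len == 0 yields a
   negative payload length, which bzero() would receive as a huge size_t.
   Kept as plain int arithmetic here; it is never used for a memory operation. */
static int label_payload_len_unchecked(const struct dsr_hdr *h) {
    return (h->len * 4) - (int)sizeof(struct dsr_hdr);   /* -4 when len == 0 */
}

/* Hardened version: reject len == 0 and any DSR that would overrun the
   remaining record bytes. Returns payload bytes, or -1 to discard the record. */
static int label_payload_len_checked(const struct dsr_hdr *h, size_t remaining) {
    size_t total = (size_t)h->len * 4;
    if (h->len == 0 || total < sizeof(struct dsr_hdr) || total > remaining)
        return -1;
    return (int)(total - sizeof(struct dsr_hdr));
}

/* Copy the label string of a record into 'out' (always NUL-terminated).
   Returns 0 on success, -1 when the record should be tossed and parsing
   should continue with the next one. */
int extract_label(const unsigned char *rec, size_t reclen, char *out, size_t outsz) {
    struct dsr_hdr h;
    if (reclen < sizeof h) return -1;
    memcpy(&h, rec, sizeof h);
    if (h.type != ARGUS_LABEL_DSR) return -1;
    int llen = label_payload_len_checked(&h, reclen);
    if (llen < 0 || (size_t)llen >= outsz) return -1;
    memset(out, 0, outsz);              /* the bzero() from the report, now with a sane size */
    memcpy(out, rec + sizeof h, (size_t)llen);
    return 0;
}
```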