ARGUS Bug: Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Fri Aug 19 19:27:30 EDT 2016


Hey Chris,
Keep those cards and letters coming !!!!
Have a great weekend,
Carter

> On Aug 19, 2016, at 7:09 PM, Chris Benedict <c.benedict at prometheuscomputing.com> wrote:
> 
> Carter,
> 
> Sounds good to me. I wasn't sure how you would like the bug fixed so I just included something quick and dirty.
> 
> I also have a divide-by-zero bug I will be sending a report in for on Monday.
> 
> Thanks for the quick response.
> 
> --
> Chris Benedict
> Prometheus Computing
> 
> 
> On Aug 19, 2016 4:58 PM, "Carter Bullard" <carter at qosient.com> wrote:
> Hey Chris,
> Thanks for the bug report.  The condition that you are highlighting, where a flow record's label string is assumed to have length greater than zero, shouldn’t occur using argus and argus clients programs.  Sorry to see that you could provide a sample file that shows that it can :O(
> 
> OK, so we are parsing input flow records, and the condition is that we have an ARGUS_LABEL_DSR that doesn’t contain a valid label string.  The standard way to deal with parsing error conditions is to just keep processing, rather than throw an error exception.  If a DSR is corrupt, we assume the record is corrupt, and we toss the single record.  In your sample file, the record that has the bad label section also doesn’t have a valid metrics section, so it's pretty messed up.
> 
> The fix that we are adding to the master distribution causes us to toss the corrupted record and continue on, which then processes the other records that are in your sample file.
> 
> Our recommendation is:
> 
>   if (tlabel->hdr.argus_dsrvl8.len <= 0) {
>      retn = NULL;
>      break;
>   }
> 
> If this satisfies, the fix will be in the next release.
> Carter
> 
> 
> > On Aug 19, 2016, at 5:54 PM, Chris Benedict via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> >
> >> Description:
> >
> >   This issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/).
> >
> >   Within ArgusGenerateRecordStruct() in common/argus_client.c at line 2834 the
> >   variable 'tlabel->hdr.argus_dsrvl8.len' is not checked. When set to 0 as in
> >   the sample provided, it causes 'llen' to be set to a negative number. When
> >   passed to bzero() at line 2836 it causes a segmentation fault and causes the
> >   application to crash.
> >
> >   This bug is potentially exploitable. We request an appropriate CVE.
> >
> >> How-To-Repeat:
> >
> >   Download sample from:
> >   https://nfiles.nist.gov/seos/1000/mpd/ui27082016897c598e94f8f9febc4682415276ed88
> >
> >   Execute with ra:
> >   ra -r sample
> >
> >   Please note, the file will only be available until August 26, 2016. If you
> >   encounter any difficulty please contact me at
> >   c.benedict at prometheuscomputing.com.
> >
> >> Fix:
> >
> >   Add bounds checking to the relevant function at around line 2834 such as:
> >
> >   if (tlabel->hdr.argus_dsrvl8.len <= 0) {
> >      ArgusLog (LOG_ERR, "ArgusGenerateRecordStruct: pre ARGUS_LABEL_DSR len is zero");
> >      break;
> >   }
> >
> >> Originator: Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
> >> Organization:
> > National Institute of Standards and Technology
> >> ARGUS support: none
> >> Release:       argus-3.0
> >> Product:       ra
> >> Synopsis:      Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT
> >> Class:        sw-bug
> >> Severity:      serious
> >> Priority:      high
> >
> >> Environment:   Linux
> >
> > System:  Linux 4.7.0-1-ARCH #1 SMP PREEMPT Mon Aug 8 22:05:58 CEST 2016 x86_64 GNU/Linux
> >
> >
> > Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
> >
> > ARGUS:   Argus Version 3.0.8.2
> > RA:      Ra Version 3.0.8.2
> >
> >
> > GCC:     Using built-in specs.
> > COLLECT_GCC=/usr/bin/gcc
> > COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.1.1/lto-wrapper
> > Target: x86_64-pc-linux-gnu
> > Thread model: posix
> > gcc version 6.1.1 20160802 (GCC)
> >
> > LIBC:
> > -rw-r--r-- 1 root root 4769020 Aug  6 05:17 /lib/libc.a
> > -rw-r--r-- 1 root root 255 Aug  6 05:16 /lib/libc.so
> > lrwxrwxrwx 1 root root 12 Aug  6 05:17 /lib/libc.so.6 -> libc-2.24.so
> > -rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /lib/libc-2.24.so
> > -rw-r--r-- 1 root root 4769020 Aug  6 05:17 /usr/lib/libc.a
> > -rw-r--r-- 1 root root 255 Aug  6 05:16 /usr/lib/libc.so
> > lrwxrwxrwx 1 root root 12 Aug  6 05:17 /usr/lib/libc.so.6 -> libc-2.24.so
> > -rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /usr/lib/libc-2.24.so
> >
> 
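
As an added example (not argus code and not part of the thread), the C below models the failure the report describes and the record-dropping check Carter recommends, plus a bound against the bytes actually present in the record. The DSR header layout, the 4-byte length unit and the llen computation are assumptions about argus, and the sample DSR bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of a DSR header with an 8-bit length field; argus's real
 * struct may differ. len counts 4-byte words and includes the header. */
struct dsr_hdr_vl8 {
    uint8_t type;
    uint8_t qual;
    uint8_t len;
};

/* llen as the report describes it: with len == 0 this goes negative, and a
 * bzero()/memset() call then receives it as an enormous size_t. */
int label_llen_unchecked(const struct dsr_hdr_vl8 *hdr)
{
    return hdr->len * 4 - (int)sizeof(*hdr);
}

/* Parse a label DSR out of raw record bytes with the check from the thread
 * and a bound against the bytes available. Returns the label length copied
 * into out, or -1 to tell the caller to toss the whole record. */
int parse_label_dsr(const uint8_t *buf, size_t avail, char *out, size_t outsz)
{
    struct dsr_hdr_vl8 hdr;
    if (avail < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.len <= 0)                       /* the recommended fix */
        return -1;
    size_t dsrlen = (size_t)hdr.len * 4;
    if (dsrlen > avail)                     /* DSR claims more than the record holds */
        return -1;
    size_t llen = dsrlen - sizeof(hdr);     /* now provably >= 1 */
    if (llen >= outsz)
        return -1;
    memset(out, 0, outsz);                  /* the clear that crashed with a negative llen */
    memcpy(out, buf + sizeof(hdr), llen);
    out[llen] = '\0';
    return (int)strlen(out);
}

/* Constructed sample DSRs (not taken from the NIST sample file). */
static const uint8_t good_dsr[] = { 0, 0, 3, 's','r','c','=','l','a','b', 0, 0 }; /* len=3 -> 12 bytes */
static const uint8_t bad_dsr[]  = { 0, 0, 0, 's','r','c','=','l','a','b', 0, 0 }; /* len=0: the crash case */

int demo_good(void) { char l[64]; return parse_label_dsr(good_dsr, sizeof good_dsr, l, sizeof l); }
int demo_bad(void)  { char l[64]; return parse_label_dsr(bad_dsr,  sizeof bad_dsr,  l, sizeof l); }
int demo_unchecked_llen(void) { struct dsr_hdr_vl8 h = { 0, 0, 0 }; return label_llen_unchecked(&h); }
```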
