On Tue, Aug 30, 2005 at 09:14:45PM +0100, Steve Kemp wrote:
>
> Inspired by Ulf's bug report in simple-proxy which was DSA-786
> I had a look at a couple more proxy servers.
(...)
> It would be nice to scan all binaries using "syslog", but I
> can't think of an obvious way to do it - short of grepping for
> the "openlog" / "syslog".
It might be better to scan all _sources_ for syslog calls and do a
'grep -v %s' to find those that might be vulnerable to format string
attacks.
Consider the attached program that extracts the source packages of a local
mirror to a directory and runs rats, flawfinder et al in them.
I've slightly modified it today (only minimal testing though) so you can use
it to both scan sources and binary packages in a local mirror pool for a
given string.
You can run it like this to have it scan all the pool in gluck:
  $ perl generate-report-string.pl -d -B -s "syslog" /org/ftp.root/debian/pool/main/
Notice that the reports can be _big_. For example, looking for "/tmp"
in the _binary_ packages results in ~450Mbs of reports (in ~32,300 files).
To sort the information, remove obvious false positives and point out
possible issues, I used additional scripts (attached too).
What I would really love is to have some place that would automatically
maintain a pool of the Debian sources in order to do these searches
faster: one that syncs with the pool from time to time and knows how to use
things like cdbs and yada to generate proper (patched) Debian sources that
can be grepped (or searched) when you are investigating a security vuln.
Having that information cross-referenced would be a plus, and being able to
find files that are _almost_ close duplicates would be even better and would
provide a way to find when a given vulnerability, patched in some program
source A, is present in program B since it has reused some files from A.
This is _very_ common in the OSS world.
Barring that, the attached scripts can generate a report in about 5 hours
on my 2GHz / 512MB system. Reviewing the report certainly takes much more
time.
So, anyone have hardware and/or time to spare? :-)
Regards,
Javier
Attachments:
  generate-report.pl
  generate-report-string.pl
  find-probunsafe.sh
  review-reports.sh
  sort-pack.pl
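The 'grep -v %s' idea from the reply above, carried one step further as an added example (this is not one of the attached scripts): a small Python scanner that finds syslog()/vsyslog() calls whose format argument is not a string literal, run here over a constructed C sample. It strips C comments first and splits the argument list on top-level commas, so nested calls and commas inside string literals do not confuse it.

```python
import re

# Constructed sample C source (not from the page) with three syslog() call sites.
SAMPLE_C = r'''
#include <syslog.h>
void log_client(const char *peer, char *line) {
    syslog(LOG_INFO, "connection from %s", peer);  /* safe: literal format */
    syslog(LOG_WARNING, line);                      /* unsafe: data used as format */
    syslog(LOG_ERR, "%s", line);                    /* safe: data is an argument */
}
'''
CALL_RE = re.compile(r'\b(v?syslog)\s*\(')            # vsyslog shares the sink
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)

def extract_args(src, pos):
    # Split the argument list that starts just after '(' on top-level commas.
    args, depth, in_str, start, i = [], 0, False, pos, pos
    while i < len(src):
        c = src[i]
        if in_str:                                    # commas inside strings do not split
            in_str = c != '"'
            i += 2 if c == '\\' else 1                # skip an escaped character
            continue
        if c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            if depth == 0:
                return args + [src[start:i]]
            depth -= 1
        elif c == ',' and depth == 0:
            args.append(src[start:i])
            start = i + 1
        i += 1
    return args                                       # unterminated call

def find_unsafe_syslog(src):
    # Blank out comments but keep their newlines so reported line numbers stay right.
    clean = COMMENT_RE.sub(lambda m: '\n' * m.group(0).count('\n'), src)
    findings = []
    for m in CALL_RE.finditer(clean):
        args = extract_args(clean, m.end())
        if len(args) < 2:                             # needs priority + format
            continue
        fmt = args[1].strip()
        if not fmt.startswith('"'):                   # a literal format starts with a quote
            line = clean.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1), fmt))
    return findings
```

Every hit still needs a human look, since a non-literal format may be a constant the program controls; the scanner only narrows the review to the call sites worth reading.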