Older blog entries for metaur (starting at number 53)

22 Oct 2005 »

I have found a pretty serious remote buffer overflow in the good old Lynx browser (plus some not security-related stuff). I have also found remote format string bugs in xine-lib and in weex (the latter was incorrectly reported to have been found by someone else).

The Nethack Linux distribution is definitely ready for the desktop ;)

Tools & Tips for auditing code (not for the clueless JT or PÖ people out there though)

I have a new job! I've been studying literature for a while, and the course was really interesting with good teachers and classic but readable books. I didn't really get to know the other students though - they found me really old and talked to me in that dinner-with-Grandpa tone of voice ("Yes, Grandpa, I go to church every Sunday. No, Grandpa, I never listen to any of that sinful jazz music."). Consequently, I've given up on it to work and earn some money again.

"Winter" from the first Tori Amos record is really moving. I've bought new records from Ladytron (!!), Broadcast and Sibiria, but I haven't listened to them enough yet to have an opinion.

26 Sep 2005 »

The chill of October (a great song by Client)

To keep on bullying^Wreviewing Linux distributions, I've installed Mandriva/Mandrakelinux/Mandrake Linux (whatever) now, as promised earlier. I found it stylish and helpful and equipped with a nice collection of software. On the other hand, I had some installation problems: it left me with a U.S. keyboard, X expected to find the mouse at /dev/mouse and not /dev/mouse0 so it couldn't access it at all, and I couldn't access the floppy drive either. All these problems were easy to solve, but seeing as they target newcomers to Linux, perhaps they should polish their installation system a bit more so people won't end up with a broken system. Some people don't want to use emacs to edit XF86Config, you know.

Vanity Fair

Some guy e-mailed me about one month ago and asked how to find vulnerabilities in software. (Respectable enough, as long as they don't ask "can u t3ach m3 2 b-c0m3 a 31337 h4xx0r" it's fine.) Here is an expanded version of my reply:

To find new vulnerabilities, first you need to know the programming language and environment well, so study C and so on if you don't. Theo de Raadt from OpenBSD says that security problems are quality problems with people making subtle mistakes, and you won't find those mistakes unless you know better than the original authors how things work.

Some people (JT!!) that asked this question earlier seemed to expect an answer of the type "look for all strcpy() calls". Unfortunately, there is no such answer, because it depends on the program. Functions like strcpy(), strcat(), sprintf(), strncpy(), strncat(), sscanf() and so on are sometimes buffer overflows, sometimes not. To do this well, you should learn C and not just look for certain strings in code that you don't understand at all.

You'll probably need a program for source code navigation, so you'll quickly find all places where an interesting function in the program gets called. Some nice open source programs for that include lxr, gonzui and cscope.

Some people also find automated scanning programs like flawfinder and rats helpful. I don't, really, but they might be worth checking out.

Good luck!

(That probably sounded horribly vain, but that goes with the genre, I guess. Is it even possible to write blogs or Internet diaries without sounding like you're bragging?)


"Whereof one cannot speak, thereof one must be silent." -- Ludwig Wittgenstein

28 Aug 2005 »

There are a few more write-ups of my Evolution vulnerabilities for SITIC: certa.ssi.gouv.fr || itsec.gov.cn

I have found a buffer overflow in good old Elm and the way it handles Expires headers in e-mail messages ( Secunia || Frsirt -- Critical! Yay! Their highest rating! || an exploit ).

I have also found a format string bug in simpleproxy that gets hit when remote HTTP proxies send back malicious data ( Secunia || Frsirt ).

abi: Did you know that The Trashmen's Surfin' Bird is a medley of two earlier songs? I thought that was weird, as it's such a primitive song (which might not be a bad thing, since it's rock music we're talking about).

16 Aug 2005 »

I don't think I've written about it here, but I had a summer vacation job doing security audits of code for SITIC this summer as well. I found several vulnerabilities in Evolution:

SITIC (our original text)
Secunia || nvd.nist.gov i ii || securitytracker.com || securiteam.com || frsirt.com || heise.de || seguridad.unam.mx || outpost24.com || linux.org.ru || actinet.cz
I'm quite proud!

If we move on to less commercial activities, Dirk has given me commit rights to Pavuk's CVS repository, so I've committed lots of fixes for the Pavuk code and the website.

Happy birthday, Debian!!

I've studied the Internet services LDAP and SNMP recently, to learn something new and broaden my horizons. LDAP is nice, but to me SNMP seems overly complex for what it does, but that sentiment may come from being an SNMP n00b that doesn't know what he's talking about.

I wrote about wanting to try some new Linux distributions earlier, and now I've finally done so. SUSE Linux has lots of programs and has a serious German quality engineering feel to it. On the downside, there's too much non-free software in it, and the fact that both KDE, GNOME and general X Window System installs seem to require all five CD's (instead of, say, putting GNOME stuff on disc 2-3 and KDE stuff on disc 4-5) wasn't a very good idea at all. Next victim up for ignorant mini-review: Mandrakelinux.

Questionable Content is an enjoyable web comic about the indie music scene and human relations.

31 Jul 2005 (updated 1 Aug 2005 at 07:18 UTC) »

The tale of the 26 year old bug

My mailx overflow patches are now accepted into OpenBSD. Finding obscure overflows in OpenBSD (these and one of the Apache bugs last year) makes my day, as these guys are the kings of finding overflows in C code.

Since mailx is an ancient program written by carving C code into stone with primitive knives tens of thousands of years ago when Sweden was uninhabitable and covered in ice [1], I downloaded a few files from The Unix Heritage Society to date the bugs. The scan() overflow was present both in 2BSD and 4.2BSD, making it 26 years old! The off-by-one bug in readtty() was present in 4.2BSD but not in 2BSD, making it a few years younger.


Secunia Research has found some vulnerabilities in Avast Antivirus's handling of ACE archives. They are "related" to my old bugs in unace.


I have done yet more patching of pavuk (potential overflows, noting Slovak text that should be translated, ...) after a long break. I have discovered the really nice supertux game (a Super Mario Bros/Giana Sisters clone starring Tux the penguin), and I've already completed playing all 26 main levels (boast boast) but not the bonus levels yet. I've also started auditing netcat on paper at the local Hugo's cafe. Paper auditing seems like a convenient technique which however must be limited to smaller programs, unless someone else pays for the printer paper and the toner.

The "Building an OpenBSD port" page has some security advice. Joachim Breitner has an interesting paper about his new Cross Site Auth attack.

Now I'll finish my laundry and then it's time to go back to the Blow up a Panda music festival for the second day.

"Dom ringde den feta killen / pervot i Happiness / jag var hans body-double / men jag var mer övertygande / jag gjorde en snabb karriär" (Vapnet - "Seymour")

[1] Some would say it still is. We had really nice weather in the beginning of July, though.

8 Jul 2005 »

As a follow-up to Michal Zalewski's HTML fuzzer called mangleme, I wrote a CSS fuzzer that generates lots of web pages with randomly broken style sheets. I tried running it for quite a while on several web browsers without finding any bugs at all. Oh well - now I've tried that too. I suppose this taught me a problem with blackbox auditing (no access to source code) in general - it's not obvious when you should stop. Perhaps the program would have found bugs in Internet Explorer (not terribly surprising given its history) if left running for a few more hours.

The off-by-one bug that I found in mailx earlier also exists in nail. You're not supposed to access buf[sizeof(buf)] - it's not a part of buf. I've also been auditing GNU Wget lately.

At least one guy thinks you're a guru if you audit code for Debian..

Lately I've seen Clem Snide and Erik Aschan Zürcher play live, and I've also celebrated the lovely Swedish summer by having some fun in general with people I know.

richdawe: One solution to this problem might be to package the broken HTTP requests or e-mail messages. If a server receives an e-mail message with two Content-Type headers, it should construct a new head with the Content-Type text/plain and put the entire broken message (head+body) in the body, so it is shown as text. That way, the users will get to read any potentially valuable textual information in the broken messages, but they won't be exposed to any vulnerabilities or bugs resulting from different programs parsing broken messages differently.

21 Jun 2005 »

As I wrote earlier, I've been auditing mailx, and since a week ago, I have some results to show - an off-by-one bug and a buffer overflow that depends on the value of BUFSIZ. I don't see any security implications to either of them, but they should be fixed anyway to avoid crashes and to improve the quality of the program.

mailx is just the first program on a long list that I've put together of networking programs that are included in many major Linux distributions and *BSD systems. Auditing all those programs will take a while, but it will help the open source community.

A while ago, I took the day off to go to Linköping to visit IT-ceum among other things. It's an ambitious computer museum, with exhibits old - ancient Datasaab computers from the 50's - and new - a documentary about today's game console demo scene. Don't miss it, if you're ever close to Linköping!

Since last writing here, I've seen Hello Saferide play her singer-songwriter music with lyrics about wanting to be a lesbian so you can fall in love with your best friend. I've also seen Jockum Nordström's exhibition at Moderna Museet, with his mixed media (including collage technique) and his mix of acceptable and unacceptable images abstractly symbolizing the relativism inherent in today's postmodern society. Or something. (Svart polotröja. Definitivt svart polotröja. Och fyrkantiga Blur-glasögon.)

avrietta: Good luck with getting in shape! It's hard work but it can be done.

6 Jun 2005 »

Debian 3.1 (sarge) is finally released on the Swedish National Day even (to acknowledge my and the other Swedes' contributions, or perhaps not). That will shut up some of the kids on Slashdot and similar sites. If etch will be released within a year or so, they might even shut up for good.

Here are some interesting quotes that I've found recently:

"I started working on OpenBSD, and many earlier projects, because I have always felt that vendor systems were not designed for quality. The primary goal of a vendor is to make money. In some industry markets, high quality can be tied to making more money, but I am sure by now all of us know the computer industry is not like that.

I guess it was later on that I came to realize that most security issues are simply a result of low quality. In OpenBSD and OpenSSH, and everything else, we therefore work very much on quality."

(Tuxjournal interviews Theo de Raadt)

"If you want to do the analysis yourself, it should be relatively easy (and you should do it for ALL network daemons, not just NNTP): look for places in the code where the programmer is reading data from the network without checking the bounds on his/her input buffer."

(Erik E. Fair on the Phage mailing list in, ahem, 1988. Phage was started to discuss the Internet Worm.)

I've sold some more records (Peaches, S.P.O.C.K, VNV Nation, Pavement, The Sounds and Tim Buckley). I've decided to stop using all recreational drugs (alcohol, tobacco and so on) - I enjoyed exploring and abusing those things in my twenties, but enough is enough. I've celebrated turning 0x22 years old by visiting the Bloggforum 2.0 conference (blogs are really hyped right now here in Sweden) and the rain and queue-infested but still enjoyable Popaganda music festival, where I especially enjoyed Slagsmålsklubben, Teitur, The Similou and Hundarna Från Söder.

titus: Thanks for the link (way back) to the htmltext paper. I think that's *the* right solution to the XSS problem. The programmer shouldn't have to do much to make data quoted - he or she should have to work to avoid quoting. Otherwise people will just forget to add quoting in some obscure corner of the code.

21 May 2005 »

I pronounce Linux as Linux

I audited some of the new packages in Debian, as listed in Debian Weekly News, without finding anything. I've also discovered the code browsing program lxr (there's also a package for lxr-cvs) and I'm using it to audit mailx right now. lxr is great - you just click on a function name, for instance, and it gives you information of the type: "Defined as a function in: * head.c, line 56 Defined as a function prototype in: * extern.h, line 160 Referenced (in 4 files total) in: [...]". Really useful!

Some people may question whether it's a good idea to spend parts of your spare time closely reading line after line of code in mailx. I find it both important and entertaining, and it fits in well with my idea of a programmer as a serious intellectual who's trying his or her hardest to reach high levels of quality. Sadly I haven't met many of those in the industry, on the other hand I'm not an engineer (I have a Bachelor of Arts degree in some obscure combination of subjects though), so some of the people who see things that way (my way) might dwell in companies that only hire engineers.

Here are some Debian related sites that are new to me at least: Non-free tracking system tracks the non-free packages in Debian and why they're non-free (the people who wrote these programs and their licenses like to boss people around, it seems). Debian Mentors lets non-DDs upload packages that others can download with apt-get.

Culture vulture

I went to SAMA 2005 after some hesitation, and it was worth it! Some highlights included Top Gun, Saft, Covenant, Howard Jones - uncool as that may be - and the dressed-up audience. I visited the local student club Pang Musik at Kalmar Nation as well and saw The Bright and Shiny, The Beep Kid and Jeans Team. I liked The Bright and Shiny the most, but the other bands were good as well.

I've read Carl-Johan Vallgren's "För herr Bachmanns broschyr" (värsta rättshaveristen!), and I'm currently reading Frans G. Bengtsson's "Röde Orm" about some Swedish vikings. Lots of humour and action so far.

5 May 2005 »

Debian Sarge freezeth! Hell freezeth over!! I've written one last comment on my ilohamail XSS bugs in Debian's bug tracking system. I'll probably not do anything Debian-related except reply to comments on my bugs until Sarge is out.

epiphany is a cool web browser. I'm using it exclusively nowadays without any problems. It seems faster than Galeon.

I've moved some crappy old Perl scripts ^W^W^W^WImportant E-commerce Solutions from the 90's from my old computer to the new one. I will install a bunch of different Linux distributions on the old one, starting with Mandrakelinux, to get more exposure to them.

gonzui is a nice program for browsing code. Apart from obviously being useful for programmers making quick changes in other people's code, it's also very useful for security audits. If you realize that function a() will have a buffer overflow if it's ever called with a first parameter longer than 1024 characters, you want to find and visit all places where a() gets called, and gonzui helps with that. If you place the mouse pointer over a variable name, it will also change colour of all instances of that variable on the screen. cscope is a program in the same genre which I haven't used much yet but which seems nice as well. I have a file somewhere where I have listed a bunch of those programs, but I have only tried gonzui and cscope so far. Any recommendations?

I'm mostly working on a boring essay these days. I'm living on bread and juice and I'm selling lots of records (Pixies, New York Dolls, Peaches, P J Harvey, Charlatans [tajt T-shirt liksom]) so I can afford visiting the synth music event SAMA in Gothenburg on, eh, Friday the 13th.

If this had been an Amaya diary, it would have had more angst.

ncm: You're replying to the wrong person, but thanks anyway.

44 older entries...

New Advogato Features

FOAF updates: Trust rankings are now exported, making the data available to other users and websites. An external FOAF URI has been added, allowing users to link to an additional FOAF file.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!