OpenBSD developer, Florian Obser, has written about fuzzing ping(8) and finding a 24 year old bug. The utility ping(8) is about the simplest networking utility there is and it has been around in one for or another since the early 1980s. Yet some things were hiding which were exposed by running the Afl fuzzer:
Afl uses files to feed data to programs to get them to crash or otherwise misbehave. I had wondered for a few years how I could use afl with things that talk to the network. Because that's what I mostly work on. In hindsight it's quite obvious. You identify the main parsing function, wrap it in a new main() function and Robert is your father's nearest male relative.
The two main takeaways from this are: One, if someone messes up somewhere, go look if you messed up in the same or similar way somewhere else. Two, afl is pretty easy to use, even for network programs. 30 minutes from reading about afl for the first time to finding a bug in a real world program is pretty neat.
Next up, cat(1) ?
Via Undeadly.
Related Stories
OpenBSD developer, Florian Obser, has written a detailed post on privilege drop, privilege separation, and restricted-service operating mode in OpenBSD. The BSD-derived operating project, OpenBSD, has been at the forefront of mitigation techniques, for decades now. Florian discusses what OpenBSD has now, and how it got there and provides examples.
Prologue
My main focus in OpenBSD are privilege separated network daemons running in restricted-service operation mode. I gave talks at BSDCan and FOSDEM in the past about how I used these techniques to write slaacd(8) and unwind(8). While I do not think of myself as a one-trick pony, I have written some more: slowcgi(8), rad(8), dhcpleased(8), and gelatod(8). I also wrote the first version of what later turned into resolvd(8).
At one point I claimed that it would take me about a week to transmogrify one daemon into a new one.
Why
Privilege drop, privilege separation, and restricted-service operating mode are exploit mitigations. When1 an attacker finds a bug we try to stop them from causing damage. The mitigations we are talking about here are aimed at attackers that achieved arbitrary code execution. Due to other mitigations that is quite difficult to pull off. These are the last line of defence. We try to remove as many resources from the attacker to play with and try to crash the program as quickly as possible if an attacker touches something they are not supposed to.
Previously:
(2022) Fuzzing Ping(8) ... and Finding a 24 Year Old Bug
(2021) Recent and Not So Recent Changes in OpenBSD That Make Life Better
(2018) OpenBSD Chief De Raadt Says No Easy Fix For New Intel CPU Bug
(2017) Kernel Address Randomized Link in OpenBSD
(2014) Bob Beck gives a 30-day status update on LibreSSL
And many more.
(Score: 0) by Anonymous Coward on Saturday December 10, @10:52PM (4 children)
Source code:
echo "HELLO WORLD"
(Score: 3, Funny) by KritonK on Sunday December 11, @08:23AM (3 children)
Here you go:
--- hello.sh.orig 2022-12-11 10:21:48.783833225 +0200
+++ hello.sh 2022-12-11 10:21:44.975810805 +0200
@@ -1 +1 @@
-echo "HELLO WORLD"
+echo "HELLO, WORLD."
(Score: 3, Informative) by maxwell demon on Sunday December 11, @11:42AM (2 children)
You didn't fix the most blatant bug: The shouting. Oh, and your patch is incorrect because it doesn't contain the indentation.
Corrected patch:
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Corelli's A on Sunday December 11, @03:45PM (1 child)
If the program is addressing the world, it needs to look at the locale and use the correct language and appropriate greeting. Otherwise, it should just say, "Hello, United States."
(Score: 2) by KritonK on Monday December 12, @10:57AM
Reminds me of GNU Hello [gnu.org], which supports command line arguments, localization, has a configuration script, and who knows what else. The current version is 2.12, so even this simple program seems to be almost impossible to write correctly!
(Score: 4, Interesting) by bzipitidoo on Saturday December 10, @11:45PM
24 years? Would that be about the time IPv6 was being introduced? Why, yes, yes it would. Do IPv4 only versions of ping from before 1998 have this bug?
(Score: 2) by epitaxial on Sunday December 11, @05:29AM (2 children)
Can't wait until the not invented here crowd gets a hold of ping.
(Score: 2) by driverless on Sunday December 11, @07:50AM
I would say ping is more fluffy than fuzzy [wikipedia.org] though.
(Score: 2) by turgid on Sunday December 11, @06:29PM
The systemd dude? That should be fun!
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Interesting) by PinkyGigglebrain on Sunday December 11, @05:19PM (1 child)
a buffer overflow that caused ping to crash when using a seldom used feature with a long text string..
And only in the freeBSD version of ping, though I didn't notice any mention one way or the other if the bug is still in the GNU/Linux, full UNIX, or Windows implementations.
I should note that I only gave the article a cursory reading so I might have missed something so any corrections will be appreciated.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 1) by shrewdsheep on Sunday December 11, @05:51PM
TLDR; is this the ping-of-death again?