1) memory leak

If realloc fails, it returns NULL, but the original pointer doesn’t get freed, so it’s possible to be leaked. IF an attacker can trigger an arbitrary memory leak, it might be possible to cause a denial of service.

2) A common pattern combined with a missing null return check can lead to memory corruption.

Example:

size = old_size * 2
new_ptr = realloc(ptr, size);
//zero-fill the new memory
//if new_ptr returned null, corrupt memory at 0+old_size
bzero(new_ptr +old_size, size-old_size);

3)

If there are 2 pointers to a buffer, and one of the pointers gets realloced with a big enough amount, the returned pointer will be at a different address and the old buffer will be freed. Then the other pointer is dangling.

4)

Not unique to realloc, but with any allocation function, you’d also want to look for an integer overflow in the amount to alloc, leading to an unexpectedly small buffer and a heap buffer overflow.

5)

Integer overflow to bypass the realloc entirely.

Example:

if (a.length() + b.length() > a.capacity()) {
realloc(a.buffer, a.length() + b.length();
}
memcpy(a.buffer() +a.length(), b.buffer, b.length());

If an overflow happens at the if statement, the realloc will be bypassed and a buffer overflow will result.

This can lead to subtle errors, especially with the mod operation(%).

Example:

This program creates a buffer of user-specified length filled with ‘A’s, and overwrites one random character in the buffer with a ‘B’. If the user-specified length is 0, then it will write a ‘B’ to a random address, corrupting memory. This would be very unlikely to be exploitable, but it illustrates how memory corruption can occur when div by zero is not trapped, and you’re not expecting it. On Intel, the divide by zero would always result in a crash, with no possibility of anything worse.

$ cat test.c

int main(int argc, char **argv) {
    char * buf;    

    //user-supplied size for buf
    int untrusted_size = atoi(argv[1]);

    buf = malloc(untrusted_size);
    if (!buf) {
        exit(-1);
    }

    srandomdev();
    memset(buf, 'A', untrusted_size);

    //get a random number from 0 to untrusted_size-1
    //or if untrusted_size = 0, return a random number from 0 to RAND_MAX
    int rnd_index = random() % untrusted_size;
    printf("rnd_index = %d\n", rnd_index);
    buf[rnd_index] = 'B';
    printf("%s\n", buf);
    return 0;
}

$ ./a.out 10
rnd_index = 8
AAAAAAAABA

$ ./a.out 0
rnd_index = 2098236498
Segmentation fault

http://forums.macrumors.com/showthread.php?t=415723

http://discussions.apple.com/thread.jspa?threadID=1345931

http://www.howardforums.com/archive/topic/1288150-1.html

http://forums.wireless.att.com/cng/board/message?board.id=apple&message.id=16591

http://www.iphonematters.com/article/gophone_edge_issue_ends_up_being_att_not_apple_389/

As it turns out, it had nothing to do with iPhone 1.1.3. Apparently there was some kind of server side bug that removed the plan from our accounts.

So I call and ask what’s going on, and the tech support guy says for some reason the plan was removed, and he added it back on. Then I noticed that it was charging me per kilobyte for EDGE usage, even though I was on the unlimited plan. No one ever mentioned that that would happen.

I called back and they said it was a known issue that would be fixed that night. It wasn’t fixed until a week and a half later. I called a few times during the week and each time they said it would be fixed that night.

Things that were constant the whole week and a half each time I called, which suggest an endemic incompetence at AT&T:

• Despite the fact that this had happened to hundreds (maybe thousands?) of people, most AT&T employees, even in the prepaid department, seemed to not even know that this was going on, until I got to a higher level employee.
• The tech support people would promise various things that didn’t come true. “It’s going to be fixed tonight”, each time I called. One tech support person told me I was going to get 2 months free and then transferred me to someone else in billing who told me that was impossible and no one could do that.
• On every call I was bounced through several layers of peons before I got to someone who knew what was going on. For each layer, I had to reauthenticate myself by giving my phone number and pin or zip code. And I had to explain everything that had happened so far. They should cache the authentication and story thus far when passing someone off, but that would make too much sense.
• I could call one time and get one answer, and then call right back, get a different person, and get a totally different answer. Obviously at least one of them was just making stuff up. This happened at least twice.

In the end, the issue was fixed, and they credited my account for all the wasted money I was charged per kilobyte for the EDGE service. I think they also added like 5 bucks to my account. However, that doesn’t compensate me at all for the aggravation, lost service, and time wasted on the phone(about 2 hours).

One major issue with the GoPhone plan for iPhone is, they have NO WAY to really compensate you if something goes wrong. They charge you 50 bucks every month. This deposits $30 in your account, and 20 was for unlimited EDGE. If something goes wrong, they can add more money into your account. But most people don’t need any more money in their account, because they accumulate money in the account, assuming they use less than 200 minutes per month. What they need is to be charged less or not at all for the next month. I was told by the customer service person that that is impossible, that no one is authorized to defer or reduce someone’s monthly bill for prepaid. This was after I had been promised by someone else that it was possible.

On the positive side, the reps were reasonably polite and I didn’t have to wait on hold that long. They were just totally incompetent. I don’t think it’s necessarily unacceptable that this technical problem happened, but their handling of it from the customer service side was the worst customer service experience I’ve ever had.

Lessons learned:

• For every person you get passed to, make sure to get their name and department and write it down.

• If they promise you anything, ask them to add it to the notes for your account. A few times I was promised something, then that person transferred me to another person, and the new person said they didn’t see anything in the notes about the promise.
• AT&T sucks. I strongly recommend avoiding AT&T/Cingular if possible. Also, they seem to treat the prepaid users like second class citizens. This outage only affected prepaid users, and there was a similar one in December 2007 which only affected prepaid users.

Thanks a lot AT&T. I would absolutely leave AT&T, if it wasn’t for the fact that that would leave me with an expensive useless phone. (Yes, I could try to unlock it, but that has its own hassles)

BTW getting the phone activated was a similarly Kafkaesque experience.

This is an interesting article on sandboxing in Leopard.

It’s a feature which allows a user or administrator to limit the actions that a process can do to only the actions that it needs to do. Then, if there is a security vulnerability such as a buffer overflow in the program, when malicious code is injected into the process, it can only do the actions that the process would normally do, thus limiting the potential damage significantly.

In the paper “Some thoughts on security after ten years of qmail 1.0” by Daniel J Bernstein, djb mentions this type of technology as one of the most promising for mitigating security bugs. Specifically, see section 5.2. Of course, he also claims in section 2.5 that “minimizing privilege” is a fundamentally wrong distraction, and the key is minimizing the amount of trusted code, which isn’t the same thing.

Sandboxing can be used for both, and the key to reducing the trusted code base rather than just reducing privilege in general is to intelligently apply appropriate profiles.

See the manpages sandbox(7), sandbox-exec(1), sandbox_init(3), and sandbox-compilerd(8).

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6238

http://wabisabilabi.blogspot.com/2007/11/quicktime-zeroday-vulnerability-still.html

There are a number of other links commenting on this story that you can find if you Google. One notable thing that no one seems to notice is that in the comments section of the wabisabilabi blog post, they acknowledge that the bug only affects QuickTime 7.2. 7.3.1 is the current version, and 7.3 was already out when the bug was first put up for auction. Some 0-day.

 2 comments:

Anonymous said...

    Does your issue affect QT 7.3, which is the current version?
    December 3, 2007 8:07 PM
WabiSabiLabi Staff said...

    No, only vulnerable version is 7.2
    December 10, 2007 2:38 PM

Someone ended up buying it for 500 euro. Which is pretty steep, considering QuickTime’s track record, there are probably more bugs in it that are still unpatched.

http://en.wikipedia.org/wiki/Great_Pacific_Garbage_Patch

There needs to be a Pixar movie set on the Great Pacific Garbage Patch. I predict Oscars galore.

For some serious papers on software security, check out Dawson Engler.

It just wastes time and confuses people even more.

Hang it up,  people who say “forward slash” when speaking a URL out loud.

Find world-writable files and directories( if you want just directories add -type d)
find -x / -perm -2 -exec ls -ld ‘{}’ \;

Find group-writable files and directories
find -x / -perm -02 -exec ls -ld ‘{}’ \;