August 13, 2005
Strata, Diablo...
For the signal handling issue, I'm going to rewrite the function intercept_signal in strata/src/posix/signal.c so that Strata will not stratify itself and crash.
For the ammp issue, the size of the main function is one byte less than a multiple of 16 bytes, and the linker inserts a NOP to align it. However, Diablo assumes that byte is data and doesn't do the tagging. That's why the program crashes.
This really is a problem, because alignment padding may occur often.
Posted by Roy at 12:49 AM | Comments (0)
August 11, 2005
samba issues -- continued
My work always has problems when programs are being shut down.
To handle them I used some ugly hacks that I hate to describe.
In the source code of smbd, it registers exit_server to be called at exit time (in order to do some clean-up work and reclaim children). If running in interactive mode, it handles the request by itself and then calls exit_server. exit_server does different work based on whether it is being called for the first time or not. If running in daemon mode, smbd will not call exit_server directly, but forks a child and then exits. The child then calls select and blocks. After receiving a request, it handles the request, forks a child and then calls exit_server.
In order to prevent exit_server from being registered, you need to undef the macro HAVE_ATEXIT, or simply comment out the block in server.c.
For programs like smbd and ghttpd, we have to disable the SIGCHLD (or SIGCLD, a synonym for SIGCHLD) signal handler. It really sucks.
Posted by Roy at 10:45 PM | Comments (0)
August 05, 2005
configure
When you want to set some variable, sometimes you don't have to hack configure.in or Makefile.in.
You may set environment variables, such as
PATH=/usr/local/toolchain-isr/bin/:$PATH CFLAGS="-I /home/wh5a/strata/include/ -DHAVE_INITGROUPS" LDFLAGS="-static -lstrata -lc_strata -lc -lnss_files -lnss_dns -lresolv -L /home/wh5a/strata/lib/x86_linux" ./configure --with-codepagedir=/usr/share/samba/codepages/ --with-configdir=/etc/samba --with-syslog --with-logfilebase=/var/log/samba/ --disable-windbind [--enable-debug]
Posted by Roy at 02:21 PM | Comments (0)
Debugging Samba
If you build samba from source, you need to configure it carefully, otherwise smbd quits silently without giving any error message.
I used ./configure --enable-debug in order to use gdb to debug it. But after playing with it for a while, I realized I should use interactive mode. When you run smbd, give it the -i option and now you'll get all the error messages you need.
The locations of many configuration files are determined at compile time and you can't set them later. Be careful when you run configure. Use interactive mode to debug.
Posted by Roy at 01:44 AM | Comments (0)
August 02, 2005
Adapting attacks
1. Samba Buffer Overflow
StrnCpy was called carelessly.
I'm working on samba-2.2.3a; if you check out samba-2.2.8a, you'll see StrnCpy is replaced by pstrcpy.
2. CVS Double Free Bug
http://www.kb.cert.org/vuls/id/650937
The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code.
http://www.linuxsecurity.com/content/view/104580/103/
The impact is most severe when running the CVS server in `pserver' mode to provide read-only access to the world (anoncvs).
http://www.xfocus.net/vuls/200301/3548.html
CVS has a vulnerability in handling directory requests: by sending a malformed directory name, a function can be made to return to a location where a global variable has already been freed and no new value has been assigned. When the next directory request is processed, a classic double-free() problem can then occur; if the submitted directory name carefully overwrites memory structures, arbitrary code can be executed on the system.
Deeper insights:
http://overflow.nease.net/txt/double_free_heap.txt
http://cert.uni-stuttgart.de/archive/bugtraq/2003/02/msg00003.html
I'm working on cvs-1.11.1p1; it's not available from the official site, though. But if you do a search, you can find an RPM package easily.
Posted by Roy at 10:56 PM | Comments (0)