Tripwire mess..

From: CyberPsychotic (fygraveat_private)
Date: Mon Jan 04 1999 - 04:10:16 PST


    This may be, or may not be a security issue, however, since a lot of people
    still use tripwire-1.2 or lesser versions (this is what shipped with R.H.
    Linux 5.2 at least), they might be interested in the following detail:
    
    Chuck Campbell (campbellat_private) pointed out to me that tripwire dies with
    a coredump on R.H. linux, if it hits a filename containing 128-255 characters.
    Playing a bit with the debugger I found out that the problem sits around
    line 417:
            else if (iscntrl(*pcin)) {
                *pcout++ = '\\';
                *pcout++ = *(pccopy = octal_array[(int)(*pcin)]);
                *pcout++ = *++pccopy;
                *pcout++ = *++pccopy;
            }
    
    iscntrl here would return 'true' not only for [0-31] arg, but also for
    [128-255]. It causes two problems here:
    1. original octal_array contained only 127 elements, reference would go
    outside the array with *pcin>127
    2. pcin is declared as pointer to char, which caused a negative offset for
    chars in range above 127. (and which actually caused coredump in this case)
    
    Below is the patch to tripwire 1.2 (as it is on the coast.cs.purdue.edu and
    ftp.redhat.com sites), and the message from Gene Spafford which I received in
    response to my message. I wasn't able to test this bug on commercial
    tripwire, but since people still use the free version, this problem still might
    be applicable.
    
    
    regards
    
    Fyodor
    
    -<cut here>-
    
    --- src/utils.c.orig    Mon Jul 25 22:23:16 1994
    +++ src/utils.c Sun Jan  3 15:41:00 1999
    @@ -384,7 +384,7 @@
         char *filename;
     {
         static char filetmp[MAXPATHLEN+256];
    -    register char *pcin = filename, *pcout = filetmp;
    +    register unsigned char *pcin = filename, *pcout = filetmp;
         static char *octal_array[] = {
            "000", "001", "002", "003", "004", "005", "006", "007",
            "010", "011", "012", "013", "014", "015", "016", "017",
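Review bot: the changed declaration initialises unsigned char *pcin from char *filename and unsigned char *pcout from char filetmp[] with no casts, which is a pointer-signedness mismatch, and only the value used as the table index and passed to iscntrl() needs to be unsigned. Consider leaving both pointers as char * and converting at the use sites instead, for example octal_array[(unsigned char)*pcin] and iscntrl((unsigned char)*pcin). Separately, filetmp stays at MAXPATHLEN+256 while each escaped byte takes four output bytes, so it is worth confirming that pcout is bounded now that bytes 128-255 are expanded as well.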
    @@ -402,8 +402,24 @@
            "150", "151", "152", "153", "154", "155", "156", "157",
            "160", "161", "162", "163", "164", "165", "166", "167",
            "170", "171", "172", "173", "174", "175", "176", "177",
    +       "200", "201", "202", "203", "204", "205", "206", "207",
    +       "210", "211", "212", "213", "214", "215", "216", "217",
    +       "220", "221", "222", "223", "224", "225", "226", "227",
    +       "230", "231", "232", "233", "234", "235", "236", "237",
    +       "240", "241", "242", "243", "244", "245", "246", "247",
    +       "250", "251", "252", "253", "254", "255", "256", "257",
    +       "260", "261", "262", "263", "264", "265", "266", "267",
    +       "270", "271", "272", "273", "274", "275", "276", "277",
    +       "300", "301", "302", "303", "304", "305", "306", "307",
    +       "310", "311", "312", "313", "314", "315", "316", "317",
    +       "320", "321", "322", "323", "324", "325", "326", "327",
    +       "330", "331", "332", "333", "334", "335", "336", "337",
    +       "340", "341", "342", "343", "344", "345", "346", "347",
    +       "350", "351", "352", "353", "354", "355", "356", "357",
    +       "360", "361", "362", "363", "364", "365", "366", "367",
    +       "370", "371", "372", "373", "374", "375", "376", "377",
         };
    -    register char *pccopy;
    +    register unsigned char *pccopy;
    
         /* these only matter if they are the first character */
         if (*pcin == '!' || *pcin == '=' || *pcin == '#')
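Review bot: pccopy becomes unsigned char * at the end of this hunk, but in the escape code quoted in the message it is assigned from octal_array, whose elements are char *, so the change adds a type mismatch without fixing anything; it can stay register char *pccopy. The added rows take the table through "377", which covers every unsigned char value; a comment stating that the table must hold exactly 256 entries, or computing the three octal digits from the byte instead of looking them up, would keep the index range and the table size from drifting apart again.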
    
    --<cut here>--
    
    ---------- Forwarded message ----------
    Date: Sun, 03 Jan 1999 10:25:36 -0500
    From: Gene Spafford <spafat_private>
    
    [Form-letter response, last modified 8/16/98]
    
    Thanks for your inquiry about Tripwire.
    
    In mid-December 1997, Tripwire Security Systems, Inc. (formerly Visual
    Computing Corporation) acquired the license for our Tripwire
    change/intrusion detection system. They are now marketing an enhanced,
    supported version of Tripwire for Unix-based machines. They are also
    planning a Windows NT version of Tripwire for release sometime in late
    1998. Gene Kim, my former student and the original author of Tripwire,
    is the VP of TSS, and I may have some technical advisory role in these
    developments. All enquiries about Tripwire sales and technical support
    should be directed to:
        W. Wyatt Starnes
        President
        Tripwire Security Systems, Inc.
        615 SW Broadway
        Portland, Oregon 97205
        Phone: (503) 223-0280
        FAX: (503) 223-0182
        tripwireat_private
    
    You can visit the Tripwire WWW site at
    <http://www.tripwiresecurity.com/> for details on the latest release of
    the program, and for assistance with problems with previous versions.
    Note that personnel at Purdue are no longer supporting Tripwire.
    
    Please also note that Tripwire is a registered trademark of the Purdue
    Research Foundation, and it is also licensed to TSS.
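
The failure described in the post and a bounds-checked way to do the same escaping, as an added example that is not part of the original message or of Tripwire's source. The names legacy_index and escape_name are hypothetical, and escaping every byte above 127 regardless of locale is an assumption made here so the result does not depend on what iscntrl() returns for those bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Index that octal_array[(int)(*pcin)] computes when plain char is signed
 * (as on x86 Linux): bytes 128-255 become negative offsets. */
int legacy_index(unsigned char byte)
{
    return (int)(signed char)byte;
}

/* Copy src to dst, writing control and high-bit bytes as \ooo.
 * Returns the output length, or -1 if dst (dstlen bytes) cannot hold
 * the escaped name plus the terminating NUL. */
int escape_name(const char *src, char *dst, size_t dstlen)
{
    size_t out = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;  /* 0..255, never negative */
        if (iscntrl(c) || c >= 128) {
            if (dstlen - out < 5)               /* 4 bytes + NUL */
                return -1;
            dst[out++] = '\\';
            dst[out++] = (char)('0' + ((c >> 6) & 7));
            dst[out++] = (char)('0' + ((c >> 3) & 7));
            dst[out++] = (char)('0' + (c & 7));
        } else {
            if (dstlen - out < 2)               /* 1 byte + NUL */
                return -1;
            dst[out++] = (char)c;
        }
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    char buf[32];
    /* Constructed sample name: 'a', 0x01, 0xE9, 'b'. */
    int n = escape_name("a\001\351b", buf, sizeof buf);
    printf("legacy index for 0xE9: %d\n", legacy_index(0xE9));
    printf("escaped (%d bytes): %s\n", n, buf);
    return 0;
}
```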
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:26 PDT