Adding to the vulnerabilities found a few days ago, more have been discovered and posted. These additional potential exploits were discovered by the same person who found the first one posted.
This question is slightly off topic, but I always wonder how people find these kinds of security holes.
They surely know how to do it, but do they just sit down and start doing every trick they know and see what happens?
TIA
It depends. If the source is available you can simply do an audit, grepping through for various unsafe stdlib function calls, look for places where malloc return values aren’t checked, etc.
If it’s a closed-source binary, well, you just have to pound on the software until you find places where it breaks (e.g., when it asks for input data, feed it insanely large malformed strings, cause allocations to randomly fail, screw around with its memory space, etc.).
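The source-audit pass this reply describes, as an added example that is not code from the thread: a small Python scanner run over a constructed C snippet, flagging calls to unbounded stdlib routines and malloc() results that are never tested for NULL. The function list and the "check within the next few lines" heuristic are assumptions for illustration, not a real tool's rules.

```python
import re

# Constructed sample C source (not from the thread), seeded with the defect
# classes the reply names: unsafe stdlib calls and an unchecked malloc().
SAMPLE_C = r"""
#include <string.h>
#include <stdlib.h>

int handle(const char *input) {
    char buf[64];
    strcpy(buf, input);            /* unbounded copy into fixed buffer */
    char *p = malloc(strlen(input) + 1);
    strcpy(p, input);              /* malloc return never checked */
    char *q = malloc(128);
    if (q == NULL) return -1;      /* this one is checked */
    snprintf(q, 128, "%s", buf);
    free(p); free(q);
    return 0;
}
"""
# stdlib routines with no length bound (assumed audit list, not exhaustive)
UNSAFE_CALLS = ("gets", "strcpy", "strcat", "sprintf", "vsprintf", "scanf")
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")
MALLOC_RE = re.compile(r"\b(\w+)\s*=\s*malloc\s*\(")

def find_unsafe_calls(src):
    """Return (line_no, name) for each call to a known-unsafe function."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        code = line.split("/*")[0]  # drop trailing block comments
        hits.extend((n, m.group(1)) for m in CALL_RE.finditer(code))
    return hits

def find_unchecked_malloc(src, window=3):
    """Return line numbers of malloc() assignments whose result is not
    tested against NULL/0 (or with '!') within the next `window` lines."""
    lines = src.splitlines()
    unchecked = []
    for i, line in enumerate(lines):
        m = MALLOC_RE.search(line)
        if not m:
            continue
        var = re.escape(m.group(1))
        check = re.compile(rf"\b{var}\s*(==|!=)\s*(NULL|0)\b|!\s*{var}\b")
        if not check.search("\n".join(lines[i + 1:i + 1 + window])):
            unchecked.append(i + 1)
    return unchecked
```

On the sample this reports the two strcpy() calls and the malloc() on line 8 whose result is used without a NULL test; snprintf() and the checked malloc() are left alone.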
> It depends. If the source is available you can simply do an audit, grepping through for various unsafe stdlib function calls, look for places where malloc return values aren’t checked, etc.
> If it’s a closed-source binary, well, you just have to pound on the software until you find places where it breaks (e.g., when it asks for input data, feed it insanely large malformed strings, cause allocations to randomly fail, screw around with its memory space, etc.).
… sort of. There are also automated source-code auditing tools. Disassemblers appear to be used in finding closed-source binary holes [and don’t forget debuggers and their ilk; it’s trivial to monitor system calls, with or without source.] Your methods should work, but they seem likely to miss all but the most obvious holes.
Disclaimer: I’m not a security auditor.
Remember black box vs. white box testing at college?
Is a binary of an application a black box or a white box? …
It is time to migrate to Solaris, which is the most secure OS in the world!
It should be noted that these are all under 6.1, quite an old version; I know for a fact that at least one of these does not exist in the current version, 6.3 (the -s buffer overflow from libAp; I think it was actually fixed in 6.2).
Hi,
Thanks for your comments.
So, would it be fair to say that if a widespread and critical piece of software is found to have a lot of these holes, it means there weren’t proper audits or quality tests done to it?
TIA