Bug 832698 - Review Request: CERT Triage tools - a gdb extension similar to microsoft's !exploitable [NEEDINFO]
Review Request: CERT Triage tools - a gdb extension similar to microsoft's !e...
Status: NEW
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FE-Legal
  Show dependency treegraph
 
Reported: 2012-06-16 12:59 EDT by Josh Bressers
Modified: 2016-03-14 20:16 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
i: needinfo? (bressers)


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2012-06-16 12:59:59 EDT
Spec URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable.spec
SRPM URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable-1.01-1.fc16.src.rpm
Description: CERT Triage tools, which currently only contain a gdb extension called exploitable
Fedora Account System Username: bressers


I've packaged up CERT's Triage tools, which are really just a gdb extension right now. The package installs an extension specific python module, and a script into /usr/bin

The script doesn't currently have a man page (it's on my list). I wanted to start the review now as I'm certain this will need some work.

The extension basically will show the user if their application crash is exploitable or not (it's certainly not perfect, but getting this to a wider audience should help improve it greatly).

For example:

bress@localhost ~ % cert-triage /tmp/test

warning: Current output protocol does not support redirection


Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (14/21)
Hash: f7ba00781cd7cb6b8ae2fbf50d65e661.f7ba00781cd7cb6b8ae2fbf50d65e661
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (20/21)


Additionally this can be run directly from gdb via the 'exploitable' command.

Thanks.
Comment 1 Karel Klíč 2012-09-27 09:11:16 EDT
I feel the license might be an issue.

I interpret the license of this package (file LICENSE.txt) as "BSD with advertising" because of the following section:

--
3. All advertising materials for third-party software mentioning 
   features or use of this software must display the following 
   disclaimer:

   "Neither Carnegie Mellon University nor its Software Engineering 
    Institute have reviewed or endorsed this software"
--

http://fedoraproject.org/wiki/Licensing:Main indicates that the "BSD with advertising" license is free but _incompatible with GPLv3_, which is the license of GDB including its Python interface.  The package is built on the top of that GDB Python interface.

Do you agree with this interpretation?
Comment 2 Josh Bressers 2012-09-27 09:19:49 EDT
Richard Fontana looked at this, here is his response:

Based on the information provided about the technical context I do not believe there is a licensing conflict, despite the fact that the CMU license is GPL-incompatible under orthodox understanding. The fact that the license of GDB allows for cure opportunities, and the likelihood that we could obtain a special permission from the FSF should they consider there to be a problem, has influenced my thinking on this.

Therefore, packaging of the triage tools in Fedora can proceed.
Comment 3 Karel Klíč 2012-09-27 10:30:01 EDT
I found a couple of minor issues.  Fixing them would make the package better.

1. The spec file should not include the %clean section with "rm -rf %{buildroot}".

2. There should be no "rm -rf  %{buildroot}" at the beginning of the %install section.

3. "%defattr(-,root,root,-)" should not be included at the beginning of the %files section.

4. Rpmlint warnings should be fixed

rpmlint exploitable-1.01-1.fc19.noarch.rpm

exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/README.txt
exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/AUTHORS.txt
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

Perhaps the following link helps?
http://fedoraproject.org/wiki/Packaging_tricks#Remove_DOS_line_endings

5. AUTHORS.txt and README.txt from /usr/share/triage-tools should be installed in %doc (/usr/share/doc/exploitable-1.01/).

6. LICENSE.txt should be included in %doc files.



I have also tested the package on RHEL-6.  The GDB command works only after importing it manually:

(gdb) exploitable
Undefined command: "exploitable".  Try "help".
(gdb) require command exploitable_gdb
(gdb) exploitable
Description: Heap error
Short description: HeapError (9/21)
Hash: 6687658ff11fd9da15c43c9e6f5259bd.6687658ff11fd9da15c43c9e6f5259bd
Exploitability Classification: EXPLOITABLE
...



The cert-triage command line tool doesn't work as it cannot find the "exploitable" GDB command:

$ cert-triage ./testBranchAv.test 
Undefined command: "exploitable".  Try "help".
/usr/bin/cert-triage:152: UserWarning: triage failed ([Errno 2] No such file or directory: '/tmp/triage.pkl'), call=gdb --batch -ex "source exploitable/exploitable-gdb.py" -ex run -ex "exploitable -p /tmp/triage.pkl" --args ./testBranchAv.test
  warnings.warn("triage failed (%s), call=%s" % (e, call))

Failed to triage (no crash?): ./testBranchAv.test


Are you going to include the package in EPEL6?
If it is not so, I can test it later today on my Fedora 17 machine at home.
Comment 4 Josh Bressers 2012-09-27 14:13:36 EDT
OK, so this isn't going to work on RHEL6 as is. I spoke with the RHEL6 gdb maintainer. The ability to auto-load commands doesn't exist there. I'm going to think about how to best address that. For now let's target Fedora with plans to include this in EPEL6 eventually.

I've updated the package and spec file addressing the concerns
http://fedorapeople.org/~bressers/exploitable-review/

bress@rh rpmbuild % rpmlint RPMS/noarch/exploitable-1.01-2.fc16.noarch.rpm
exploitable.noarch: W: no-manual-page-for-binary cert-triage
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

bress@rh rpmbuild % rpmlint SRPMS/exploitable-1.01-2.fc16.src.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

The man page will be added in the near future.
Comment 5 Josh Bressers 2012-09-28 11:31:24 EDT
This review needs to stop. I found some GPL code in this package. I'm going to consult Fontana on what's next.
Comment 6 Mario Blättermann 2013-11-01 04:41:31 EDT
This ticket is in an odd state... Not ASSIGNED, and in fact assigned to nobody anyway, but the "fedora-review?" flag is set. I set it back, except the needinfo.
Comment 7 Christopher Meng 2013-12-28 03:53:33 EST
Please package 1.04 when you are free.
Comment 8 Tom "spot" Callaway 2013-12-30 12:30:39 EST
Reblocking FE-Legal, since there are legal issues (re: Comment 5)
Comment 9 Upstream Release Monitoring 2016-01-05 01:27:28 EST
koschei's scratch build of gdb-7.10.50.20151113-33.fc24.src.rpm for f24 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12414110

Note You need to log in before you can comment on or make changes to this bug.