This may or may not be a security issue; however, since a lot of people
still use tripwire-1.2 or earlier versions (this is what shipped with R.H.
Linux 5.2, at least), they might be interested in the following detail:
Chuck Campbell (campbell@neosoft.com) pointed out to me that tripwire dies with
a coredump on R.H. Linux if it hits a filename containing characters in the
128-255 range. Playing a bit with the debugger, I found out that the problem
sits around line 417:
    else if (iscntrl(*pcin)) {
        *pcout++ = '\\';
        *pcout++ = *(pccopy = octal_array[(int)(*pcin)]);
        *pcout++ = *++pccopy;
        *pcout++ = *++pccopy;
    }
iscntrl here returns 'true' not only for arguments in [0-31], but also for
[128-255]. This causes two problems here:
1. the original octal_array contained only 127 elements, so the reference would
go outside the array for *pcin > 127;
2. pcin is declared as a pointer to char, which gives a negative offset for
chars in the range above 127 (and which actually caused the coredump in this case).
Below is the patch to tripwire 1.2 (as it is on the coast.cs.purdue.edu and
ftp.redhat.com sites), and the message from Gene Spafford which I received in
response to my message. I wasn't able to test this bug on the commercial
tripwire, but since people still use the free version, this problem might
still apply.
regards
Fyodor
-<cut here>-
--- src/utils.c.orig Mon Jul 25 22:23:16 1994
+++ src/utils.c Sun Jan 3 15:41:00 1999
@@ -384,7 +384,7 @@
char *filename;
{
static char filetmp[MAXPATHLEN+256];
- register char *pcin = filename, *pcout = filetmp;
+ register unsigned char *pcin = filename, *pcout = filetmp;
static char *octal_array[] = {
"000", "001", "002", "003",
"004", "005", "006", "007",
"010", "011", "012", "013",
"014", "015", "016", "017",
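Review bot: the `+ register unsigned char *pcin = filename, *pcout = filetmp;` line initializes `unsigned char *` pointers from `char *filename` and `char filetmp[]` without a cast, which compilers diagnose as a pointer-signedness mismatch (char and unsigned char are distinct types); writing `pcin = (unsigned char *)filename, pcout = (unsigned char *)filetmp` keeps the fix and makes the intent explicit. The change itself is the right one and fixes more than the array index: with `pcin` as plain `char`, a byte in 0x80-0xFF reads as a negative value, so `octal_array[(int)(*pcin)]` indexes before the array and `iscntrl(*pcin)` is handed a negative argument other than EOF, which the C standard leaves undefined; the unsigned type repairs both. A one-line comment at the declaration saying why the pointer type differs from the parameter's would spare the next reader the same investigation.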
@@ -402,8 +402,24 @@
"150", "151", "152", "153",
"154", "155", "156", "157",
"160", "161", "162", "163",
"164", "165", "166", "167",
"170", "171", "172", "173",
"174", "175", "176", "177",
+ "200", "201", "202", "203",
"204", "205", "206", "207",
+ "210", "211", "212", "213",
"214", "215", "216", "217",
+ "220", "221", "222", "223",
"224", "225", "226", "227",
+ "230", "231", "232", "233",
"234", "235", "236", "237",
+ "240", "241", "242", "243",
"244", "245", "246", "247",
+ "250", "251", "252", "253",
"254", "255", "256", "257",
+ "260", "261", "262", "263",
"264", "265", "266", "267",
+ "270", "271", "272", "273",
"274", "275", "276", "277",
+ "300", "301", "302", "303",
"304", "305", "306", "307",
+ "310", "311", "312", "313",
"314", "315", "316", "317",
+ "320", "321", "322", "323",
"324", "325", "326", "327",
+ "330", "331", "332", "333",
"334", "335", "336", "337",
+ "340", "341", "342", "343",
"344", "345", "346", "347",
+ "350", "351", "352", "353",
"354", "355", "356", "357",
+ "360", "361", "362", "363",
"364", "365", "366", "367",
+ "370", "371", "372", "373",
"374", "375", "376", "377",
};
- register char *pccopy;
+ register unsigned char *pccopy;
/* these only matter if they are the first character */
if (*pcin == '!' || *pcin == '=' || *pcin == '#')
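Review bot: the `+ register unsigned char *pccopy;` line has the same signedness mismatch as the first hunk, and here the change is unnecessary: `pccopy` only ever points into the `octal_array[]` string literals, which are `char *`, so `pccopy = octal_array[...]` now assigns `char *` to `unsigned char *`; leave `pccopy` as `char *` (the characters it reads are ASCII digits) and keep the unsigned type only on `pcin`, whose value is the array index. Two further points. The patch as pasted here is line-wrapped: the `@@ -402,8 +402,24 @@` header accounts for 17 added lines (16 table rows plus the `pccopy` declaration), but the table rows appear as 32 lines because each row of eight octal strings is split in two with only the first half carrying the `+` prefix, so it will not apply with patch(1) until re-flowed from the original mail. And now that bytes 0x80-0xFF are escaped instead of crashing, each of them expands to four output characters; `filetmp` is `static char filetmp[MAXPATHLEN+256]`, which for a MAXPATHLEN of 1024 or 4096 is well below the 4*MAXPATHLEN a long name made of such bytes can need, so check that the function bounds its output (or size the buffer for the worst case) rather than relying on the old 256 bytes of headroom.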
--<cut here>--
---------- Forwarded message ----------
Date: Sun, 03 Jan 1999 10:25:36 -0500
From: Gene Spafford <spaf@cs.purdue.edu>
[Form-letter response, last modified 8/16/98]
Thanks for your inquiry about Tripwire.
In mid-December 1997, Tripwire Security Systems, Inc. (formerly Visual
Computing Corporation) acquired the license for our Tripwire
change/intrusion detection system. They are now marketing an enhanced,
supported version of Tripwire for Unix-based machines. They are also
planning a Windows NT version of Tripwire for release sometime in late
1998. Gene Kim, my former student and the original author of Tripwire,
is the VP of TSS, and I may have some technical advisory role in these
developments. All enquiries about Tripwire sales and technical support
should be directed to:
W. Wyatt Starnes
President
Tripwire Security Systems, Inc.
615 SW Broadway
Portland, Oregon 97205
Phone: (503) 223-0280
FAX: (503) 223-0182
tripwire@tripwiresecurity.com
You can visit the Tripwire WWW site at
<http://www.tripwiresecurity.com/> for details on the latest release of
the program, and for assistance with problems with previous versions.
Note that personnel at Purdue are no longer supporting Tripwire.
Please also note that Tripwire is a registered trademark of the Purdue
Research Foundation, and it is also licensed to TSS.
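The escape loop quoted above and the two defects behind the crash, as an added example that is not from the mail or from tripwire's source. It keeps the original's output format (a backslash and three octal digits per escaped byte) but computes the digits instead of indexing a table, walks the name through an unsigned char pointer so bytes 0x80-0xFF are neither negative indices nor negative iscntrl() arguments, escapes high-bit bytes explicitly instead of trusting the locale, and bounds-checks the output buffer, which the original's fixed MAXPATHLEN+256 buffer cannot guarantee for a long name made of high-bit bytes. The function names, the sample filename and the buffer sizes are assumptions of the example; naive_table_index() only shows the index the unpatched code would have computed and never dereferences it.

```c
/*
 * Added example (not tripwire's code, not from the mail above): the
 * backslash-plus-three-octal-digits escaping that tripwire's utils.c does
 * for non-printable bytes in filenames, written so that the two defects in
 * the report cannot occur. Function names, the sample filename and the
 * buffer sizes are this example's own assumptions.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * What octal_array[(int)(*pcin)] indexed in the unpatched code, where pcin
 * is a plain char pointer: on x86 and most other targets char is signed, so
 * a byte of 0x80 or above reads as -128..-1 and the lookup lands in front
 * of the array. (Converting an out-of-range value to signed char is
 * implementation-defined; every two's-complement compiler wraps it.)
 */
int naive_table_index(unsigned char byte)
{
    signed char c = (signed char)byte;
    return (int)c;
}

/*
 * Escape decision: control characters as in the original code, plus every
 * byte with the high bit set, so the output is 7-bit ASCII whatever locale
 * is active (in the C locale iscntrl() is false for 0x80-0xFF, in 8-bit
 * locales it may be true for some of them; the database format should not
 * depend on that). Passing an unsigned char value keeps the iscntrl() call
 * well-defined, which a negative char would not be.
 */
static int needs_escape(unsigned char byte)
{
    return iscntrl(byte) || byte >= 0x80;
}

/*
 * Write the escaped form of filename into out (capacity outlen bytes,
 * NUL-terminated). Returns the escaped length, or -1 if it does not fit.
 * An escaped byte expands to four output bytes, so a never-fails buffer
 * needs 4*strlen(filename)+1 bytes; tripwire's static filetmp[MAXPATHLEN+256]
 * is smaller than that for a long name of high-bit bytes, hence the check.
 */
int escape_filename(const char *filename, char *out, size_t outlen)
{
    const unsigned char *in = (const unsigned char *)filename;
    size_t pos = 0;

    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        if (needs_escape(*in)) {
            if (outlen - pos < 5)          /* 4 bytes plus the final NUL */
                return -1;
            out[pos++] = '\\';
            out[pos++] = (char)('0' + ((*in >> 6) & 07));
            out[pos++] = (char)('0' + ((*in >> 3) & 07));
            out[pos++] = (char)('0' + (*in & 07));
        } else {
            if (outlen - pos < 2)
                return -1;
            out[pos++] = (char)*in;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Escape in into a scratch buffer and compare with expected; 1 on match. */
int escape_matches(const char *in, const char *expected)
{
    char buf[256];
    int n = escape_filename(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Same, but with the buffer capacity reported as outlen (capped at 256),
 * so the bounds check can be exercised; returns escape_filename's result. */
int escaped_length_with(const char *in, size_t outlen)
{
    char buf[256];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return escape_filename(in, buf, outlen);
}

int main(void)
{
    /* Constructed sample: "caf" + Latin-1 e-acute (0xE9) + TAB + ".txt". */
    const char sample[] = "caf\xe9\t.txt";
    char buf[64];
    int n = escape_filename(sample, buf, sizeof buf);

    printf("escaped (%d bytes): %s\n", n, buf);
    printf("index the unpatched code used for 0xE9: %d\n",
           naive_table_index(0xE9));
    return 0;
}
```

Compile with cc -Wall and run: the sample name escapes to caf\351\011.txt (15 bytes) and the index the unpatched code would have used for 0xE9 is -23. The explicit (const unsigned char *) cast on the filename parameter is also what the posted patch needs in order to avoid the pointer-signedness warning that its bare `unsigned char *pcin = filename` draws.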
From mail@mail.redhat.com Tue Jan 5 16:44:38 1999
Message-ID: <002b01be38d0$88aacac0$cf508cd1@kev.snet.net>
From: "Kevin" <kevin@mags.net>
To: <linux-security@redhat.com>
Subject: [linux-security] Re: Tripwire mess
Date: Tue, 5 Jan 1999 12:26:25 -0500
Actually I just looked at my RH 5.2 dist and it looks as if Tripwire 1.3 is
shipped with it.
From mail@mail.redhat.com Tue Jan 5 17:31:13 1999
Date: Tue, 5 Jan 1999 15:55:03 -0600 (CST)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Kevin <kevin@mags.net>
cc: linux-security@redhat.com
Subject: [linux-security] Re: Tripwire mess
In-Reply-To: <002b01be38d0$88aacac0$cf508cd1@kev.snet.net>
Message-ID: <Pine.LNX.4.05.9901051548140.3426-100000@darkstar.sysinfo.com>
Organization: Minnesota Information Systems
If tripwire 1.3 is included, I'd be very surprised, as tripwire 1.3 is, if
I recall, the new and supported and non-shareware/freeware version of the
product. Perhaps they are only charging commercial institutions; I have
not fully reviewed their licensing files...
As for the 1.2 patches: there was a patch on one of the old distribution
sites for tripwire 1.2; the patch failed to function, and was done by a
fellow close to my location here in Minnesota, at the UofM. When tripwire
repeatedly coredumped for me, I contacted all involved and, after a bit of
work, was able to get a working patch from the individual that had
produced the patch. I could look up all the info for folks, but, damn, I
hate having to locate e-mail in my archives unless really forced to, so,
unless someone really requires bounces or forwards from that archive and
endeavor, I'll hold back.
I would venture the new working patch is out on the old dist sites now; if
not, and if anyone would like the patch (it runs damned fine on my Slackware
system <hate the way RedHat redoes everything, and am used to Slackware>),
I'd be happy to make it available to those without the time to search.
Drop me a note if you so wish.
Ron DuFresne
On Tue, 5 Jan 1999, Kevin wrote:
> Actually I just looked at my RH 5.2 dist and it looks as if Tripwire 1.3 is
> shipped with it.
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
> mail -s unsubscribe linux-security-request@redhat.com < /dev/null
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
From mail@mail.redhat.com Tue Jan 5 18:06:01 1999
Message-Id: <199901052248.IAA13688@tashi.sci.usq.edu.au>
To: "Kevin" <kevin@mags.net>
Cc: linux-security@redhat.com
Organization: Faculty of Science, University of Southern Queensland
Subject: [linux-security] Re: Tripwire mess
In-Reply-To: message-id <002b01be38d0$88aacac0$cf508cd1@kev.snet.net>
of Tue, Jan 05 12:26:25 1999
Date: Wed, 06 Jan 1999 08:48:50 +1000
From: Tony Nugent <Tony.Nugent@usq.edu.au>
On Tue Jan 05 1999 at 12:26, "Kevin" wrote:
> Actually I just looked at my RH 5.2 dist and it looks as if Tripwire 1.3 is
> shipped with it.
tripwire 1.2 is shipped with the RedHat 5.2 Powertools - no 1.3
version in sight. If I recall, this version is several years old -
later versions of it went commercial.
I've experienced the segfault myself, in exactly the manner that
"CyberPsychotic" <fygrave@tigerteam.net> describes. Thanks for the
patch.
Very useful tool. I'm glad RH is including it with its powertools
collection. More "security" utilities such as this should be
included, including things like "cheops"...
[mod: I'm getting conflicting reports: "yes it shipped version X", "no
it didn't, version X was shipped". Figure it out for yourself if you
need to know. I'm no longer approving stuff in this yes/no debate. -- REW]
Cheers
Tony