Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Comment Re:image format bugs (Score 1) 246

LZW isn't that bad. And mostly, I just needed to know what it did WRONG, not how to do it RIGHT. I'd already learned how LZSS worked the previous year...for an also ambitious project that never really saw the light of day. Reverse engineering a compression format through raw tinkering and seeing how outputs changed was a lot of fun^H^H^Htedium. It helped that I had a lead that it was probably some derivative of LZ77.

Okay yeah I might have spent a lot of time on nothing substantial during this, but it did yield a security patch, which is a good thing. And besides, I was on winter break from college. It's a good time for doing nothing substantial.

Comment Re:image format bugs (Score 4, Informative) 246

Actually, I personally found and patched the TIFF bug. In January. Of last year. http://bugzilla.maptools.org/show_bug.cgi?id=1985
Feeding random data (aka fuzzing) might work, but 99% of the time, I'd imagine it'd just give you a corrupted image and bail out. You have to be clever about how you search for it. I found a known vulnerability patch posted by, of all people, an Apple employee, and tried to reverse engineer what he'd fixed. I found that the patch hadn't been applied on old version of the PSP system software, which is what I was targeting. After messing with this specific attack vector, I noticed that I could still crash system software version that did have the patch. After reading up on LZW compression (which is what part of LibTIFF had the vulnerability) and the TIFF specification of how they implemented LZW, I realized that the Apple patch was incomplete--it only tested for one value you could give it that was erroneous. By simply changing the equality they used (in two places) to an inequality, I tested for all erroneous values. Meanwhile, I tried to exploit the new unpatched vector on the PSP so that I could inject code. Failing this, I decided the best course of action was to submit a bug report to LibTIFF. It might seem a tad unethical to try and exploit the bug before reporting it, but I wasn't trying to exploit in for malicious purposes, and not on a desktop operating system. Regardless, I failed to make it do more than crash the PSP. Surely the best course of action here would be to patch it upstream before anyone else found it. (Incidentally, this "arbitrary execution" this is blown out of proportion. In its current state, it is extremely unlikely that it could provide ANY code execution. Just crashing. Although I don't know if it's IMPOSSIBLE for it to execute code with this vulnerability, it would take a lot of work to get anything valuable out of this. Mostly it's a DoS. They usually just attach "arbitrary execution" when there's even the vaguest possibility for code to be executed, regardless of whether or not such an exploit has been demonstrated.)

It, um, took a while for anyone to notice the patch. In fact, the only reason anyone did notice was because someone found some of the fruit of my research into this bug and then posted a link to the research in a new bug report. Funnily, they created a different patch, which, instead of preventing the infinite loop caused by the erroneous data, just tested to see if the loop was writing out of bounds. Perhaps both approaches should be used together. Defensive programming and all that. Regardless, I noticed this new bug report shortly afterward it was posted and pointed them back to the inexplicably ignored old bug report. Most Linux vendors applied the patch shortly after the new bug report was filed, but Apple lagged by a number of months, until 10.6.2 came out. This update backports the fix into 10.5.x. However, I've found that some projects (such as Qt) are still using ancient versions of LibTIFF that have had numerous bug and security fixes since they were last updated in the projects' trees. While Qt does try to use the system's version of Qt if it can, it's still kind of scary to think about what could happen if it falls back on its own version, as I've seen it do before when I try my "corrupted" TIFF on things like Arora.

Incidentally, I am TAing a computer security course this semester. I guess previous experience helps.

Comment From having read TFA... (Score 1) 806

I also notice the Scroll Lock and Pause/Break keys are missing. I know you can use the Scroll Lock key in conjunction with Excel, but I'm not sure anyone else ever does. Although I have actually used it on the command line to, shock and awe, lock the screen from scrolling while it was booting up so I could see error messages before they disappeared into the dust.

Also, switching the F keys with the functionality usually relegated to Fn-F*, as mentioned in TFA, is nothing new. Apple has been doing that on their laptops for years.

Slashdot Top Deals

Neutrinos are into physicists.

Working...