
DJB Announces 44 Security Holes In *nix Software

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
  • Fail the course? (Score:1, Informative)

    by Anonymous Coward on Wednesday December 15, 2004 @07:19PM (#11098134)
    Better hope there's a curve
  • Better link (Score:3, Informative)

    by generationxyu ( 630468 ) on Wednesday December 15, 2004 @07:19PM (#11098138) Homepage
    to Kris Kubicki's mirror is here. [uic.edu]
  • If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
  • by winthrop ( 314632 ) on Wednesday December 15, 2004 @07:29PM (#11098230)
    Change password [uic.edu] involved trusting that the version of "make" in its path was not modified:
    Here's the bug: Line 317 of changepassword.c, without cleaning its
    environment in any way, calls system("cd /var/yp && make &> /dev/null");
    the Makefile arranges for changepassword.cgi to be setuid root (mode
    4755). A user can set $PATH to point to his own make program, set
    $CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed...
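    The bug quoted above is the classic setuid-plus-system() pattern: system() hands the command to /bin/sh with whatever environment the caller supplied, so the caller's $PATH decides which "make" actually runs. The following is an added example, not code from changepassword.c or from the course; it shows the vulnerable pattern beside the hardened form a privileged program should use (absolute program path, a fixed environment, no shell), plus a small check that a $PATH contains only trusted directories. The trusted directory list, the clean environment and all argv values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directories a privileged program is willing to search. Constructed for this
 * example; a real program would list only what its platform actually needs. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL };

/* Fixed environment handed to children: nothing is inherited from the caller.
 * IFS is set explicitly even though modern shells reset it on startup. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Return 1 if every component of `path` is one of TRUSTED_DIRS.
 * Empty components ("a::b", a leading or trailing ':') and relative
 * components count as untrusted because they resolve to the cwd. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len == 0 || start[0] != '/')
            return 0;
        int ok = 0;
        for (const char *const *d = TRUSTED_DIRS; *d != NULL; d++) {
            if (strlen(*d) == len && memcmp(*d, start, len) == 0) {
                ok = 1;
                break;
            }
        }
        if (!ok)
            return 0;
        if (end == NULL)
            break;
        start = end + 1;
    }
    return 1;
}

/* Vulnerable pattern, as in the comment above: a shell runs "make" resolved
 * through the caller's $PATH, inside the caller's environment. */
int run_make_unsafe(const char *dir)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cd %s && make >/dev/null 2>&1", dir);
    return system(cmd);  /* which "make"? whatever the caller's $PATH says */
}

/* Hardened: absolute program path, fixed environment, no shell.
 * Returns the child's exit status, or -1 on failure to fork/wait. */
int run_clean(const char *dir, const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (dir != NULL && chdir(dir) != 0)
            _exit(127);
        execve(prog, argv, CLEAN_ENV);  /* CLEAN_ENV replaces the inherited one */
        _exit(127);                     /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *p = getenv("PATH");
    printf("caller PATH trusted? %d\n", path_is_trusted(p ? p : ""));
    /* The child sees only CLEAN_ENV, regardless of what the caller exported. */
    char *const argv[] = { "/bin/sh", "-c", "echo \"child PATH=$PATH\"", NULL };
    return run_clean("/", "/bin/sh", argv);
}
```

    In a real setuid program the call to system() would be replaced by run_clean(dir, "/usr/bin/make", ...), and path_is_trusted() is the kind of check to apply before any remaining code still relies on $PATH; the point is that the privileged process, not the caller, chooses both the binary and the environment it runs in.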
  • by generationxyu ( 630468 ) on Wednesday December 15, 2004 @07:33PM (#11098271) Homepage
    60%. This assignment is worth 60% of the FINAL SEMESTER GRADE. I suppose I should have put that in the summary.
  • by andymar ( 690982 ) on Wednesday December 15, 2004 @07:37PM (#11098313)
    "Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and more were found by us while reviewing the code"
    http://www.mplayerhq.hu/ [mplayerhq.hu]

    "New xine-lib released. This version addresses multiple security vulnerabilities in the PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
    http://xinehq.de/ [xinehq.de]
  • Re:Misleading Title (Score:4, Informative)

    by Crazy Eight ( 673088 ) on Wednesday December 15, 2004 @07:50PM (#11098426)
    NT has roots in VMS. The BSD advertising clause you're seeing comes from one piece of BSD software (I can't recall which) Microsoft incorporated.
  • Re:Misleading Title (Score:5, Informative)

    by SquadBoy ( 167263 ) on Wednesday December 15, 2004 @07:59PM (#11098521) Homepage Journal
    RTFA in all the emails he gives full credit to the students.

    James Longstreet and Tom Indelli, two students in my Fall 2004 UNIX
    Security Holes course, have discovered a remotely exploitable security
    hole in bsb2ppm, a program to convert BSB image files to PPM image
    files. I'm publishing this notice, but all the discovery credits should
    be assigned to Longstreet and Indelli.
  • Re:Misleading Title (Score:4, Informative)

    by new-black-hand ( 197043 ) <nik@techCOFFEEcrunch.com minus caffeine> on Wednesday December 15, 2004 @08:07PM (#11098607) Homepage
    The BSD advertising clause you're seeing comes from one piece of BSD software (I can't recall which) Microsoft incorporated.

    BSD Sockets (Winsock on Win32). Ever noticed that socket programming on UNIX and Win32 are extremely similar? Not a coincidence.
  • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday December 15, 2004 @08:08PM (#11098621) Homepage Journal
    Were you in the class?

    The exams and the homework were completely different. DJB should post the exams; there's lots of theoretical holes that we had to find for exams. It was very comprehensive, educational, and practical. It was a great course. (I too failed it, but grades and learning are not necessarily related. For the record I only missed points on exams because my exploit code wasn't C99-compliant :)
  • Re:Misleading Title (Score:5, Informative)

    by SnowZero ( 92219 ) on Wednesday December 15, 2004 @08:16PM (#11098701)
    NT was originally developed by many of the core VMS developers after they left DEC, thus its VMS-like flavor. It doesn't use any code from VMS, but was a chance for the developers to start over and build a next generation operating system. They also tried to work with IBM in doing so (whee culture clash). My only gripe is that they took that clean, portable system, and put the Win32 API on top of it.

    Wikipedia has a nice entry [wikipedia.org] that is consistent with everything I learned there as an intern a while back. After I left there were many rumors that NT took BSD's better performing TCP stack, but unless someone who knows ever tells the story, it's still just a rumor. What is true, though, is that they use some ancient utilities ported from BSD, such as the command-line ftp.
  • Re:Good idea? (Score:5, Informative)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday December 15, 2004 @08:27PM (#11098792) Homepage Journal
    We all already failed the course :-)

    We're not blaming DJB for our failure. He told us we would fail if we didn't find 10 unique holes. We didn't find 10 holes, so we failed. It's not hard to understand. DJB is not the guy that goes back on his word. He tells you what he means and sticks with it. That's something to respect. (Same with all the DJB-isms [wikipedia.org]. Nothing wrong with saying what you mean and being confident in those statements.)

    We're upset about failing, but that's life. It's the hardest CS course at the University (and this is my first semester in college), so it's expected. I know more about C, computer internals, and security than most professionals now, so I'm not too sad :)

  • by wk633 ( 442820 ) on Wednesday December 15, 2004 @08:40PM (#11098902)
    This all happened in '86, so there's not much that can be done now. The problem was not in unfair marking, the two students got essentially the same grades. The problem was the raw scores->grade mapping. The student did protest, but Parnas had a specially funded chair position. Can't think of the correct wording for it. Basically, there was nothing the department could do. So I guess that wasn't exactly the end of it, but the grade stood. The student did drop out the next year, and last I heard (over 15 years ago) was doing well without a degree.

    Rules were changed partially because of this incident (there were a number of students who complained, I just happened to know this one). The result was that profs had to come up with more subtle ways of weighting exams. One I knew used to ask a couple of essay type questions, and mark them last. If the class was doing poorly, he would grade those questions very generously.

    And yes, there was reason for Parnas to not like the student. He was a pain in the ass. Regardless, one would think that two students with the same raw scores should get the same grade.
  • by dcollins ( 135727 ) on Wednesday December 15, 2004 @08:40PM (#11098906) Homepage
    The requirements are to exploit 10 holes in unix software...

    Not quite. From the first slide here's the credit specification (emphasis mine):

    What you have to do

    Exams are 40% of your grade.
    Also three types of homework.
    1. Read assigned parts of textbook. Assignment due 2004.08.25: foreword and preface of textbook.
    2. Read assigned C program excerpts before we discuss them in class.
    3. 60% of your grade: discover 10 new security holes in deployed UNIX software.
    40 students = 400 new holes.
    Collaboration is encouraged.
    4 students who find 1 bug each receive 1/4 credit for it.


    Presumably a toy program you write on your own doesn't count as "deployed UNIX software".
  • Re:Misleading Title (Score:3, Informative)

    by Antique Geekmeister ( 740220 ) on Wednesday December 15, 2004 @08:42PM (#11098914)
    No, NT is based on VMS. Look into the old David Cutler lawsuits with DEC for details.
  • by Calroth ( 310516 ) on Wednesday December 15, 2004 @10:18PM (#11099699)
    When developing Palm OS applications, there's a similar feature called Gremlins. You load your program into the Palm OS Emulator (or Simulator) on your computer - this is how you do most of your testing anyway. Give it a random number seed, and activate Gremlins.

    It randomly taps all over the screen, fast. It pays special attention to buttons, menus, etc., but also taps on blank spaces. It types random characters into text fields, or sometimes for no reason. Sometimes it'll write fragments of Shakespeare... If your application survives a few million events, you can say with a good degree of certainty that it's reliable. If it doesn't, you get all the Palm debugging tools.
  • Re:What's the deal? (Score:2, Informative)

    by Mastoid ( 138665 ) on Wednesday December 15, 2004 @10:43PM (#11099891) Homepage
    And in the meantime he will take credit for your work
    Er, no. The very first line of each announcement is "Person X, a student in my Fall 2004 UNIX Security Holes course..."

    djb doesn't come across as the nicest of gentlemen, but he's no thief.

  • by tootlemonde ( 579170 ) on Thursday December 16, 2004 @12:20AM (#11100609)

    Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago.

    This story is not likely.

    Fermi only gave the quantum mechanics course once, in 1954 [physicstoday.org], in the last year of his life. He was known as an outstanding teacher [iop.org], always willing to help students. His notes for the course were published in a book titled Notes on Quantum Mechanics [amazon.com] with additional material supplied by one of the students. None of the reviews I've found mention the story about all the students failing.

    One of his colleagues writes [physicstoday.org]:

    Fermi's legendary classroom teaching was the fruit of careful preparation. He seemed to derive pleasure from the act of teaching, without regard for the result. He never showed annoyance at a student's failure to grasp on the first try (or even the second) what he was trying to explain. On the contrary, if Fermi had to repeat an explanation, his pleasure appeared to be doubled.
  • Re:Misleading Title (Score:4, Informative)

    by innosent ( 618233 ) <jmdorityNO@SPAMgmail.com> on Thursday December 16, 2004 @02:33AM (#11101409)
    This is more likely due to the fact that the BSD TCP/IP stack is essentially the reference implementation of TCP/IP. Which is odd, considering that the BSD stack is missing a fairly major feature of the TCP/IP standard (equal-cost multipath routing, which Linux does support, though Windows does not). At any rate, there are probably portions of the TCP/IP process that are under a BSD copyright, and Windows uses some of the same procedures (though probably not code) to implement their stack. As for the similar API, that probably has more to do with POSIX than MS copying code. I would imagine that the internals of Windows and *BSD are different enough that it would be easier to rewrite the socket API than to copy it and change it for Windows.
  • by julesh ( 229690 ) on Thursday December 16, 2004 @04:56AM (#11102032)
    ...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.


    I'd expect the error on making a measurement of gravity by the period of a pendulum swing and comparing the change over altitude to be _much_ less accurate, myself.
  • Urban legend (Score:5, Informative)

    by bharlan ( 49602 ) on Thursday December 16, 2004 @05:18AM (#11102094) Homepage
    When an anecdote is a little too perfect (and this one is way over the top), then you need to google for it at site:snopes.com. http://www.snopes.com/college/exam/barometer.asp [snopes.com]
  • by Anonymous Coward on Thursday December 16, 2004 @06:08AM (#11102259)
    Why don't you and some more students join up and challenge this fu**er? Obviously the only thing he cares about is making a name for himself, and becoming infamous as an "instructor". Take this to the Dean of your college, and if he doesn't listen I'm sure there are others who will. Avoid him like the plague in future classes of course. An F in grad school can get you on probation or even not funded in the following semester. This is all about his ego, and not about the students' well being; if what has been said on slashdot is indeed true about the details of this class.
  • by Mornelithe ( 83633 ) on Thursday December 16, 2004 @09:22AM (#11102961)
    What does your experience---failing two out of 64 people for incompetence, and having a class with an overall C average---have to do with what your post's parent was talking about---a class where 100% of the students receive an F?

    Are you implying, for example, that all 25 students in a graduate course entitled 'Unix Security Holes' were either incompetent or didn't even make an effort at completing the course? Are you implying that in most cases where an entire class fails---with an F, not a C---that it is because every student either slacked off or was incompetent? I won't rule out that possibility, but I think it's very unlikely that in any given class, there isn't anyone who isn't both intelligent and hard-working enough to at least get a D in the class. Do you have reason to believe otherwise?
  • Re:Misleading Title (Score:3, Informative)

    by fish_in_the_c ( 577259 ) on Thursday December 16, 2004 @09:51AM (#11103096)
    Microsoft's documentation on sockets is very misleading. If you want to find out how misleading, create an array of sockets, each open on a different port. Pass the array to another thread within your program and then try to read something from one of the sockets. It won't work because of the way that Windows handles messaging and the fact that socket objects have a message queue and therefore cannot be passed between threads. I know from painful experience.