Table 4. Results of Our Analysis on Real World Vulnerabilities

Program Name and Version | Vulnerability Identifier | Binary Code / Trace Size (KB) | Taint Sources (Bytes) | Total / Unique Instructions | Total / Unique Tainted Inst.
GDI32.dll 5.1.2600.2180  | CVE-2005-4560  | 272 / 2,422     |    68 |    76,618 / 5,677   |    206 / 115
User32.dll 5.1.2600.2180 | CVE-2007-0038  | 564 / 53,548    | 4,385 |   250,534 / 23,868  |  7,195 / 1,043
AudioCoder 0.8.18        | OSVDB-2939     | 731 / 29,000    |   620 |   473,922 / 27,265  | 12,666 / 66
Streamcast 0.9.75        | CVE-2008-0550  | 804 / 26,541    | 1,230 |    83,204 / 3,354   |  8,351 / 35
POP Peeper 3.4.0.0       | BugTraq-34192  | 1,436 / 68,731  |   400 |   182,382 / 8,226   |  1,106 / 2
PEiD 0.95                | OSVDB-94542    | 214 / 14,163    | 1,000 |    32,779 / 9,501   |     25 / 20
SoulSeek 157             | ExploitDB-8777 | 3,410 / 147,931 |    49 | 4,435,526 / 142,220 |    217 / 121
SoX 12.17.2              | CVE-2004-0557  | 225 / 14,441    | 1,184 |   180,034 / 2,801   | 56,138 / 647
its From field, where the stack buffer can overflow to overwrite the return address and
the Windows Structured Exception Handler (SEH) record. PEiD is a popular tool for detecting
packers, cryptors and compilers in PE executable files; a carefully crafted EXE file can
exploit this vulnerability to run arbitrary code. SoulSeek 157 NS12d, a free file-sharing
application, has a vulnerability that can be exploited remotely to overwrite the SEH record.
SoX (Sound eXchange) is a sound-processing application for Linux; its WAV header handling
code has a known buffer overflow that an attacker can exploit to execute arbitrary code.
The third column in Table 4 gives the size of the binary code and the size of the trace,
respectively. Recall that on-demand trace logging starts when the target program reads
the taint source (the input in all of these test cases) and stops when the tainted data have
taken control of the program, e.g. when EIP contains a tainted value or the program jumps
to a tainted memory location. The fourth column gives the number of taint-source bytes,
ranging from a few dozen to a few thousand. For all cases, CBASS/TREE successfully builds
the taint graph described earlier.
For any specific taint sink, CBASS/TREE can generate a slice of the tainted instructions
from the taint sources to that sink. The last two columns of Table 4 give the total and
unique instructions in the trace and the total and unique tainted instructions over all
taint sources and sinks, respectively. For most of the programs, tainted instructions are
only a very small portion of the total instructions (under 5%, and under 1% for GDI32,
POP Peeper, PEiD and SoulSeek); the exceptions in Table 4 are Streamcast (about 10%) and
SoX (about 31%). For any specific byte of the tainted target, for example a tainted
register or a tainted memory location, usually only a few dozen tainted instructions are
involved.
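The logging window, byte-level taint graph and source-to-sink slice described above, as an added example that is not TREE/CBASS code (the page shows none): a toy tracker replayed over a constructed instruction trace. The trace, its addresses, the read_input operation and the stack layout (a second 4-byte copy that lands on the saved return address) are all assumptions made for illustration; 32-bit registers are modelled as four separately tracked bytes.

```python
"""Toy byte-level taint tracker over an instruction trace (added example,
not TREE/CBASS code). Logging starts when the taint source is read, each
register/memory byte carries the set of input offsets it derives from, a
taint graph records which tainted instruction wrote each operand, logging
stops once EIP is tainted, and a backward walk from a sink is the slice."""
from collections import defaultdict

REG_SIZE = 4  # 32-bit registers tracked as four bytes

# Constructed trace with hypothetical addresses. Entry: (address, mnemonic,
# destination, sources); an operand is a register name or ("mem", addr, size).
# "input" marks the taint-source read; the copy to 0x2004 models a stack
# overflow that overwrites the return address later popped by ret.
TRACE = [
    (0x401000, "read_input", ("mem", 0x1000, 8), ["input"]),
    (0x401005, "mov", "eax", [("mem", 0x1000, 4)]),
    (0x401008, "mov", "ebx", [("mem", 0x1004, 4)]),
    (0x40100b, "add", "ecx", ["ecx", "eax"]),
    (0x40100e, "mov", ("mem", 0x2000, 4), ["ecx"]),
    (0x401011, "mov", ("mem", 0x2004, 4), ["ebx"]),
    (0x401014, "mov", "edx", [("mem", 0x3000, 4)]),  # untainted work
    (0x401017, "ret", "eip", [("mem", 0x2004, 4)]),   # pops tainted return address
    (0x401020, "mov", "esi", ["edx"]),                # never logged: EIP already tainted
]


def expand(operand):
    """Split an operand into byte-granular locations."""
    if isinstance(operand, tuple):
        _, addr, size = operand
        return [("mem", addr + i) for i in range(size)]
    return [(operand, i) for i in range(REG_SIZE)]


def run(trace):
    """Replay the trace; return logged indices, taint graph and final taint map."""
    taint = {}                 # byte location -> set of input offsets
    writer = {}                # byte location -> index of last tainted writer
    graph = defaultdict(set)   # tainted instr index -> tainted instrs it reads from
    logged, logging = [], False
    for idx, (_addr, mnem, dst, srcs) in enumerate(trace):
        logging = logging or "input" in srcs
        if not logging:
            continue
        logged.append(idx)
        dst_locs = expand(dst)
        if mnem == "read_input":           # taint source: byte k gets label {k}
            for off, loc in enumerate(dst_locs):
                taint[loc], writer[loc] = {off}, idx
            graph[idx] = set()             # tainted, but has no predecessors
            continue
        src_locs = [loc for s in srcs for loc in expand(s)]
        labels, preds = set(), set()
        for loc in src_locs:
            if loc in taint:
                labels |= taint[loc]
                preds.add(writer[loc])
        if not labels:                     # untainted write kills old taint on dst
            for loc in dst_locs:
                taint.pop(loc, None)
                writer.pop(loc, None)
            continue
        if mnem == "mov" and len(src_locs) == len(dst_locs):
            # plain copy: dst byte i inherits exactly the taint of src byte i
            for s, d in zip(src_locs, dst_locs):
                if s in taint:
                    taint[d], writer[d] = set(taint[s]), idx
                else:
                    taint.pop(d, None)
                    writer.pop(d, None)
        else:                              # arithmetic: every dst byte depends on all src bytes
            for d in dst_locs:
                taint[d], writer[d] = set(labels), idx
        graph[idx] |= preds
        if any(("eip", i) in taint for i in range(REG_SIZE)):
            break                          # tainted data controls execution: stop logging
    return logged, graph, taint


def slice_for(graph, sink):
    """Backward slice: every tainted instruction the sink transitively depends on."""
    seen, stack = set(), [sink]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, ()))
    return sorted(seen)


def analyze(trace=TRACE):
    logged, graph, taint = run(trace)
    tainted = [i for i in logged if i in graph]
    return {
        "logged": logged,
        "slice": slice_for(graph, logged[-1]),   # sink: the final (EIP-tainting) instruction
        "eip_sources": sorted(set().union(*(taint[("eip", i)] for i in range(REG_SIZE)))),
        # (total instrs, unique addresses, total tainted, unique tainted), as in Table 4
        "stats": (len(logged), len({trace[i][0] for i in logged}),
                  len(tainted), len({trace[i][0] for i in tainted})),
    }
```

Running analyze() on the constructed trace logs the eight instructions up to the ret, reports that EIP derives from input offsets 4..7, and slices the sink down to four instructions (the source read, the load into ebx, the store at 0x2004 and the ret); the add and the first store are tainted but do not reach the sink, which is the source-to-sink narrowing the text describes.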
For more real-world vulnerabilities to which we have applied TREE/CBASS, see
http://code.google.com/p/tree-cbass/. We will continue the ongoing evaluation and update
the results on that site.
5.2 Case Study: WMF (CVE-2005-4560)
In this section, we will illustrate how TREE/CBASS can support interactive security
analysis by using CVE-2005-4560, also known as the WMF SetAbortProc Escape
vulnerability. WMF stands for Windows Metafile Format. The formal specification of