https://bugzilla.redhat.com/show_bug.cgi?id=832698
Bug ID: 832698
Summary: Review Request: CERT Triage tools - a gdb extension similar to microsoft's !exploitable
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Status: NEW
OS: Linux
Hardware: All
Severity: medium
Priority: medium
Reporter: bressers@redhat.com
Assignee: nobody@fedoraproject.org
QA Contact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Type: ---
Regression: ---
Story Points: ---
Documentation: ---
Mount Type: ---
Spec URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable.spec
SRPM URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable-1.01-1.fc16...
Description: CERT Triage tools, which currently only contain a gdb extension called exploitable
Fedora Account System Username: bressers
I've packaged up CERT's Triage tools, which are really just a gdb extension right now. The package installs an extension-specific Python module and a script into /usr/bin.
The script doesn't currently have a man page (it's on my list). I wanted to start the review now as I'm certain this will need some work.
The extension basically shows the user whether their application crash is exploitable or not (it's certainly not perfect, but getting this to a wider audience should help improve it greatly).
For example:
bress@localhost ~ % cert-triage /tmp/test
warning: Current output protocol does not support redirection
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (14/21)
Hash: f7ba00781cd7cb6b8ae2fbf50d65e661.f7ba00781cd7cb6b8ae2fbf50d65e661
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, there is a chance it could be a NULL dereference.
Other tags: AccessViolation (20/21)
Additionally, this can be run directly from gdb via the 'exploitable' command.
Thanks.
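The report output above comes from one of the extension's rules: the faulting address is compared against the operands of the faulting instruction to decide whether the crash is a write (destination-operand) or read (source-operand) fault, and whether the address is close to NULL. The following is an added, constructed illustration of that idea in plain Python; it is not the CERT extension's code and not part of the package under review. It takes the facts a debugger can supply at a SIGSEGV (pc, faulting address, the faulting instruction in AT&T syntax, register values) and returns a verdict in the same shape as the report. Only the names DestAvNearNull and AccessViolation come from the output above; the other rule names, the verdicts attached to them, the 64 KiB "near NULL" threshold and the treatment of cmp/test as read-only are assumptions made for this example.

```python
"""Toy version of the operand-matching heuristic shown in the bug report.

Constructed for illustration; NOT the CERT 'exploitable' code.  Given the
facts a debugger provides at SIGSEGV (pc, faulting address, the faulting
instruction in AT&T syntax, register values), decide whether the fault is a
read or a write access violation and whether the address is "near NULL".
Only DestAvNearNull and AccessViolation appear in the report; every other
rule name, the verdict attached to it and the 64 KiB threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

NEAR_NULL_LIMIT = 0x10000          # assumption: below 64 KiB counts as "near NULL"
READ_ONLY = {"cmp", "test"}        # assumption: last operand is compared, not written
MEM_RE = re.compile(r"^(?P<disp>-?0x[0-9a-fA-F]+|-?\d+)?"
                    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)$")

# rule -> (classification, short description, explanation); verdicts are assumptions
RULES = {
    "DestAv": ("EXPLOITABLE", "Access violation on destination operand",
               "The faulting address matches the destination operand, so the attacker "
               "may control the write address and/or value."),
    "DestAvNearNull": ("PROBABLY_EXPLOITABLE", "Access violation near NULL on destination operand",
               "Write access violation at a small address; likely a NULL dereference, "
               "but a controlled write cannot be ruled out."),
    "SourceAv": ("UNKNOWN", "Access violation on source operand",
               "Read fault: exploitable only if the value read is later used dangerously."),
    "SourceAvNearNull": ("PROBABLY_NOT_EXPLOITABLE", "Access violation near NULL on source operand",
               "Read fault at a small address; most likely a plain NULL dereference."),
    "ExecAv": ("EXPLOITABLE", "Access violation during instruction fetch",
               "The program counter itself is the faulting address: control flow is hijacked."),
    "UnknownAv": ("UNKNOWN", "Access violation on unknown operand",
               "The faulting address matches no operand this toy parser understands."),
}

@dataclass
class Fault:
    pc: int
    fault_addr: int
    insn: str                                   # AT&T syntax, source first: "mov %eax,(%rdx)"
    regs: dict = field(default_factory=dict)    # keyed by name as written: {"rdx": 0}

def split_operands(ops: str) -> list:
    """Split on commas that are not inside a (base,index,scale) group."""
    out, cur, depth = [], "", 0
    for ch in ops:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        out.append(cur.strip())
    return out

def effective_address(operand: str, regs: dict):
    """Address a memory operand refers to, or None for registers and immediates."""
    m = MEM_RE.match(operand)
    if not m:
        return int(operand, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", operand) else None
    addr = int(m.group("disp"), 0) if m.group("disp") else 0
    if m.group("base"):
        addr += regs.get(m.group("base").lstrip("%"), 0)
    if m.group("index"):
        addr += regs.get(m.group("index").lstrip("%"), 0) * int(m.group("scale") or 1)
    return addr & 0xFFFFFFFFFFFFFFFF

def classify(f: Fault) -> dict:
    """Return the rule that fired plus its classification, shaped like the report."""
    near = "NearNull" if f.fault_addr < NEAR_NULL_LIMIT else ""
    if f.fault_addr == f.pc:
        rule = "ExecAv"                         # fetching the instruction itself faulted
    else:
        parts = f.insn.split(None, 1)
        mnemonic, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        operands = split_operands(rest) if rest else []
        writes = mnemonic.rstrip("bwlq") not in READ_ONLY   # strip AT&T size suffix
        # AT&T order: the last operand is the destination (if the insn writes at all)
        dest = operands[-1] if operands and writes else None
        sources = operands[:-1] if dest is not None else operands
        if dest is not None and effective_address(dest, f.regs) == f.fault_addr:
            rule = "DestAv" + near
        elif any(effective_address(s, f.regs) == f.fault_addr for s in sources):
            rule = "SourceAv" + near
        else:
            rule = "UnknownAv"
    classification, short, explanation = RULES[rule]
    return {"rule": rule, "classification": classification,
            "short_description": short, "explanation": explanation,
            "tags": ["AccessViolation"]}

if __name__ == "__main__":
    # constructed crash: store through a NULL struct pointer, field at offset 0x10
    sample = Fault(pc=0x400537, fault_addr=0x10, insn="mov %eax,0x10(%rdx)", regs={"rdx": 0})
    for k, v in classify(sample).items():
        print(f"{k}: {v}")
```

The interesting part is the ordering of the checks: a fault on the program counter is judged before any operand is parsed, a destination match is tried before a source match, and the "near NULL" qualifier only changes the verdict, not the rule family. Instructions whose last operand is not written (cmp, test) are the classic false positive when naively treating "last AT&T operand" as "destination", which is why the real extension needs per-instruction semantics rather than this string heuristic.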