The state of things

Right now if you pick up a random tool from a Linux system that does file parsing and fuzz it chances are high that you'll immediately hit some segfaults. This is a pretty dismal state.

This affects all kinds of tools and libraries. Image parsing, executable handling, compilers, disassemblers, office file viewers / decoders etc.

There are a few exceptions. Everything that is used by browsers (for example image and multimedia libraries) is usually in a better state. Browsers receive far greater attention when it comes to security issues and the big projects have bug bounty programs.

The story of strings

This tweet and the follow-up discussion was quite a surprise to some people:

Quick quiz: would you ever run strings on an untrusted file?

strings is a tool that's avaliable on most Unix/Linux systems. It parses binary files and prints out everything that is in printable ASCII chars. However, few people knew that it does more than that. Running strings on executable files will decode their symbol table with libbfd. strings and libbfd are part of binutils.

Tavis Ormandy already found a crasher in strings in 2005. After an initial discovery of a crasher by Michael Zalewski other people started fuzzing binutils and found a sheer endless number of further issues.

The bottom line: Even tools where you wouldn't expect it can be dangerous if you run them on untrusted input. strings can be convinced to behave like most people expect it with the parameter -a. Then it won't parse executables and just print printable characters.

The story of less and lesspipe

less is a very common tool in Linux/Unix systems to view text files. However less has a feature that you can define a script through the environment variable LESSPIPE. If this is done then all input is pre-piped through the given script.

Most Linux distributions ship a script lesspipe or and automatically set the env var. This script will determine a suitable tool to parse the input by the file extension. Usually this includes a vast number of tools that should mostly be considered insecure when it comes to untrusted input.

The story is made more complicated by the fact that there's no single lesspipe script. Every Linux distribution is doing its own thing here and there are various variations of it (generic, Fedora, Gentoo, Debian).

The Fuzzing Project is run by Hanno Böck