School of Computer and Communication Sciences
LASEC - Security and Cryptography Laboratory

The security bug catcher

Summary

The security bug catcher is a tool for the automatic discovery of vulnerabilities in network-based applications. It is driven by two separate specifications. The protocol specification describes the interactions with the system under test: its states, the messages that can be sent in each state, and the possible state transitions based on the responses received. Each message is described by a generic syntax. The second specification describes the bugs to look out for: for each syntax, it lists all the variants that should be tried. Keeping the two specifications distinct makes it possible to search for the same kind of errors in different applications, or to validate the same set of applications against new types of errors.

Typical bugs discovered by the bug catcher are buffer overflows, parameters out of range, format string vulnerabilities and incorrect behaviour on unexpected commands.
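
The following is an added example, not part of the original page or the tool's source, that models the two-specification design in miniature: a constructed protocol specification (states, commands, field syntaxes, transitions), a constructed bug specification (variants per syntax), a generator that crosses the two, and a PORT handler in a naive and a hardened form to show how an out-of-range argument is caught. The names PROTOCOL, BUG_SPEC, generate_tests, parse_port_naive, parse_port_hardened and run_port_tests are assumptions of this example.

```python
# Added example: a miniature of the two-specification design described above. The
# protocol and bug specs are constructed here and are not the tool's real formats.
# --- Protocol specification: per state, the commands and the syntax of each field.
PROTOCOL = {
    "start":     {"USER": ("string",), "QUIT": ()},
    "need_pass": {"PASS": ("string",)},
    "logged_in": {"PORT": ("ip_port",), "CWD": ("string",), "QUIT": ()},
}
# (state, reply code) -> next state, used by a session driver to reach each state.
TRANSITIONS = {("start", 331): "need_pass", ("need_pass", 230): "logged_in"}
# --- Bug specification: variants per syntax, written without reference to a protocol.
BUG_SPEC = {
    "string":  {"format_string": ["%s%s%s%s", "%x%x%x%x"],
                "buffer_overflow": ["A" * 1024, "A" * 8192]},
    "ip_port": {"out_of_range": ["256,1,1,1,0,21", "127,0,0,1,999,0"],
                "wrong_arity":  ["127,0,0,1", ""]},
}

def generate_tests(protocol, bug_spec):
    """Cross the specs: each field whose syntax the bug spec knows gets every variant."""
    tests = []
    for state, commands in protocol.items():
        for cmd, syntaxes in commands.items():
            for syntax in syntaxes:
                for bug_class, variants in bug_spec.get(syntax, {}).items():
                    tests += [{"state": state, "command": cmd, "bug_class": bug_class,
                               "line": f"{cmd} {v}"} for v in variants]
    return tests

def parse_port_naive(arg):
    """Models a handler that trusts its input: raises on a value above 255 or bad arity."""
    h1, h2, h3, h4, p1, p2 = (int(p) for p in arg.split(","))
    return bytes([h1, h2, h3, h4, p1, p2])  # bytes() rejects values outside 0..255

def parse_port_hardened(arg):
    """Checks arity and range first; returns None (reply 501) on malformed input."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return parse_port_naive(arg)

def run_port_tests(tests, handler):
    """Feed each PORT variant to a handler; an exception is a finding (the real tool watches the server process instead)."""
    findings = []
    for t in (t for t in tests if t["command"] == "PORT"):
        try:
            handler(t["line"].split(" ", 1)[1])
        except ValueError as exc:
            findings.append((t["bug_class"], t["line"], type(exc).__name__))
    return findings
```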

The security bug catcher was programmed by Olivier Filols and Andreas Regg.

Publications

  • The security bug catcher, reloaded

    This is the report of the second semester project on this subject.

Download

  • Security bug catcher V2.0

    Tarball with sources and java binaries.

Vulnerability reports

While testing the security bug catcher we discovered various vulnerabilities. Most of them had already been documented, but a few were unpublished.

  • Platinum FTP Format string vulnerability

    Platinum FTP server 1.0.18 contains various format string vulnerabilities. Inserting multiple %s sequences in the username or in several commands crashes the server. The vulnerability may allow an attacker to run arbitrary commands in the server context.

    References: Bugtraq ID 9262, Secunia advisory SA10491

  • Oftpd denial of service vulnerability

    Oftpd 0.3.6 (part of the Debian Linux distribution) does not correctly handle unexpected values in the PORT command. A PORT command with an argument that is higher than 255 crashes the server.

    References: Bugtraq ID 9262, Secunia advisory SA10491


Philippe Oechslin, Last modified: June 2004

© 2011, EPFL