Some time ago we got the idea to select projects alphabetically, pick a project for each letter from a to z and find at least one bug in it.
We don’t have a strict plan, rules or deadlines. We treat it as a freestyle battle and we just test whatever we want to.
Our goal is to try different approaches including many flavours of fuzzing, code review, static analysis, dynamic
analysis, divination etc. We’re going to write not only about what worked for us, but also about our failures. We plan
to issue posts on each letter randomly, so here’s the first post for the letter A!
A is for Alpine.
Alpine is a terminal e-mail client which was created
at the University of Washington as a Pine rewrite. The truth behind this choice is that our friend is a hard-core
alpine user, while some of us are in the mutt camp. So we thought that it would be fun to crash his favourite
We tried to take the simplest possible approach to cause crashes and detect them.
To generate test cases we decided to use the greatest mutator available - Radamsa.
It is just a binary, so we created a simple Python wrapper:
As Alpine has many options, we chose a few that seemed to have the greatest potential:
Detection was based on AddressSanitizer (ASan), a memory error detector that has to be enabled during compilation:
ASan also required runtime configuration so that crash reports were saved under names that let us trace each one back to its test case and payload and repeat the crash.
The last step was to run Alpine from the script. It wasn’t as easy as just executing a binary with generated options, because Alpine runs in an interactive mode and some options may cause a problem only after a while. Passing the process to the background (& at the end of a command) wasn’t an option because the binary paused execution. So we utilized GNU Screen. We would start Alpine inside a screen, give it one second to crash and then kill the running screen.
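The harness steps described above (mutate with Radamsa, build the option, configure ASan logging, run inside GNU Screen for one second), as an added example that is not the authors' original script. The option templates, the `./alpine` path, the `crashes` directory and all function names are assumptions.

```python
import os
import subprocess
import time

# Assumed option templates; {} is replaced by the mutated payload.
TEMPLATES = [
    [b"-url", b"{}"],
    [b"-f", b"{}"],
    [b"-last-time-prune-questioned={}"],
    [b"-{}=1"],  # mutated option name
]

def mutate(sample, seed, cmd=None):
    """Pipe sample through radamsa; the seed makes the payload reproducible."""
    cmd = cmd or ["radamsa", "--seed", str(seed)]
    return subprocess.run(cmd, input=sample, capture_output=True, check=True).stdout

def build_args(template, payload, limit=65536):
    """argv strings cannot hold NUL and have a per-argument size limit."""
    payload = payload.replace(b"\x00", b"")[:limit]
    return [part.replace(b"{}", payload) for part in template]

def asan_env(case_id, crash_dir):
    """ASan appends .<pid> to log_path, so each report is named after its case."""
    env = dict(os.environ)
    log_path = os.path.abspath(os.path.join(crash_dir, "case-%06d" % case_id))
    env["ASAN_OPTIONS"] = "log_path=" + log_path
    return env

def run_case(case_id, args, alpine=b"./alpine", crash_dir="crashes", wait=1.0):
    """Run Alpine in a detached screen, wait, kill it, return new ASan reports."""
    os.makedirs(crash_dir, exist_ok=True)
    session = b"fuzz-%d" % case_id
    subprocess.run([b"screen", b"-dmS", session, alpine] + args,
                   env=asan_env(case_id, crash_dir), check=True)
    time.sleep(wait)
    # Returns non-zero if Alpine already died and the session is gone; ignore it.
    subprocess.run([b"screen", b"-S", session, b"-X", b"quit"],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    prefix = "case-%06d." % case_id
    return sorted(f for f in os.listdir(crash_dir) if f.startswith(prefix))

if __name__ == "__main__":
    seed_input = b"imap://user@example.org/INBOX#fragment"  # constructed sample
    for case_id in range(1000):
        template = TEMPLATES[case_id % len(TEMPLATES)]
        args = build_args(template, mutate(seed_input, seed=case_id))
        for report in run_case(case_id, args):
            print("crash:", report, "radamsa seed:", case_id, "template:", template)
```

Because the case number doubles as the Radamsa seed and selects the template, a report named `case-000123.<pid>` is enough to regenerate the exact command line that produced it.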
Another take was to try to crash Alpine via a mailbox, so we crafted a super simple script in the hope that we’d find something interesting in the parsing. We downloaded tons of spam and tried to mutate it with radamsa.
We didn’t find anything, BUT we found a bug with a non-tty file passed as stdin, which is described below. :)
After the scripts had been running for some time, crashes began to appear. From many repetitive crashes, we extracted a few unique ones.
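One way to reduce many repetitive ASan reports to unique crashes is to bucket them by error type and the top application frames of the faulting stack. This is an added example, not the authors' tooling; the sample reports, function names and paths in it are constructed.

```python
import re
from collections import defaultdict

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)
# Sanitizer-runtime frames say nothing about where the application bug is.
NOISE = ("__interceptor_", "__asan", "__sanitizer")

def signature(report, depth=3):
    """(error type, top application frames) of the faulting stack, or None."""
    m = ERROR_RE.search(report)
    if not m:
        return None
    # The first trace is the faulting access; later ones are alloc/free history.
    first_trace = report[m.end():].split("\n\n", 1)[0]
    frames = [f for f in FRAME_RE.findall(first_trace) if not f.startswith(NOISE)]
    return m.group(1), tuple(frames[:depth])

def bucket(reports):
    """Group report names by signature; one bucket is one candidate bug."""
    buckets = defaultdict(list)
    for name, text in sorted(reports.items()):
        sig = signature(text)
        if sig is not None:
            buckets[sig].append(name)
    return dict(buckets)

# Constructed reports; function names and paths are hypothetical.
OVERFLOW = """==4101==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011
READ of size 1 at 0x602000000011 thread T0
    #0 0x7f01aa in __interceptor_strlen
    #1 0x4a1b2c in parse_url_fragment /src/url.c:88
    #2 0x4a2000 in handle_url_arg /src/args.c:140
    #3 0x4a3000 in main /src/main.c:30

allocated by thread T0 here:
    #0 0x7f02bb in __interceptor_malloc
    #1 0x4a2100 in copy_arg /src/args.c:52
"""
SEGV = """==4177==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==4177==The signal is caused by a READ memory access.
    #0 0x4b0000 in read_addrlist /src/main.c:210
    #1 0x4b1000 in main /src/main.c:44
"""
SAMPLE = {
    "case-000012.4101": OVERFLOW,
    "case-000040.5200": OVERFLOW.replace("4101", "5200").replace("0011", "0451"),
    "case-000033.4177": SEGV,
}
```

Calling `bucket(SAMPLE)` puts the two overflow reports, which differ only in PID and address, into one bucket and the SEGV into another.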
empty url fragment:
invalid format of last-time-prune-questioned option:
printf formatting characters in option name:
extremely long option name:
crash on file that is not a tty:
Quick analysis of the last bug
The problem is in alpine.c:
The if condition is satisfied when stdin_getc != NULL and args.action == aaFolder:
stdin_getc is set when stdin is not a tty; args.action is set because of the -f switch, which copies data to args.data:
The problem is that it’s a union, and the code internally uses args.data.mail.addrlist
which points to the string:
So the bug seems to be caused by the confusion of args.data usage. Exploitability we left as an exercise for you, dear reader!
For the four bugs we created patches. These patches and a detailed description of the last crash were sent to the developer responsible for the Alpine project. He reacted quickly, reviewing and accepting our patches and fixing the fifth crash within a few days! Much more can be done with Alpine, as we didn’t find a way to crash it remotely.