Man Linux: Main Page and Category List


       bfbtester - Brute Force Binary Tester


       bfbtester  [-htv]  [-d level] [-r rejects] [-o out-file] [-x max-execs]
       -a|[-sme] files ...


       BFBTester is great for  doing  quick,  proactive,  security  checks  of
       binary  programs.  BFBTester will perform checks of single and multiple
       argument  command  line  overflows  as  well  as  environment  variable
       overflows.  BFBTester  can also watch for tempfile creation activity to
       alert the user of any  programs  using  unsafe  tempfile  names.  While
       BFBTester  can  not  test  all  overflows in software, it is useful for
       detecting initial mistakes that can red flag dangerous software.


       You must specify one or more of the following tests:

       -s     Single Argument Test.

       -m     Multiple Argument Test.

       -e     Environment Variable Test.

       -a     Selects all tests
              Other options:

       -h     Print help.

       -t     Enable tempfile monitoring.

       -v     Print version string.

       -d level
              Set debug level (default = 0, max = 2).

       -r rejects
              Comma separated list of binaries to skip.

       -o out-file
              Output to out-file rather than stdout.

       -x max-execs
              Set maximum executables to run in parallel (default = 250).

       file   Specific binary or a directory of binaries to test.


       You must specify at least one test to run and you must specify either a
       binary or a directory.

       Executable selection is now done in one of several ways:

       If  the  executable  filename  is  specified  with  a leading slash (an
       absolute path), no selection is used and the supplied absolute filename
       is used.

       If  there  is no leading slash in the filename the selection is made in
       one of two ways (in this order):
         1) Prepend file name with $PWD and test accesiblity
         2) Search through $PATH and  find  first  accessible  executable  The
       first one to succeed is the executable choosen.

       If  the filename found is a directory, we walk the directory (one level
       deep) looking for executable binaries.

       Symbolic links are followed.

       You  can  specify  binaries  to  skip  (useful  when  loading  a  whole
       directory) by using the -r option.

       The following is a crash report:

       *** Crash </usr/bin/patch> ***
        args:           -D [05120]
        envs:           (null)
        Signal:         11 ( Segmentation fault )
        Core?           Yes

       This  means  "/usr/bin/patch"  crashed when fed with an "-D" and a word
       5,120 characters long:

       $ /usr/bin/patch -D AAA...5,120 characters...AAA

       (Numbers in brackets mean replace with  a  word  that  many  characters

       BFBTester  is  very  CPU  intensive,  and  will open many files, so you
       probably don’t want to run it  on  a  production  machine  during  it’s
       busiest period. Just a warning...


       bfbtester -s /usr/bin
              Run the single argument test on all binaries in folder /usr/bin.

       bfbtester -ta patch traceroute
              Run all tests against patch and traceroute and run the  tempfile

       bfbtester -a ./bfbtester
              Tests bfbtester (provided it’s in the same directory).

       bfbtester -r kill /usr/bin/kill
              Does nothing.


       This  manual  page  was written by Karl Soderstrom <>, for
       the Debian GNU/Linux system (but may be used by others).

                               januari 23, 2001