NAME
bfbtester - Brute Force Binary Tester
SYNOPSIS
bfbtester [-htv] [-d level] [-r rejects] [-o out-file] [-x max-execs]
-a|[-sme] files ...
DESCRIPTION
BFBTester is great for doing quick, proactive security checks of
binary programs. BFBTester will perform checks of single and multiple
argument command line overflows as well as environment variable
overflows. BFBTester can also watch for tempfile creation activity to
alert the user of any programs using unsafe tempfile names. While
BFBTester cannot test all overflows in software, it is useful for
detecting initial mistakes that can red flag dangerous software.
OPTIONS
You must specify one or more of the following tests:
-s Single Argument Test.
-m Multiple Argument Test.
-e Environment Variable Test.
-a Selects all tests.
Other options:
-h Print help.
-t Enable tempfile monitoring.
-v Print version string.
-d level
Set debug level (default = 0, max = 2).
-r rejects
Comma separated list of binaries to skip.
-o out-file
Output to out-file rather than stdout.
-x max-execs
Set maximum executables to run in parallel (default = 250).
file Specific binary or a directory of binaries to test.
OVERVIEW
You must specify at least one test to run and you must specify either a
binary or a directory.
Executable selection is now done in one of several ways:
If the executable filename is specified with a leading slash (an
absolute path), no selection is used and the supplied absolute filename
is used.
If there is no leading slash in the filename the selection is made in
one of two ways (in this order):
1) Prepend file name with $PWD and test accessibility
2) Search through $PATH and find first accessible executable
The first one to succeed is the executable chosen.
If the filename found is a directory, we walk the directory (one level
deep) looking for executable binaries.
Symbolic links are followed.
You can specify binaries to skip (useful when loading a whole
directory) by using the -r option.
The following is a crash report:
*** Crash </usr/bin/patch> ***
args: -D [05120]
envs: (null)
Signal: 11 ( Segmentation fault )
Core? Yes
This means "/usr/bin/patch" crashed when fed with an "-D" and a word
5,120 characters long:
$ /usr/bin/patch -D AAA...5,120 characters...AAA
(Numbers in brackets mean replace with a word that many characters
long)
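For triaging a larger run (for example a file written with -o), the following added example, which is not part of bfbtester or of this manual page, parses crash reports in the layout shown above and expands the bracketed lengths into a reproduction argv. It assumes arguments are separated by whitespace and handles only the fields visible in the sample report; the function names are illustrative.

```python
import re

# Constructed sample in the layout of the crash report shown above.
SAMPLE = """\
*** Crash </usr/bin/patch> ***
args: -D [05120]
envs: (null)
Signal: 11 ( Segmentation fault )
Core? Yes
"""

HEADER = re.compile(r"^\*\*\* Crash <(?P<binary>[^>]+)> \*\*\*$")
FIELD = re.compile(r"^(?P<key>args|envs|Signal|Core\?)\s*:?\s*(?P<value>.*)$")
PLACEHOLDER = re.compile(r"^\[(\d+)\]$")
SIGNAL = re.compile(r"^(\d+)\s*\(\s*(.*?)\s*\)$")

def expand(token, fill="A"):
    """Turn a [NNNNN] placeholder into a word that many characters long."""
    m = PLACEHOLDER.match(token)
    return fill * int(m.group(1)) if m else token

def parse_reports(text):
    """Return one dict per crash block found in bfbtester output."""
    reports, current = [], None
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            current = {"binary": head.group("binary"), "args": [], "envs": None}
            reports.append(current)
            continue
        field = FIELD.match(line)
        if current is None or not field:
            continue  # debug output or text outside a crash block
        key, value = field.group("key"), field.group("value")
        if key == "args":
            current["args"] = value.split()  # assumption: whitespace-separated
        elif key == "envs":
            current["envs"] = None if value == "(null)" else value
        elif key == "Signal":
            sig = SIGNAL.match(value)
            current["signal"] = (int(sig.group(1)), sig.group(2)) if sig else value
        else:  # "Core?"
            current["core"] = value.lower() == "yes"
    return reports

def repro_argv(report):
    """argv for re-running the crashing case, with placeholders expanded."""
    return [report["binary"]] + [expand(t) for t in report["args"]]
```

The list returned by repro_argv can be handed to subprocess.run under a debugger or with core dumps enabled to confirm the finding before filing a bug.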
BFBTester is very CPU intensive, and will open many files, so you
probably don’t want to run it on a production machine during its
busiest period. Just a warning...
EXAMPLES
bfbtester -s /usr/bin
Run the single argument test on all binaries in folder /usr/bin.
bfbtester -ta patch traceroute
Run all tests against patch and traceroute and run the tempfile
monitor.
bfbtester -a ./bfbtester
Tests bfbtester (provided it’s in the same directory).
bfbtester -r kill /usr/bin/kill
Does nothing.
AUTHOR
This manual page was written by Karl Soderstrom <ks@debian.org>, for
the Debian GNU/Linux system (but may be used by others).
January 23, 2001