
Page 1: Erik Cabetas An Overview of Interpreted Language Vulns

Erik Cabetas

An Overview of Interpreted Language Vulns

Page 2:

What is going on here?

• A fairly high-level discussion of the security bug classes that have been found in some interpreted languages in the last couple of years.

• To bring awareness about these problems.

• Prognostications as to where we’re going to find more vulns.

• Dominique Brezinski (BH.jp 05) and Justin Ferguson (ph-neutral 08).

Page 3:

What exactly is an “Interpreted Language”?

• You start out with HLL (high-level language) source code.
• At some point in time you want to execute it… so:
  – The source code goes through a language-specific JIT compiler and is turned into byte code (optimized ASTs).
  – The byte code gets run through a VM (optimized execution).
  – The VM references external library functionality.
  – The native executable code is produced.
  – Stuff executes.
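The pipeline on this slide, traced in CPython as an added example (this is not code from the talk): compile() is the parser/compiler stage that produces the byte code, dis exposes the instruction stream the VM will step through, exec() is the VM, and the final check shows where a call crosses from byte code into the interpreter's native C code, which is where the overflow bugs on the later slides live. SOURCE is a constructed sample program, and compile_to_bytecode, function_code, opcodes, run_module and native_backed are names chosen here.

```python
import dis
import types

# Constructed sample program; not code from the slides.
SOURCE = """
def add(a, b):
    return a + b
"""


def compile_to_bytecode(src: str) -> types.CodeType:
    """Stage 1: the parser/compiler turns HLL source into a code object
    (byte code plus constants). Syntax errors surface here, before anything runs."""
    return compile(src, "<example>", "exec")


def function_code(module_code: types.CodeType, name: str) -> types.CodeType:
    """A function body is a nested code object stored in the module's constants."""
    for const in module_code.co_consts:
        if isinstance(const, types.CodeType) and const.co_name == name:
            return const
    raise KeyError(name)


def opcodes(code: types.CodeType) -> list:
    """Stage 2 view: the instruction names the VM will execute for this code object."""
    return [ins.opname for ins in dis.get_instructions(code)]


def run_module(module_code: types.CodeType) -> dict:
    """Stage 3: hand the byte code to the VM and return the namespace it produced."""
    ns = {}
    exec(module_code, ns)
    return ns


def native_backed(obj) -> bool:
    """Stage 4 check: True when the callable is implemented in the interpreter's
    C code (a builtin) rather than in byte code. Native functions are the layer
    where memory-safety bugs, not Python exceptions, are the failure mode."""
    return isinstance(obj, types.BuiltinFunctionType)


if __name__ == "__main__":
    code = compile_to_bytecode(SOURCE)
    print(opcodes(function_code(code, "add")))
    ns = run_module(code)
    print(ns["add"](2, 3))
    print(native_backed(len), native_backed(ns["add"]))
```

The exact opcode names differ between CPython releases (BINARY_ADD on older interpreters, BINARY_OP on newer ones), which is itself a reminder that the byte code format is an internal detail of one VM version, not a stable interface.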

Page 4:

A Picture of said process

Page 5:

We’re not talking about…

• Any sort of pre-compiled language (C, C++, Fortran, PCL, Assembly)
• Any sort of pre-runtime compiled intermediate language: .NET, Java, JSPs, etc.
• Vulnerabilities in language frameworks/libraries (Struts, Spring, etc.)

Page 6:

So then we’re left with these kinds of languages..

• Ruby
• Perl
• PHP
• Python
• SQL (PL/SQL, T-SQL, etc.)
• JavaScript
• VBScript
• Regular Expressions

Page 7:

There are so many lines of code to get right…

• Lines of C source (.c and .h) per code base, counted with:
  (find . \( -name "*.c" -o -name "*.h" \) -exec wc -l {} \;|awk '{ print $1 }' |xargs|tr ' ' '+'|tr -d '\n' ;echo)|bc

• PHP 5.2.6: 779,862
• Ruby 1.8.7-p72: 214,829
• Perl 5.8.8: 227,454
• PCRE 7.8: 27,934

Page 8:

(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)

PCRE.org

• Library for regular expression parsing and execution.

• Found in Apache, glibc, PHP, KDE, Exim, Postfix, Analog, Nmap… etc.

• Had two widely publicized advisories: CVE-2005-2491 and CVE-2008-2371.

• {0,-99999999999999}
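A defensive check for the quantifier-bound shape shown above ({0,-99999999999999}), written as an added example that is not part of the talk or of PCRE: when an application accepts regular expressions from users, the pattern is vetted for negative, inverted or oversized {n,m} bounds and for excessive length before the engine ever parses it, and the engine's own parse error is turned into a refusal rather than an exception. MAX_PATTERN_LEN, MAX_REPEAT, check_pattern and safe_search are assumed names and policy values chosen here; the scan is deliberately conservative (it also looks at escaped braces), so it may refuse a few legitimate patterns.

```python
import re

# Assumed policy limits, not from the slides; tune for the application.
MAX_PATTERN_LEN = 512
MAX_REPEAT = 1000

# Finds bounded quantifiers: {n}, {n,}, {n,m}. A leading sign is accepted in
# the scan on purpose so that a malformed bound such as {0,-99999999999999}
# is caught by policy instead of being left to the engine.
_QUANT = re.compile(r"\{\s*(-?\d+)\s*(?:,\s*(-?\d*)\s*)?\}")


def check_pattern(pattern: str):
    """Vet an untrusted regular expression before it reaches the engine.
    Returns (ok, reason)."""
    if len(pattern) > MAX_PATTERN_LEN:
        return False, "pattern too long"
    for m in _QUANT.finditer(pattern):
        lo = int(m.group(1))
        hi_txt = m.group(2)
        if hi_txt is None or hi_txt == "":
            hi = lo                 # {n} is exact; {n,} has only a floor to check
        else:
            hi = int(hi_txt)        # {n,m}
        if lo < 0 or hi < 0:
            return False, "negative quantifier bound: " + m.group(0)
        if hi < lo:
            return False, "upper bound below lower bound: " + m.group(0)
        if lo > MAX_REPEAT or hi > MAX_REPEAT:
            return False, "quantifier bound exceeds policy: " + m.group(0)
    # Policy passed; now let the engine parse it, converting its error into
    # a plain refusal so callers get one code path for "bad pattern".
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, "engine rejected pattern: " + str(exc)
    return True, "ok"


def safe_search(pattern: str, text: str):
    """Search only with patterns that pass the policy; None means refused."""
    ok, _reason = check_pattern(pattern)
    if not ok:
        return None
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for p in ("a{2,5}b+", "a{0,-99999999999999}", "a{0,99999999999999}", "("):
        print(repr(p), check_pattern(p))
```

The policy check runs before the engine touches the pattern, so a bound the engine's own parser mishandles is never seen by it; the length cap also limits how much work a single user-supplied pattern can demand.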

Page 9:

PCRE.org

• Feb 17 2003: 1 overflow fix
• Dec 1 2003: 1 overflow fix
• Aug 1 2005: 2 overflow fixes
• Feb 1 2006: 1 overflow fix
• July 4 2006: 4 overflow fixes
• Dec 6 2006: 1 overflow fix
• Aug 28 2007: 2 overflow fixes
• Jan 28 2008: 1 overflow fix

There will be more bugs!

Page 10:

Page 11:

Ruby

• rb_str_buf_append: CVE-2008-2662
• rb_ary_store: CVE-2008-2663
• rb_str_format: CVE-2008-2664
• rb_ary_splice: CVE-2008-2725
• rb_ary_splice: CVE-2008-2726

• Bugs credited to Drew Yao of Apple.

• but… There will be more bugs!

Page 12:

Drew wasn’t the first…

• “jf” is Justin Ferguson

Page 13:

Python

• David Remahl of Apple Product Security reported several integer overflows in core modules such as stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule and mmapmodule (CVE-2008-2315). He also reported an integer overflow in the hashlib module, leading to unreliable cryptographic digest results (CVE-2008-2316).

• Justin Ferguson reported multiple buffer overflows in unicode string processing that only affect 32-bit systems (CVE-2008-3142). He also found multiple integer underflows and overflows in the PyOS_vsnprintf() function, and an off-by-one error when passing zero-length strings, leading to memory corruption (CVE-2008-3144).

• The Google Security Team reported multiple integer overflows (CVE-2008-3143).

Page 14:

Python Shell…what?

There will be more bugs!

Page 15:

PHP (yeah I know…too easy)

Page 16:

Month^H^H^H^HLife of PHP bugs

• Number of MOPB PHP-specific vulns: 41
• Number of MOPB vulns already fixed in previous releases (5.2.1/4.4.6): 22
• Number of MOPB vulns fixed in recent 5.2.2/4.4.7 releases: 14
• Number of MOPB vulns fixed but not listed in the recent release changelogs: 3
• Number of days between MOPB end and next PHP release: 32
• Number of post-MOPB bugs released by MOPB initiative: 1
• Number of MOPB vulns not fixed: 5

Page 17:

Where were the bugs?

• Extension lib function: 4
• Internal VM: 15
• Available-by-default native function: 22
• Language parser: 0
• VM byte code interpreter: 0

No more bugs!

Page 18:

Javascript

• Has been done to death… Javascript fuzzers for everything!

• HD Moore, Zalewski et al. have done fuzzing of Javascript DOM functions.

• Jesse Ruderman (Mozilla) has released jsfuzzfun.

• More things handle JS than you think.

There will be more bugs!

Page 19:

SQL

• 1. SQL Manipulation: manipulation is the process of modifying the SQL statements by using various operations such as UNION. Another way of implementing SQL injection using the SQL manipulation method is by changing the WHERE clause of the SQL statement to get different results.

• 2. Code Injection: code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.

• 3. Function Call Injection: function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulating data in the database.

• 4. Buffer Overflows: buffer overflows are caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is unpatched.

• Article by Raheel Ahmad, July 5th 2008 on ezinearticles.com
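Items 1 and 2 of the taxonomy above, shown as an added example against SQLite (not code from the talk or from the cited article): the concatenated query lets a quote character in the input rewrite the WHERE clause, the parameterized query keeps the same input as data, and the last function shows why appending a second statement (item 2) depends on the driver executing several statements per request, since sqlite3's execute() refuses a trailing statement. make_db builds a constructed sample table; lookup_concatenated, lookup_parameterized and stacked_statement_runs are names chosen here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not data from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form (slide item 1): the caller's string is spliced into the
    statement text, so a quote in it changes the statement's grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement shape is fixed when it is prepared and the
    value is bound afterwards, so it is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def stacked_statement_runs(conn: sqlite3.Connection, name: str) -> bool:
    """Slide item 2 needs multiple statements per request. The concatenation
    bug is still present here, but sqlite3.execute() rejects any SQL left
    after the first statement, so the appended statement never runs."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        conn.execute(sql)
    except (sqlite3.Warning, sqlite3.Error):
        # Older CPython raised sqlite3.Warning for this, newer raises
        # ProgrammingError; both mean the extra statement was refused.
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    where_tweak = "nobody' OR 'a'='a"
    print(lookup_concatenated(db, where_tweak))      # every row: clause rewritten
    print(lookup_parameterized(db, where_tweak))     # []: compared as a literal name
    print(stacked_statement_runs(db, "nobody'; SELECT 1; --"))
```

The driver-level refusal in the last function is a property of this one binding, not of SQL in general; other client libraries do execute stacked statements, which is exactly the condition the article's item 2 names, so parameterization rather than driver behaviour is the control to rely on.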

Page 20:

Where the bugs live..

• Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014)

• At the semantic level… SQL parser bugs:
  SELECT * FROM breaki%nStuff WHERE AAAAAAAAAAAAAAAA='foo'

• At the syntax level….
  SELECT [[[[[[[[[[[[[FOO] FROM WHATEVER

• At the function, extended procedure, or native procedure level…. “Access through Access” by Brett Moore

• At the database kernel level, i.e. problems with primitive types, etc….

Page 21:

Only a server-side remote problem?

• Firefox ships with v3.5.4.1 of SQLite.
• SQLite v3.4.0: a major security cleanup to remove all sprintf() and strcpy() calls in the code base, in June 2007.
• There are 50 native functions in SQLite….
• WebKit ships with its own implementation of a lightweight SQL engine.

Page 22:

HTML 5 == Job security

• “Abusing HTML 5 Structured Client-side Storage” by Alberto Trivero

Page 23:

Erik.Cabetas.com

Thanks for your time!