my presentation at OWASP conference 2008

An Overview of Interpreted Language Vulns
Erik Cabetas
What is going on here?
• A fairly high-level discussion of the security bug classes that have been found in some interpreted languages in the last couple of years.
• To bring awareness about these problems.
• Prognostications as to where we’re going to find more vulns.
• Dominique Brezinski (BH.jp 05) and Justin Ferguson (ph-neutral 08).
What exactly is an “Interpreted Language”?
• You start out with a HLL source code language
• At some point in time you want to execute it…so
– The source code goes through a language-specific JIT compiler and is turned into byte code (optimized ASTs).
– The byte code gets run through a VM (optimized execution).
– The VM references external library functionality.
– The native executable code is produced.
– Stuff executes.
A Picture of said process
We’re not talking about…
• Any sort of pre-compiled languages (C, C++, Fortran, PCL, Assembly)
• Any sort of pre-runtime compiled intermediate language: .NET, Java, JSPs, etc.
• Vulnerabilities in language Frameworks/Libraries (Struts, Spring, etc.)
So then we’re left with these kinds of languages…
Ruby
Perl
PHP
Python
SQL (PL/SQL, T-SQL, etc.)
JavaScript
VBScript
Regular Expressions
There’s so many lines of code to get right…
• (find . \( -name "*.c" -o -name "*.h" \) -exec wc -l {} \;|awk '{ print $1 }' |xargs|tr ' ' '+'|tr -d '\n' ;echo)|bc   # total lines of all .c/.h files under the current directory
• PHP 5.2.6: 779,862
• Ruby 1.8.7-p72: 214,829
• PERL 5.8.8: 227,454
• PCRE 7.8: 27,934
PCRE.org
• Lib for Regular Expression parsing and execution.
• Found in Apache, GLibc, PHP, KDE, Exim, Postfix, Analog, Nmap…etc.
• Had two widely publicized advisories: CVE-2005-2491 & CVE-2008-2371
• {0,-99999999999999}
(Slide background: a page-long regular expression, not reproduced here.)
PCRE.org
• Feb 17 2003: 1 overflow fix
• Dec 1 2003: 1 overflow fix
• Aug 1 2005: 2 overflow fixes
• Feb 1 2006: 1 overflow fix
• July 4 2006: 4 overflow fixes
• Dec 6 2006: 1 overflow fix
• Aug 28 2007: 2 overflow fixes
• Jan 28 2008: 1 overflow fix
Ruby
• rb_str_buf_append: CVE-2008-2662
• rb_ary_store: CVE-2008-2663
• rb_str_format: CVE-2008-2664
• rb_ary_splice: CVE-2008-2725
• rb_ary_splice: CVE-2008-2726
• Bugs credited to Drew Yao of Apple
• but… Drew wasn’t the first…
• “jf” is Justin Ferguson
Python
• David Remahl of Apple Product Security reported several integer overflows in core modules such as stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule (CVE-2008-2315); he also reported an integer overflow in the hashlib module, leading to unreliable cryptographic digest results (CVE-2008-2316).
• Justin Ferguson reported multiple buffer overflows in unicode string processing that only affect 32-bit systems (CVE-2008-3142). He also found multiple integer underflows and overflows in the PyOS_vsnprintf() function, and an off-by-one error when passing zero-length strings, leading to memory corruption (CVE-2008-3144).
• The Google Security Team reported multiple integer overflows (CVE-2008-3143).
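The Ruby and Python bugs listed above are length-arithmetic overflows inside the native runtime. As an added example (not code from Ruby, Python or this talk), here is a hypothetical "repeat" primitive with the unchecked size computation beside the checked one; a 32-bit length type is assumed so the wrap reproduces on a 64-bit host:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 32-bit length type so the wrap reproduces on any host
   (the Python bugs above were reported as 32-bit only). */
typedef uint32_t rlen_t;

/* Unchecked size arithmetic of the kind behind the rb_ary_* / stringobject
   integer overflows: len * count wraps, so the buffer requested is tiny
   while the copy that follows is huge. 0x40000000 * 4 wraps to 0 (+1 = 1). */
rlen_t repeat_alloc_size_unchecked(rlen_t len, rlen_t count)
{
    return len * count + 1;            /* +1 for the terminator */
}

/* Hardened: reject before multiplying when the product cannot fit. */
int repeat_alloc_size_checked(rlen_t len, rlen_t count, rlen_t *out)
{
    if (count != 0 && len > (UINT32_MAX - 1) / count)
        return 0;                      /* would overflow: refuse */
    *out = len * count + 1;
    return 1;
}

/* A "string * n" primitive built on the checked size. Returns NULL rather
   than an undersized buffer; count == 0 yields "" (no off-by-one on the
   terminator). Caller frees the result. */
char *str_repeat(const char *s, rlen_t count)
{
    rlen_t len = (rlen_t)strlen(s), size;
    if (!repeat_alloc_size_checked(len, count, &size))
        return NULL;
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    for (rlen_t i = 0; i < count; i++)
        memcpy(buf + (size_t)i * len, s, len);
    buf[size - 1] = '\0';
    return buf;
}

/* Convenience for checking results: repeat, compare, free. */
int str_repeat_equals(const char *s, rlen_t count, const char *expected)
{
    char *r = str_repeat(s, count);
    int ok = (r != NULL) && strcmp(r, expected) == 0;
    free(r);
    return ok;
}
```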
Python Shell…what?
PHP (yeah I know…too easy)
Month^H^H^H^HLife of PHP bugs
• Number of MOPB PHP-specific vulns: 41
• Number of MOPB vulns already fixed in previous releases (5.2.1/4.4.6): 22
• Number of MOPB vulns fixed in recent 5.2.2/4.4.7 releases: 14
• Number of MOPB vulns fixed but not listed in the recent release changelogs: 3
• Number of days between MOPB end and next PHP release: 32
• Number of post-MOPB bugs released by MOPB initiative: 1
• Number of MOPB vulns not fixed: 5
Where were the bugs?
• Extension lib function: 4
• Internal VM: 15
• Available by Default Native function: 22
• Language Parser: 0
• VM Byte code interpreter: 0
Javascript
• Has been done to death…Javascript fuzzers for everything!
• HD Moore, Zalewski et al. have done fuzzing of javascript DOM functions.
• Jesse Ruderman (Mozilla) has released jsfuzzfun.
• More things handle JS than you think
SQL
1. SQL Manipulation: manipulation is the process of modifying the SQL statements by using various operations such as UNION. Another way of implementing SQL Injection using the SQL Manipulation method is by changing the WHERE clause of the SQL statement to get different results.
2. Code Injection: Code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
3. Function Call Injection: Function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulating data in the database.
4. Buffer Overflows: Buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is un-patched.
Article by Raheel Ahmad, July 5th 2008 on ezinearticles.com
Where the bugs live…
• Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014)
• At the Semantic level…SQL Parser bugs: SELECT * FROM breaki%nStuff WHERE AAAAAAAAAAAAAAAA='foo'
• At the Syntax level…SELECT [[[[[[[[[[[[[FOO] FROM WHATEVER
• At the function, extended procedure, or native procedure level…“Access through Access” by Brett Moore
• At the database kernel level, i.e. problems with primitive types, etc.…
Only a server-side remote problem?
• Firefox ships with v3.5.4.1 of SQLite
• SQLite v3.4.0 had a major security cleanup to remove all sprintf() and strcpy() calls in the code base in June 2007.
• There are 50 native functions in SQLite….
• WebKit ships with its own implementation of a lightweight SQL engine.
HTML 5 == Job security
• “Abusing HTML 5 Structured Client-side Storage” by Alberto Trivero
Erik.Cabetas.com
Thanks for your time!