Erik Cabetas

An Overview of Interpreted Language Vulns Erik Cabetas

What is going on here? • A fairly high-level discussion of the security bug classes that have been found in some interpreted languages in the last couple years. • To bring awareness about these problems Prognostications as to where we’re going to find more vulns. • Dominique Brezinski (BH.jp 05) and Justin Ferguson (ph-neutral 08).

What exactly is an “Interpreted Language”? • You start out with a HLL source code language • At some point in time you want to execute it…so • The source code goes through a language specific JIT compiler and turned into byte code (optimized ASTs). • The byte gets run through a VM (optimized execution). • The VM references external library functionality • The native executable code is produced • Stuff executes

A Picture of said process

We’re not talking about… • : • Any sort of pre-compiled languages (C, C++, Fortran, PCL, Assembly) • Any sort of pre-runtime compiled intermediate language: .NET, Java, JSPs, etc. • Vulnerabilities in language Frameworks/Libraries (Struts, Spring, etc.)

So then we’re left with these kinds of languages.. • Ruby • Perl • PHP • Python • SQL (PL/SQL, T-SQL, etc.) • JavaScript • VBScript • Regular Expressions

There’s so many lines of code to get right… • (find . $ -name "*.c" -o -name "*.h" $ -exec wc -l {} \;|awk '{ print $1 }' |xargs|tr ' ' '+'|tr -d '\n' ;echo)|bc • PHP 5.2.6: 779,862 • Ruby 1.8.7-p72: 214,829 • PERL 5.8.8: 227,454 • PCRE 7.8 27,934

PCRE.org (?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?: \r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:( ?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0 31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\ ](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+ (?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?: (?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) ?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\ r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n) ?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t] )*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])* )(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*) • Lib for Regular Expression parsing and execution. • Found in Apache, GLibc, PHP, KDE, Exim, Postfix, Analog, Nmap….etc. • Had two widely publicized advisories CVE-2005-2491 & CVE-2008-2371 • {0,-99999999999999}

PCRE.org • Feb 17 2003 1 overflow fix • Dec 1 2003 1 overflow fix • Aug 1 2005 2 overflow fixes • Feb 1 2006 1 overflow fix • July 4 2006 4 overflow fixes • Dec 6 2006 1 overflow fix • Aug 28 2007 2 overflow fixes • Jan 28 2008 1 overflow fix There will be more bugs!

Ruby rb_str_buf_append CVE-2008-2662rb_ary_store CVE-2008-2663rb_str_format CVE-2008-2664rb_ary_splice CVE-2008-2725rb_ary_splice CVE-2008-2726 • Bugs accredited Drew Yao of Apple • but… There will be more bugs!

Drew wasn’t the first… • “jf” is Justin Ferguson

Python • David Remahl of Apple Product Security reported several integer overflows in core modules such as stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule CVE-2008-2315 he also reported an integer overflow in the hashlib module, leading to unreliable cryptographic digest results CVE-2008-2316. • Justin Ferguson reported multiple buffer overflows in unicode string processing thatonly affect 32bit systems CVE-2008-3142. Also found multiple integer underflows and overflows in the PyOS_vsnprintf() function, and an off-by-one error when passing zero-length strings, leading to memory corruption CVE-2008-3144. • The Google Security Team reported multiple integer overflows CVE-2008-3143

Python Shell…what? There will be more bugs!

PHP (yeah I know…too easy)

Month^H^H^H^HLife of PHP bugs • Number of MOPB PHP-specific vulns: 41 • Number of MOPB vulns already fixed in previous releases (5.2.1/4.4.6): 22 • Number of MOPB vulns fixed in recent 5.2.2/4.4.7 releases: 14 • Number of MOPB vulns fixed but not listed in the recent release changelogs: 3 • Number of days between MOPB end and next PHP release: 32 • Number of post-MOPB bugs released by MOPB initiative: 1 • Number of MOPB vulns not fixed: 5

Where were the bugs? • Extension lib function 4 • Internal VM 15 • Available by Default Native function 22 • Language Parser 0 • VM Byte code interpreter 0 No more bugs!

Javascript • Has been done to death…Javascript fuzzers for everything! • HD Moore, Zalewski Et. Al. have done fuzzing of javascript DOM functions. • Jesse Ruderman(Mozilla) has released jsfuzzfun. • More things handle JS than you think There will be more bugs!

SQL • 1. SQL Manipulation: manipulation is process of modifying the SQL statements by using various operations such as UNION .Another way for implementing SQL Injection using SQL Manipulation method is by changing the where clause of the SQL statement to get different results. • 2. Code Injection: Code injection is process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported. • 3. Function Call Injection: Function call injection is process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulate data in the database. • 4. Buffer Overflows: Buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is un-patched • Article by Raheel Ahmad, July 5th 2008 on ezinearticles.com

Where the bugs live.. • Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014) • At the Semantic level…SQL Parser bugs SELECT * FROM breaki%nStuff WHERE AAAAAAAAAAAAAAAA=’foo’ • At the Syntax level….SELECT [[[[[[[[[[[[[FOO] FROM WHATEVER • At the function, extended procedure, or native procedure level….“Access through Access” by Brett Moore • At the database kernel level i.e. problems with primitive types, etc….

Only a server-side remote problem? • Firefox ships with v3.5.4.1 of SQLite • SQLite v3.4.0 a major security cleanup to remove all sprintf() and strcpy() calls in the code base in June 2007. • There are 50 native functions in SQLite…. • WebKit ships with it’s own implementation of a lightweight SQL engine.

HTML 5 == Job security • “Abusing HTML 5 Structured Client-side Storage” by Alberto Trivero

Erik.Cabetas.com Thanks for Your time!

Erik Cabetas

Erik Cabetas

Presentation Transcript

Erik Erikson

Erik Ranheim

Erik Erikson

ERIK ERIKSON

Erik Fröjdh

Erik Erikson

Erik Erikson

Erik Erikson

Erik Verlinde

Erik Satie

Erik Erikson

Erik Erikson

Erik Larson

Erik Erikson

Erik Erikson

Erik Flowers

ERIK