
Erik Cabetas An Overview of Interpreted Language Vulns.


1 Erik Cabetas An Overview of Interpreted Language Vulns

2 What is going on here?
A fairly high-level discussion of the security bug classes that have been found in some interpreted languages in the last couple of years.
To bring awareness about these problems.
Prognostications as to where we're going to find more vulns.
Dominique Brezinski (BH.jp 05) and Justin Ferguson (ph-neutral 08).

3 What exactly is an "Interpreted Language"?
You start out with HLL (high-level language) source code.
At some point in time you want to execute it… so:
– The source code goes through a language-specific JIT compiler and is turned into byte code (optimized ASTs).
– The byte code gets run through a VM (optimized execution).
– The VM references external library functionality.
– The native executable code is produced.
– Stuff executes.
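To make the stages on this slide concrete for one of the languages the deck covers, here is an added example (mine, not from the deck) that walks a constructed CPython snippet through them: the source text is compiled to byte code, the byte code is handed to the VM, and the one builtin the snippet calls (`len`) resolves to native C code inside the interpreter, which is the layer the later slides' CVEs live in. The sample source and environment are constructed for the example.

```python
import dis
from typing import Any, Dict, List, Tuple

# Constructed sample program: one expression that calls a native builtin.
SAMPLE_SOURCE = "len(data) + 40"
SAMPLE_ENV: Dict[str, Any] = {"data": [1, 2]}


def compile_and_run(src: str, env: Dict[str, Any]) -> Tuple[List[str], Any]:
    """Walk the slide's stages for CPython.

    1. Source -> byte code: compile() parses the HLL text into a code object.
    2. Byte code -> VM: eval() hands the code object to the interpreter loop.
    3. VM -> external library: `len` resolves to a builtin implemented in C,
       i.e. the native layer where the deck's later CVEs were found.
    """
    code = compile(src, "<constructed-example>", "eval")
    # The VM's instruction stream. Opcode names differ across CPython releases
    # (BINARY_ADD became BINARY_OP in 3.11), so tooling should not hard-code them.
    opnames = [ins.opname for ins in dis.get_instructions(code)]
    # Only `len` is exposed as a builtin, so the snippet can reach exactly one
    # piece of native code; `data` is resolved from the supplied environment.
    result = eval(code, {"__builtins__": {"len": len}}, dict(env))
    return opnames, result


if __name__ == "__main__":
    ops, value = compile_and_run(SAMPLE_SOURCE, SAMPLE_ENV)
    print("byte code ops:", " ".join(ops))
    print("VM result:", value)
    dis.dis(compile(SAMPLE_SOURCE, "<constructed-example>", "eval"))
```

Running the block prints the opcode names and a disassembly; in eval mode every name is fetched with LOAD_NAME, so that opcode is a stable thing to look for across interpreter versions.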

4 A Picture of said process

5 We're not talking about…:
Any sort of pre-compiled languages (C, C++, Fortran, PCL, Assembly)
Any sort of pre-runtime compiled intermediate language: .NET, Java, JSPs, etc.
Vulnerabilities in language frameworks/libraries (Struts, Spring, etc.)

6 So then we're left with these kinds of languages..
Ruby
Perl
PHP
Python
SQL (PL/SQL, T-SQL, etc.)
JavaScript
VBScript
Regular Expressions

7 There's so many lines of code to get right…
(find . \( -name "*.c" -o -name "*.h" \) -exec wc -l {} \; | awk '{ print $1 }' | xargs | tr ' ' '+' | tr -d '\n'; echo) | bc
PHP 5.2.6: 779,862
Ruby 1.8.7-p72: 214,829
PERL 5.8.8: 227,454
PCRE 7.8: 27,934

8
(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?: \r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:( ?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0 31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\ ](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+ (?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?: (?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) ?[ \t])*)*\ @,;:\\".\[\] \000-\031]+(?:(?:(?:\ r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n) ?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t] )*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])* )(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)
PCRE.org: lib for regular expression parsing and execution. Found in Apache, glibc, PHP, KDE, Exim, Postfix, Analog, Nmap… etc.
Had two widely publicized advisories: CVE-2005-2491 & CVE-2008-2371
{0,-99999999999999}

9 PCRE.org
Feb 17 2003: 1 overflow fix
Dec 1 2003: 1 overflow fix
Aug 1 2005: 2 overflow fixes
Feb 1 2006: 1 overflow fix
July 4 2006: 4 overflow fixes
Dec 6 2006: 1 overflow fix
Aug 28 2007: 2 overflow fixes
Jan 28 2008: 1 overflow fix
There will be more bugs!
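Slides 8 and 9 make the point that the quantifier `{0,-99999999999999}` is the kind of input that reached PCRE's repeat-count handling. One defensive habit for any service that accepts user-supplied patterns is to validate brace quantifiers before the pattern reaches the engine at all. The checker below is an added example written for this transcript, not code from the deck or from PCRE; it assumes PCRE's documented limit that repeat counts must be below 65536 (kept as a parameter so it can match another engine) and uses constructed sample patterns.

```python
import re
from typing import List, Optional, Tuple

# PCRE documents that repeat counts must be less than 65536; kept as a
# parameter so the check can track whichever engine sits behind the pattern.
PCRE_MAX_REPEAT = 65535

# A brace quantifier: {n}, {n,}, {n,m} or {,m}. Bounds are matched signed so a
# negative value is reported rather than silently treated as literal text.
_QUANT = re.compile(r"\{(-?\d+)?(?:(,)(-?\d+)?)?\}")

Finding = Tuple[int, str, str]  # (offset in pattern, quantifier text, reason)


def find_bad_quantifiers(pattern: str, max_repeat: int = PCRE_MAX_REPEAT) -> List[Finding]:
    """Return every brace quantifier in `pattern` whose bounds are out of range."""
    findings: List[Finding] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # An escaped character is never a quantifier: \{ is a literal brace.
            i += 2
            continue
        if ch == "{":
            m = _QUANT.match(pattern, i)
            # "{}" with nothing inside is not a quantifier; skip it.
            if m and (m.group(1) is not None or m.group(2) is not None):
                lo_s, comma, hi_s = m.group(1), m.group(2), m.group(3)
                lo = int(lo_s) if lo_s is not None else 0   # {,m} means {0,m}
                hi: Optional[int]
                if comma is None:
                    hi = lo                                 # {n}
                elif hi_s is None:
                    hi = None                               # {n,} is unbounded
                else:
                    hi = int(hi_s)                          # {n,m}
                reason = None
                if lo < 0 or (hi is not None and hi < 0):
                    reason = "negative bound"
                elif lo > max_repeat or (hi is not None and hi > max_repeat):
                    reason = "bound exceeds max repeat"
                elif hi is not None and hi < lo:
                    reason = "min greater than max"
                if reason:
                    findings.append((i, m.group(0), reason))
                i = m.end()
                continue
        i += 1
    return findings


# Constructed sample patterns: the deck's quantifier plus a few ordinary ones.
SAMPLE_PATTERNS = [
    "a{0,-99999999999999}",
    r"\d{1,3}\.\d{1,3}",
    "x{70000}",
    "a{5,2}",
    r"\{5,-1\}",
]

if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print(repr(p), "->", find_bad_quantifiers(p) or "ok")
```

The check is worth running before dispatch because engines disagree on malformed quantifiers: the vulnerable PCRE releases mishandled them, while Python's re module quietly treats an unparseable brace expression as literal text, so neither behaviour tells the caller that the pattern was bad.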

10

11 Ruby
rb_str_buf_append: CVE-2008-2662
rb_ary_store: CVE-2008-2663
rb_str_format: CVE-2008-2664
rb_ary_splice: CVE-2008-2725
rb_ary_splice: CVE-2008-2726
Bugs accredited to Drew Yao of Apple, but…
There will be more bugs!

12 Drew wasn’t the first… “jf” is Justin Ferguson

13 Python
David Remahl of Apple Product Security reported several integer overflows in core modules such as stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule and mmapmodule (CVE-2008-2315). He also reported an integer overflow in the hashlib module, leading to unreliable cryptographic digest results (CVE-2008-2316).
Justin Ferguson reported multiple buffer overflows in unicode string processing that only affect 32-bit systems (CVE-2008-3142). He also found multiple integer underflows and overflows in the PyOS_vsnprintf() function, and an off-by-one error when passing zero-length strings, leading to memory corruption (CVE-2008-3144).
The Google Security Team reported multiple integer overflows (CVE-2008-3143).

14 Python Shell…what? There will be more bugs!

15 PHP (yeah I know…too easy)

16 Month^H^H^H^HLife of PHP bugs
Number of MOPB PHP-specific vulns: 41
Number of MOPB vulns already fixed in previous releases (5.2.1/4.4.6): 22
Number of MOPB vulns fixed in recent 5.2.2/4.4.7 releases: 14
Number of MOPB vulns fixed but not listed in the recent release changelogs: 3
Number of days between MOPB end and next PHP release: 32
Number of post-MOPB bugs released by MOPB initiative: 1
Number of MOPB vulns not fixed: 5

17 Where were the bugs?
Extension lib function: 4
Internal VM: 15
Available-by-default native function: 22
Language parser: 0
VM byte code interpreter: 0
No more bugs!

18 Javascript
Has been done to death… Javascript fuzzers for everything!
HD Moore, Zalewski et al. have done fuzzing of Javascript DOM functions.
Jesse Ruderman (Mozilla) has released jsfuzzfun.
More things handle JS than you think.
There will be more bugs!

19 SQL
1. SQL Manipulation: manipulation is the process of modifying the SQL statements by using various operations such as UNION. Another way of implementing SQL injection using the SQL manipulation method is by changing the WHERE clause of the SQL statement to get different results.
2. Code Injection: code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
3. Function Call Injection: function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could make operating system calls or manipulate data in the database.
4. Buffer Overflows: buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is unpatched.
Article by Raheel Ahmad, July 5th 2008 on ezinearticles.com
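The first two classes on this slide, WHERE-clause manipulation and stacked-statement code injection, come down to whether the input is parsed as SQL or carried as data, and whether the driver runs more than one statement per request. The following is an added example written for this transcript (not from the deck or from the quoted article) using Python's standard sqlite3 module, an in-memory database and a constructed three-row users table; it places the vulnerable string-built query beside the parameterized one and shows that the driver's one-statement-per-execute rule fails closed on a stacked statement.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The weak form: the caller-controlled value is spliced into the SQL text,
    so a quote inside it rewrites the WHERE clause (the slide's class 1)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """The hardened form: the value travels as a bound parameter, is never
    parsed as SQL, and so cannot alter the statement's structure."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


def stacked_statement_rejected(conn: sqlite3.Connection, name: str) -> bool:
    """Class 2 on the slide needs the driver to run several statements per
    request. sqlite3's execute() accepts exactly one, so trailing SQL after
    the first statement raises instead of running; report whether it did."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        conn.execute(sql)
    except Exception:
        # Raised as sqlite3.Warning or sqlite3.ProgrammingError depending on
        # the Python version; either way the extra statement never executes.
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed WHERE-clause manipulation input
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_safe(db, probe))
    print("stacked statement rejected:", stacked_statement_rejected(db, "'; SELECT 'x'; --"))
```

The detection angle follows from the same split: a query whose structure changes with its input (a WHERE clause that suddenly compares two literals, or a request carrying two statements) is visible in query logs, whereas a parameterized statement always logs with the same shape.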

20 Where the bugs live..
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014)
At the semantic level… SQL parser bugs: SELECT * FROM breaki%nStuff WHERE AAAAAAAAAAAAAAAA='foo'
At the syntax level… SELECT [[[[[[[[[[[[[FOO] FROM WHATEVER
At the function, extended procedure, or native procedure level… "Access through Access" by Brett Moore
At the database kernel level, i.e. problems with primitive types, etc….

21 Only a server-side remote problem?
Firefox ships with v3.5.4.1 of SQLite.
SQLite v3.4.0 (June 2007) was a major security cleanup to remove all sprintf() and strcpy() calls from the code base.
There are 50 native functions in SQLite….
WebKit ships with its own implementation of a lightweight SQL engine.

22 HTML 5 == Job security “Abusing HTML 5 Structured Client-side Storage” by Alberto Trivero

23 Erik.Cabetas.com Thanks for Your time!

