An Overview of Interpreted Language Vulns
Erik Cabetas

What is going on here?
• A fairly high-level discussion of the security bug classes that have been found in some interpreted languages in the last couple of years.
• To bring awareness about these problems.
• Prognostications as to where we're going to find more vulns.
• Dominique Brezinski (BH.jp 05) and Justin Ferguson (ph-neutral 08).

What exactly is an "Interpreted Language"?
• You start out with HLL (high-level language) source code.
• At some point in time you want to execute it... so:
  – The source code goes through a language-specific JIT compiler and is turned into byte code (optimized ASTs).
  – The byte code gets run through a VM (optimized execution).
  – The VM references external library functionality.
  – The native executable code is produced.
  – Stuff executes.

A Picture of said process
(diagram slide; the picture did not survive text extraction)

We're not talking about...
• Any sort of pre-compiled languages (C, C++, Fortran, PCL, Assembly)
• Any sort of pre-runtime compiled intermediate language: .NET, Java, JSPs, etc.
• Vulnerabilities in language Frameworks/Libraries (Struts, Spring, etc.)

So then we're left with these kinds of languages..
• Ruby
• Perl
• PHP
• Python
• SQL (PL/SQL, T-SQL, etc.)
• JavaScript
• VBScript
• Regular Expressions

There are so many lines of code to get right...
• (find . \( -name "*.c" -o -name "*.h" \) -exec wc -l {} \; | awk '{ print $1 }' | xargs | tr ' ' '+' | tr -d '\n'; echo) | bc
• PHP 5.2.6: 779,862
• Ruby 1.8.7-p72: 214,829
• PERL 5.8.8: 227,454
• PCRE 7.8: 27,934

PCRE.org
• Lib for Regular Expression parsing and execution.
• Found in Apache, GLibc, PHP, KDE, Exim, Postfix, Analog, Nmap... etc.
• Had two widely publicized advisories: CVE-2005-2491 & CVE-2008-2371
• {0,-99999999999999}
(The slide background shows the well-known RFC 822 address-matching regex, wrapped as on the slide:)
(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:
\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(
?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[
\t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0
31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\
](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+
(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:
(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z
|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)
?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\
r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[
\t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)
?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t]
)*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[
\t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*
)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)

PCRE.org
• Feb 17 2003: 1 overflow fix
• Dec 1 2003: 1 overflow fix
• Aug 1 2005: 2 overflow fixes
• Feb 1 2006: 1 overflow fix
• July 4 2006: 4 overflow fixes
• Dec 6 2006: 1 overflow fix
• Aug 28 2007: 2 overflow fixes
• Jan 28 2008: 1 overflow fix

Ruby
• rb_str_buf_append: CVE-2008-2662
• rb_ary_store: CVE-2008-2663
• rb_str_format: CVE-2008-2664
• rb_ary_splice: CVE-2008-2725
• rb_ary_splice: CVE-2008-2726
• Bugs credited to Drew Yao of Apple
• but... Drew wasn't the first...
• "jf" is Justin Ferguson

Python
• David Remahl of Apple Product Security reported several integer overflows in core modules such as stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule (CVE-2008-2315); he also reported an integer overflow in the hashlib module, leading to unreliable cryptographic digest results (CVE-2008-2316).
• Justin Ferguson reported multiple buffer overflows in unicode string processing that only affect 32-bit systems (CVE-2008-3142). He also found multiple integer underflows and overflows in the PyOS_vsnprintf() function, and an off-by-one error when passing zero-length strings, leading to memory corruption (CVE-2008-3144).
• The Google Security Team reported multiple integer overflows (CVE-2008-3143).

Python Shell...what?

PHP (yeah I know...too easy)

Month^H^H^H^HLife of PHP bugs
• Number of MOPB PHP-specific vulns: 41
• Number of MOPB vulns already fixed in previous releases (5.2.1/4.4.6): 22
• Number of MOPB vulns fixed in recent 5.2.2/4.4.7 releases: 14
• Number of MOPB vulns fixed but not listed in the recent release changelogs: 3
• Number of days between MOPB end and next PHP release: 32
• Number of post-MOPB bugs released by MOPB initiative: 1
• Number of MOPB vulns not fixed: 5

Where were the bugs?
• Extension lib function: 4
• Internal VM: 15
• Available-by-default native function: 22
• Language Parser: 0
• VM Byte code interpreter: 0

Javascript
• Has been done to death... Javascript fuzzers for everything!
• HD Moore, Zalewski et al. have done fuzzing of javascript DOM functions.
• Jesse Ruderman (Mozilla) has released jsfuzzfun.
• More things handle JS than you think

SQL
• 1. SQL Manipulation: manipulation is the process of modifying the SQL statements by using various operations such as UNION. Another way of implementing SQL injection using the SQL manipulation method is by changing the WHERE clause of the SQL statement to get different results.
• 2. Code Injection: code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
• 3. Function Call Injection: function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulating data in the database.
• 4. Buffer Overflows: buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is unpatched.
• Article by Raheel Ahmad, July 5th 2008 on ezinearticles.com

Where the bugs live..
• Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014)
• At the Semantic level... SQL Parser bugs: SELECT * FROM breaki%nStuff WHERE AAAAAAAAAAAAAAAA='foo'
• At the Syntax level.... SELECT [[[[[[[[[[[[[FOO] FROM WHATEVER
• At the function, extended procedure, or native procedure level.... "Access through Access" by Brett Moore
• At the database kernel level, i.e. problems with primitive types, etc....

Only a server-side remote problem?
• Firefox ships with v3.5.4.1 of SQLite
• SQLite v3.4.0 was a major security cleanup to remove all sprintf() and strcpy() calls in the code base in June 2007.
• There are 50 native functions in SQLite....
• WebKit ships with its own implementation of a lightweight SQL engine.

HTML 5 == Job security
• "Abusing HTML 5 Structured Client-side Storage" by Alberto Trivero

Erik.Cabetas.com
Thanks for Your time!
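The first two SQL injection classes quoted from the article above (WHERE-clause manipulation and stacked-statement code injection), shown from the defender's side as an added example; this is not code from the slides or from the cited article. It uses Python's standard sqlite3 module against a constructed in-memory table; the table and column names, the sample rows and the test inputs are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the slides.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's string is spliced into the WHERE clause,
    so the database parses it as SQL (the 'SQL manipulation' class)."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, so it can only ever match a literal name."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def stacked_statement_refused(conn, name):
    """The 'code injection' class needs the driver to run several statements
    per request.  sqlite3's execute() refuses a string holding more than one
    statement (sqlite3.Warning on older Pythons, ProgrammingError on newer),
    which is one reason that class fails here; executescript() would not
    refuse, so it must never see user-controlled text."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    try:
        conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print("concat :", lookup_concat(db, tautology))  # every row comes back
    print("param  :", lookup_param(db, tautology))   # no row has that literal name
    stacked = "x'; SELECT 1; --"  # constructed input carrying a second statement
    print("stacked refused:", stacked_statement_refused(make_db(), stacked))
```

The point a reviewer looks for is the boundary: in lookup_param the text never reaches the SQL parser, so neither class of attack has anything to work with, whereas lookup_concat relies entirely on the input being well behaved.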