Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Databases

TALK ABSTRACT - Erik Cabetas

advertisement 
TALK ABSTRACT
The idea of this talk is to expand upon the recent vulnerabilities disclosed in the ruby and
pythons language as well as discuss other languages and potential areas of vulnerability
within them.
TALK SUMMARY
Prognostication and Challenges: Vulnerabilities in interpreted languages.
I’d like to cover in this presentation is examining the problem of interpreted language
vulnerabilities as whole with the mindset of the “same bug class...different
language…different scenario”.
Other work in this area has been done by: Dominique Brezinski (BH.jp 05) and Justin
Ferguson (ph-neutral 08).
GENERAL FLOW
1. “Vulnerabilities in application interpreters and runtimes.” by Erik Cabetas
2. What we’ll be touching on...
What we will not be covering:
 Any sort of pre-compiled languages
(C, C++, Fortran, PCL, Assembly)
 Any sort of intermediate language compiled language (pre-runtime).
.NET, Java, JSPs, etc.
 Vulnerabilities in language Framework/Libraries (Struts, Spring, etc.)
Interpreted languages (JIT runtimes):
 Ruby
 Perl
 PHP
 Python
 SQL (PL/SQL, T-SQL, etc.)
 JavaScript
 VBScript
3. We should go over what an interpreted language is what how it gets translated and
then turn into machine code, this should be done completely for at least for one
language. This will give the high-level audience (i.e. managers that do not have
technical background) a brief look into what goes on at lower levels of the
language’s execution.
4. We should summarize the activities in the area of interpreted language
vulnerabilities for this past year two years.
(find . \( -name "*.c" -o -name "*.h" \) -exec wc -l {} \;|awk '{ print $1 }' |xargs|tr '
' '+'|tr -d '\n' ;echo)|bc
PHP 5: 779,862
Ruby 1.8.7-p72: 214,829
PERL 5.8.8: 227,454
PCRE 7.8 27,934
a. Regular Expressions
PCRE.org library
Apache, PHP, KDE, Postfix, Analog, and Nmap.
CVE-2005-2491
CVE-2008-2371
Search for “overflow” in change log of PCRE:
Jan 28 2008 – 1 overflow fix
Aug 28 2007 – 2 overflow fixes
Dec 6 2006 – 1 overflow fix
July 4 2006 – 4 overflow fixes
Feb 1 2006 – 1 overflow fix
Aug 1 2005 – 2overflow fixes
Dec 1 2003 – 1 overflow fix
Feb 17 2003 – 1 overflow fix
b. We have seen vulnerabilities published in ruby
Review published Ruby vulns
Show bignum bug and possibly any regex bugs
rb_str_buf_append
CVE-2008-2662
rb_ary_store
CVE-2008-2663
rb_str_format
CVE-2008-2664
rb_ary_splice
CVE-2008-2725
rb_ary_splice
CVE-2008-2726
c. Multiple vulnerabilities were discovered in Python:
David Remahl of Apple Product Security reported several integer overflows in
core modules such as stringobject, unicodeobject, bufferobject, longobject,
tupleobject, stropmodule, gcmodule, mmapmodule (CVE-2008-2315).
David Remahl of Apple Product Security also reported an integer overflow in
the hashlib module, leading to unreliable cryptographic digest results (CVE2008-2316).
Justin Ferguson reported multiple buffer overflows in unicode string
processing that only affect 32bit systems (CVE-2008-3142).
The Google Security Team reported multiple integer overflows (CVE-20083143).
Justin Ferguson reported multiple integer underflows and overflows in the
PyOS_vsnprintf() function, and an off-by-one error when passing zero-length
strings, leading to memory corruption (CVE-2008-3144).
d. MoPB showed that the PHP development group made a ton of silent fixes
to the language runtime without publicly disclosing and also chose not to
fix five vulnerabilities by rewriting the PHP architecture because it would
have broken all backwards compatibility with 3rd party binary modules for
PHP (Zend et. al.).
http://www.communities.hp.com/securitysoftware/blogs/jeff/archive/2007/05/
08/MOPB-Followup_3A00_-PHP-releases-fixed-versions.aspx
http://www.communities.hp.com/securitysoftware/blogs/jeff/archive/2007/04/
03/The-current-state-of-PHP-security-_2800_w_2F00_-MOPB-fullreview_2900_.aspx
e. What about SQL?
In an article by Raheel Ahmad he states there are four things you can do in a
SQL injection vulnerability scenario:
1. SQL Manipulation: manipulation is process of modifying the SQL
statements by using various operations such as UNION .Another way for
implementing SQL Injection using SQL Manipulation method is by changing
the where clause of the SQL statement to get different results.
2. Code Injection: Code injection is process of inserting new SQL statements
or database commands into the vulnerable SQL statement. One of the code
injection attacks is to append a SQL Server EXECUTE command to the
vulnerable SQL statement. This type of attack is only possible when multiple
SQL statements per database request are supported.
3. Function Call Injection: Function call injection is process of inserting
various database function calls into a vulnerable SQL statement. These
function calls could be making operating system calls or manipulate data in
the database.
4. Buffer Overflows: Buffer overflow is caused by using function call
injection. For most of the commercial and open source databases, patches are
available. This type of attack is possible when the server is un-patched
http://ezinearticles.com/?Hardening-Your-Web-Application-Against-SQLInjections&id=1301170
f. We have new second order attack techniques for getting cod execution!
i. http://www.microsoft.com/technet/security/bulletin/ms04014.mspx
ii. At the Semantic level…SQL Parser bugs SELECT * FROM
breaki%nStuff WHERE foo=’bar’
iii. At the Syntax level….SELECT [[[[[[[[[[[[[FOO] FROM
WHATEVER
iv. At the function, extended procedure, or native procedure level….
“Access through Access” by Brett Moore
v. At the database kernel level i.e. problems with primitive type
problems, etc….
https://qspace.library.queensu.ca/bitstream/1974/1359/1/Shahriar_Hossain
_200808_MSc.pdf
5. Talking about javascript, sql, and mentioning VBScript.
Firefox ships with v3.5.4.1 of SQLite
SQLite v3.4.0 a major security cleanup to remove all sprintf() and strcpy() calls in the
code base.
There are 50 native functions in SQLite….
WebKit ships with it’s own implementation of a lightweight SQL engine.
WebKit ships with a fork of PRCE code. The code was stripped of non-supported
RegEx syntax and no upstream patches have been released since November 2007.
Stack overflows are still being found in the new fork:
https://bugs.webkit.org/show_bug.cgi?id=12611
Client-side interpreted language bugs:
http://packetstormsecurity.org/papers/general/html5whitepaper.pdf
javascript threading issues
html 5
6. We should cover the future of where interpreted language vulnerabilities might
take us. IMHO this means
http://en.wikipedia.org/wiki/Interpreted_language
DEMONSTRATIONS
Ideally, the perfect demonstration would be a completely secure web application that
does not look like it's doing anything in an insecure manner and is still vulnerable to
attack.
CALLING YOU OUT - AREAS OF RESEARCH
1) SQL fuzzers for everything! Oracle has a mutation fuzzer internally.
2) Javascript fuzzers for everything! HD Moore, Zalewski Et. Al. have done fuzzing
of javascript DOM functions, Jesse Ruderman(Mozilla) has released jsfuzzfun.
3) Analysis of the Architecture interpreted language runtimes which one has a more
secure architecture for primitive types?
var db = openDatabase("notes", "", "The Example Notes App!", 1048576);
function renderNotes() {
db.transaction(function(tx) {
tx.executeSql('CREATE TABLE IF NOT EXISTS Notes(title TEXT, body TEXT)',
[]);
tx.executeSql(‘SELECT * FROM Notes’, [], function(tx, rs) {
for(var i = 0; i < rs.rows.length; i++) {
renderNote(rs.rows[i]);
}
});
});
}
function insertNote(title, text) {
db.transaction(function(tx) {
tx.executeSql('INSERT INTO Notes VALUES(?, ?)', [ title, text ],
function(tx, rs) {
// …
},
function(tx, error) {
reportError('sql', error.message);
});
});
}
280 bugs, 24 of which were exploitable.
MoPB
1) Internal VM kernel
2) Internal VM kernel
3) Internal VM kernel
4) Default Available Native function
5) Default Available Native function
8) Default Available Native function
9) Default Available Native function
10) Internal VM kernel
11) Internal VM kernel
13) Extention lib function
14) Default Available Native function
15) Default Available Native function
16) Internal VM kernel
17) Extention lib function
18) Default Available Native function
19) Extention lib function
20) Internal VM kernel
21) Internal VM kernel
22) Default Available Native function
23) Internal VM kernel
24) Default Available Native function
25) Default Available Native function
26) Default Available Native function
27) Extention lib function
28) Default Available Native function
29) Default Available Native function
30) Internal VM kernel
31) Internal VM kernel
32) Internal VM kernel
33) Default Available Native function
34) Default Available Native function
35) Default Available Native function
36) Internal VM kernel
37) Default Available Native function
38) Default Available Native function
39) Default Available Native function
40) Default Available Native function
41) Default Available Native function
42) Default Available Native function
43) Internal VM kernel
44) Internal VM kernel
Related documents
CDT Core Decision Technolgies Inc
CDT Core Decision Technolgies Inc
Automated Security Testing with Formal Threat Models
Automated Security Testing with Formal Threat Models
To change the primary key using Table Designer (the semantic
To change the primary key using Table Designer (the semantic
ABERDEENSHIRE, MORAY, ANGUS, HIGHLANDS, ORKNEY,
ABERDEENSHIRE, MORAY, ANGUS, HIGHLANDS, ORKNEY,
Database Performance
Database Performance
01 Introduction to Databases
01 Introduction to Databases
DBT Exams DBT SQL Admin
DBT Exams DBT SQL Admin
Job Title: Application Developer Department Name: Development
Job Title: Application Developer Department Name: Development
here
here
Abstract
Abstract
Download
advertisement