Date: Tue, 01 May 2012 12:06:38 +0200
From: Maksymilian Arciemowicz <cxib@...ecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: cIFrex: How to use Regular Expressions in Research

cIFrex is a small script written in PHP that supports the search for
bugs during source code analysis. Using a database of filters based
on regular expressions, you can quickly locate code in which the
probability of failure is high. You just need to have the source
code on a computer with access to cIFrex in order to fully benefit
from the possibilities of the new methodology.

Since 2010, cIFrex has been used in my private research. Creating new
filters, I have discovered a lot of bugs like Resource Exhaustion in
libc, apache or vsftpd. The problem with recursion was very easy to
locate. In vsftpd and libc, the PoC contained '*' char.

-fnmatch()/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
  /* Any incoming string left means no match unless we ended on the correct
   * type of wildcard.
   */
  if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars have been used in the demonstration of the PoC for apache
and vsftpd. Intuitively, where there is a '*' char, there is also
recursion.

Recursion in fnmatch() and vsf_filename_passes_filter() can be
described by:

V1: (?:int |char |^)(?<v1>\w+)\(.*
T1: (?:if|while).*<v1>\(

To see all files where '*' was used, use the T2 pattern:

T2: .*\'\*\'.*

As a result, we retrieve a list of probably vulnerable files. But you
need more luck and good intuition.


Remember that cIFrex:
- only helps to search for the bugs
- the search results do not guarantee the appearance of the
susceptibilities
- the more exact the regular expression, the larger the probability of
the appearance of the susceptibilities


cIFrex may be used to catch bugs not only in the C language. Using a
filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*<v1>
F2: \(int\)\$_(?:POST|GET)\[.<v1>.\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or
SQL Injection (CWE-89) using:

V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>


List of filters
cIFrex filters are based on regular expressions, describing a given kind
of mistake together with the CWE identifiers
http://cxsecurity.com/cifrex/filters/


Download
http://cxsecurity.com/cifrex/#download

Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt


CWE Dictionary
http://cxsecurity.com/allcwe/


CVE Full Map
http://cxsecurity.com/cvemap/


More about the project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- 
Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@...b.net>
sub   4096R/58BA663C 2010-09-19
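
The SQL Injection filter quoted in the message above, applied to a small PHP sample. This is an added example, not cIFrex code and not part of the original post. It assumes that a V pattern locates a candidate and captures names, a T pattern must also match, and an F pattern discards the hit (the post does not spell these semantics out); the PHP sample and the helper names are constructed for illustration.

```python
import re

# Filter copied from the post (SQL injection, CWE-89). Assumed semantics:
# V finds a candidate and captures names, T must also match, F discards the hit.
SQLI_FILTER = {
    "V1": r"\$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]",
    "T1": r"mysql_query\(.*\$<v1>",
    "F1": r"addslashes.*\$<v1>",
}

# Constructed PHP sample: $id reaches mysql_query() raw, $name is escaped first.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$name = addslashes($name);
mysql_query("SELECT * FROM users WHERE id = $id");
mysql_query("SELECT * FROM users WHERE name = '$name'");
"""

def to_python(pattern):
    # PCRE writes named groups as (?<name>...), Python's re needs (?P<name>...).
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

def bind(pattern, captures):
    # Substitute <v1>, <v2>... placeholders with the escaped captured text.
    for name, value in captures.items():
        pattern = pattern.replace("<%s>" % name, re.escape(value))
    return pattern

def scan(source, flt):
    """Return (line_number, captures) for every V1 hit that survives T and F."""
    findings = []
    v1 = re.compile(to_python(flt["V1"]))
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = v1.search(line)
        if not m:
            continue
        caps = m.groupdict()
        checks = {k: bind(p, caps) for k, p in flt.items() if k != "V1"}
        required = all(re.search(p, source) for k, p in checks.items() if k[0] == "T")
        excluded = any(re.search(p, source) for k, p in checks.items() if k[0] == "F")
        if required and not excluded:
            findings.append((lineno, caps))
    return findings

if __name__ == "__main__":
    for lineno, caps in scan(SAMPLE_PHP, SQLI_FILTER):
        print("line %d: $%s from request key %s" % (lineno, caps["v1"], caps["v2"]))
```

Only `$id` is reported: `$name` also reaches `mysql_query()`, but the F1 pattern sees `addslashes` applied to it and drops the hit. A hit is a place to start a manual review, since the patterns match text and do not follow data flow.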
