lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4F9FB5AE.6020900@cxsecurity.com>
Date: Tue, 01 May 2012 12:06:38 +0200
From: Maksymilian Arciemowicz <cxib@...ecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: cIFrex: How to use Regular Expressions in Research

cIFrex is a small script written in PHP, which supports search for bugs
in the analysis of the source code. Using the database of filters based
on regular expressions, you can quickly locating the code, in which the
probability of failure is high. You will just need to have the source
code on a computer with the access to cIFrex in order to be able to
fully benefit from the possibilities of the new methodology.

Since 2010, cIFrex has been used in my private research. Creating new
filters, I have discovered a lot of bugs like Resource Exhaustion in
libc, apache or vsftpd. The problem with recursion was very easy to
locate. In vsftpd and libc, the PoC contained '*' char.

-fnmatch()/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
  /* Any incoming string left means no match unless we ended on the correct
   * type of wildcard.
   */
  if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars have been used in the demonstration of PoC for apache
and vsftpd. According to intuition, where is '*' char also is a recursion.

Recursion in fnmatch() and vsf_filename_passes_filter(), can be
described by:

V1: (?:int |char |^)(?<v1>\w+)\(.*
T1: (?:if|while).*<v1>\(

to see all files, where '*' was used, use T2 pattern

T2: .*\'\*\'.*

in result, we retrieve a list of probably vulnerable files.  But you
need more luck and good intuition.


Remember that cIFrex:
- only helps to search for the bugs
- the search results does not guarantee the appearance of the
susceptibilities
- the more exact the regular expression, the larger probability of the
appearance of the susceptibilities


cIFrex may be used to catch bugs not only in C language. Using filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*<v1>
F2: \(int\)\$_(?:POST|GET)\[.<v1>.\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or
SQL Injection (CWE-89) using:

V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>


List of filters
cIFrex filters are based on regular expressions, describing given kind
of mistake together with the CWE identifiers
http://cxsecurity.com/cifrex/filters/


Download
http://cxsecurity.com/cifrex/#download

Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt


CWE Dictionary
http://cxsecurity.com/allcwe/


CVE Full Map
http://cxsecurity.com/cvemap/


More about project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- 
Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@...b.net>
sub   4096R/58BA663C 2010-09-19

Download attachment "0xD6E5B530.asc" of type "application/pgp-keys" (3086 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ