Deadly Programming Language Vulnerabilities

Deadly Programming Language Vulnerabilities

  • Home
  • Blog
  • Deadly Programming Language Vulnerabilities

Deadly Programming Language Vulnerabilities

zemarkhos-blog-deadly-programming-language-vulnerabilities

In this article, we will discuss the functions frequently used in programming languages and their vulnerabilities. In addition, we will include how we can modify our codes to prevent these vulnerabilities from occurring.

Python

First, we'll look at some of the functions in Python. Here input, we'll consider str.format, eval, and its executions. The deficits that we encounter in Python can usually be examined under the title "Code Execution." Examples written for vulnerabilities mentioned in the input are written using Python 3, except for the function. InputPython 2 is used for this function.

input()

We use this function to get data from the user. You can see the example below.

res = input("Guess the number: ")
The input function, which is the same in Python 2 and 3, converts the data received in Python 2 to string in Python 3 directly. We can illustrate its use in Python 2 as follows.

import random
secret_number = random.randint(1,500)
print "Pick a number between 1 to 500"
while True:
    res = input("Guess the number: ")
    if res==secret_number:
        print "You win"
        break
    else:
        print "You lose"
        continue
When the above code is executed, an input is waiting for you. You can see that when secret_numberit is written instead of the desired input, it prints the "You win"text on the screen . This shows us that its inputfunction can execute code. Do we have a chance to close this gap? The main reason that this deficit did not occur in Python 3 was that it converted a string over the value that the input function takes. The first solution that came to my mind at this point was as follows.

int(input("Guess the number: "))
However, with this statement, you can see that the same gap continues when the code is run. The raw_inputfunction can be used in Python 2 to close this gap .

raw_input("Guess the number: ")
In Python 3, this open in the input function is closed and its raw_inputfunction is disabled.

str.format ()
This function is used to format string expressions.

text = "hello {name}"
print(text.format(name = "word"))
The output of the above example is as follows.

hello word
However, in this function, we also "Code Execution"encounter a deficit. When we "word"replace it in the code example above locals(), we will get an output like the one below.

hello {'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x0000025F5EF04550>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '.\\strformat.py', '__cached__': None, 'secret': 'IAMPASSWORD', 'text': 'hello {name}'}
In order to avoid this gap, format string it should not be used in places where data is received from the user .

eval()
This function ensures that an expression given as a string is executable.

eval("print('hello')")
It is generally used in applications to perform mathematical operations. The fact that this function is code executable does not indicate that it contains a vulnerability. What is important at this point is how it is used in the application. For example, if we use it in a place where we receive input from the user, we will create a security vulnerability.

eval(input("Write mathematical expression"))
If evalthe ast.literal_evalfunction is used instead , the process is performed by checking whether there are python data structures for the expressions given as input.

exec()
This function evalallows us to execute code as in the function. Using the same methods, the vulnerability in practice can be exploited. So what's the difference between these two functions? First, the evalfunction runs single expression . However, the execfunction can run a block of code. You can see an example below.

prog = 'a=5\nb=10\nprint(a+b)'
exec(prog)
Another difference is the evalresult of the expression it runs as the return value, execif it always nonereturns, execit is not important for the return value .

C
Secondly, we will examine the functions in C. Here gets, we will discuss the strcpy, strcatand printffunctions. As can be seen below, the deficits in these functions in C language are related to buffer overflow .

gets()
This function is used to receive input from the user.

int main(){
   char name[10];
   gets(name);
}
As in the example, we gets()cannot make any limitations on the size of the data received using the function. Not limiting the data can cause overflow. To prevent this, the same functioning fgets()method can be used.

int main(){
  char name[10];
  fgets(name, 10, stdin);
}
As can be seen in the example, it can fgets()take length information as a parameter, so dynamically, space can be reserved for the buffer or length information can be entered according to the allocated location. In this way, the buffer overflow attack can be prevented.

strcpy()
This function helps us copy one string expression into another string expression. However gets(), as the function does not limit the size of the source and destination string values, buffer overflow gap may occur.

int main(){
   char name[10];
   strcpy(name, "hello");
}
strcpy()If the function strlcpy()is used instead of the function, the size of the string expression to be copied is limited, as in the example below.

int main(){
   char name[10];
   strlcpy(name, "hello", 10);
}
strcat()
This function is used to combine two string expressions.

int main(){
   char first[10] = "hello ";
   char second[10] = "word";
   strcat(first, second);
   printf("%s", first);
}
The output of the above code is as follows.

hello word
strcpy()If the length of the source variable is not limited as in the function, there is a possibility of exceeding the length of the destination variable where the concatenated expressions will be omitted. This means that buffer overflow attacks can be made.

printf()
This function is used to write on the screen.

int main(){
    char name[10];
    gets(name);
    printf(name);
}
In the example above, we can do it by entering the format parameters instead of the name information received from the user "Format String Attack"and we can pull the data stored in the stack. For example, "%s"we can see the string kept in the stack when we output it instead of the name when we output it.

printf("%s", name);
With the slight change in the example, we can secure the code written. The first step to be taken in order not to be a target of string format attack is to ensure that the number of variables corresponding to the parameters is equal in the format parameters and the functions that use these parameters. Data received from the user should not be used directly in these functions .

PHP
Finally Situated in PHP preg_replaceand assertwill consider functions.

preg_replace()
This function helps us make changes to a string expression.

<?php
   $text = 'The quick brown fox jumped over the lazy dog.';
   echo "ORIGINAL: ".$text."<br>";
   $reg[1] = '/brown/';
   $reg[0] = '/fox/';
   $news[0] = 'bear';
   $news[1] = 'black';
   ksort($reg);
   ksort($news);
   echo "RESULT: ".preg_replace($reg, $news, $text)."<br>";
?>
The output of the code given above is as follows.

ORIGINAL: The quick brown fox jumped over the lazy dog.
RESULT: The quick black bear jumped over the lazy dog.
As can be understood from the example, this function, which allows us to make changes on the expressions easily, can run regex expressions.

$another= $_GET["another"];
foreach($another as $which=>$with){
   echo "<br>RESULT: ".preg_replace($which, $with, $text)."<br>";
}


We can see the data we receive from the user in the address bar when we run it after adding the above lines to our example. When we edit this data as follows, its system('id')function is executed.

results

The output of the working code is as follows.

ORIGINAL: The quick brown fox jumped over the lazy dog.
RESULT: The quick black bear jumped over the lazy dog.
uid=1(daemon) gid=1(daemon) groups=1(daemon) SON HALİ: The quick black bear jumped over the lazy uid=1(daemon) gid=1(daemon) groups=1(daemon).
By changing the imodifier in the link, the edesired PHP function is enabled to work. When we use the preg_replace function as below, it system('id')cannot execute its function.

preg_replace ( '#' . preg_quot to ( $ what , '#' ). '#' , $ with what , $ text );
preg_quote'\'brings the function to special characters . The special characters include ". \ + * ? [ ^ ] $ ( ) { } = ! < > | : -".the aforementioned iand ethe modifier contained in PHP "pattern modifier" is on. Of these i, it eis used for letters, while evalit represents its function.

assert()
This function checks whether the expression given is true, if it is true, it moves to the next line, if it is false, it stops the program from running with an error message. assertThe assertions value in "Assertion" must be changed to $ 1 $ to run the function.

<?php
assert(print("HELLO"));
?>


As can be seen in the example above, it can run any expression inside. So we evalcan compare it to its function. We "Code Execution"can easily see the deficit in front of us . In order not to become dangerous for the application, the assertfunction can be disabled or the data received at a point where the user receives data can be checked.

<?php
assert($val = $_GET['val']);
?>


In the example above, assertwe can see that data is received from the user. system('id')This code is executed if the user enters as a data value . If the entered value appears again in another place, system('id')we see the result of the function we wrote in this field .