Full Disclosure mailing list archives

cIFrex: How to use Regular Expressions in Research


From: Maksymilian Arciemowicz <cxib () cxsecurity com>
Date: Tue, 01 May 2012 12:06:38 +0200

cIFrex is a small script written in PHP that supports searching for bugs
during source code analysis. Using a database of filters based
on regular expressions, you can quickly locate code in which the
probability of failure is high. You just need to have the source
code on a computer with access to cIFrex in order to
fully benefit from the possibilities of the new methodology.

Since 2010, cIFrex has been used in my private research. Creating new
filters, I have discovered a lot of bugs like Resource Exhaustion in
libc, apache or vsftpd. The problem with recursion was very easy to
locate. In vsftpd and libc, the PoC contained the '*' char.

-fnmatch()/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
  /* Any incoming string left means no match unless we ended on the correct
   * type of wildcard.
   */
  if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars have been used in the demonstration of PoC for apache
and vsftpd. According to intuition, where there is a '*' char there is
also recursion.

Recursion in fnmatch() and vsf_filename_passes_filter() can be
described by:

V1: (?:int |char |^)(?<v1>\w+)\(.*
T1: (?:if|while).*<v1>\(

To see all files where '*' was used, use the T2 pattern:

T2: .*\'\*\'.*

As a result, we retrieve a list of probably vulnerable files. But you
need more luck and good intuition.


Remember that cIFrex:
- only helps to search for bugs
- the search results do not guarantee the appearance of
susceptibilities
- the more exact the regular expression, the larger the probability of
the appearance of susceptibilities


cIFrex may be used to catch bugs not only in the C language. Using a filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*<v1>
F2: \(int\)\$_(?:POST|GET)\[.<v1>.\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or
SQL Injection (CWE-89) using:

V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>


List of filters
cIFrex filters are based on regular expressions, describing a given kind
of mistake together with the CWE identifiers
http://cxsecurity.com/cifrex/filters/


Download
http://cxsecurity.com/cifrex/#download

Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt


CWE Dictionary
http://cxsecurity.com/allcwe/


CVE Full Map
http://cxsecurity.com/cvemap/


More about the project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- 
Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max () cxib net>
sub   4096R/58BA663C 2010-09-19
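
The XSS and SQL injection filters quoted in the post above, run over a small constructed PHP sample. This is an added example, not cIFrex's own code and not part of the original message. It assumes that V patterns capture named values, every T pattern must match somewhere in the same file, and no F pattern may match; `to_py`, `scan` and the sample file are hypothetical names and data introduced here.

```python
import re

def to_py(pattern):
    # PCRE named groups are (?<v1>...); Python's re spells them (?P<v1>...).
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

def scan(source, v, t=(), f=()):
    """Assumed semantics: keep a V capture only if every T pattern matches
    somewhere in the file and no F pattern does."""
    hits = []
    for m in re.finditer(to_py(v), source, re.MULTILINE):
        caps = m.groupdict()

        def bind(p):
            # Replace each <vN> placeholder with the escaped captured text.
            for name, val in caps.items():
                p = p.replace("<%s>" % name, re.escape(val or ""))
            return to_py(p)

        if all(re.search(bind(p), source) for p in t) and \
           not any(re.search(bind(p), source) for p in f):
            hits.append(caps)
    return hits

# Filters copied from the post.
XSS_V1 = r"(.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)"
XSS_F = [r"htmlspecialchars.*<v1>", r"\(int\)\$_(?:POST|GET)\[.<v1>.\]"]
SQLI_V1 = r"\$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]"
SQLI_T = [r"mysql_query\(.*\$<v1>"]
SQLI_F = [r"addslashes.*\$<v1>"]

# Constructed PHP sample (not from the post).
SAMPLE_PHP = r'''<?php
echo "Hello " . $_GET['name'];
echo htmlspecialchars($_GET['title']);
echo "Page " . (int)$_GET['page'];
$id = $_GET['id'];
mysql_query("SELECT * FROM t WHERE id=" . $id);
$q = $_POST['q'];
$q = addslashes($q);
mysql_query("SELECT * FROM t WHERE s='" . $q . "'");
'''

def xss_candidates(src=SAMPLE_PHP):
    return [h["v1"] for h in scan(src, XSS_V1, f=XSS_F)]

def sqli_candidates(src=SAMPLE_PHP):
    return [h["v1"] for h in scan(src, SQLI_V1, t=SQLI_T, f=SQLI_F)]

if __name__ == "__main__":
    print("XSS:", xss_candidates(), "SQLi:", sqli_candidates())
```

Because the F patterns are checked against the whole file, a sanitising call anywhere in the file suppresses every use of that name, so a clean result still needs manual review.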
