Security expert discovered severe flaws in most popular programming languages that could expose to hack any secure application built on top of them.
Last week, IOActive Senior Security Consultant Fernando Arnaboldi presented at the Black Hat Europe 2017 security conference the results of an interesting research about vulnerabilities in several popular interpreted programming languages.
The idea behind this excellent study is that securely developed applications may be affected by unidentified vulnerabilities in the underlying programming languages that could be triggered by attackers.
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer application. The experts then monitor for exceptions such as crashes or failing built-in code assertions or for finding potential memory leaks.
Below the list of Programming languages tested by the researcher with the fuzzing technique.
Arnaboldi developed a custom “differential fuzzer” XDiFF (Extended Differential Fuzzing Framework) that was specifically designed to test structure of programming languages.
The expert released XDiFF as an open source project on GitHub.
The experts identified most basic functions the programming languages and tested them with the XDiFF fuzzer.
“Before execution, the fuzzer generates all possible test cases by performing a
permutation between functions and payloads. The test cases combined one function of
the programming language at the time with different payloads” reads the research paper titled “Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing.”
“Finding interesting vulnerabilities is entirely dependent on choosing the correct input,” Arnaboldi explained. “For this testing, less than 30 primitive values were used (i.e. a number, a letter, etc.) combined with special payloads. These special payloads were defined so as to help identify when the software attempted to access external resources.”
Before execution, the fuzzer generates all possible test cases by performing a
permutation between functions and payload that were tuned to expose vulnerabilities in the programming languages.
“The test cases combined one function of the programming language at the time with different payloads.” continues the paper.
Arnaboldi exposed severe vulnerabilities in all the programming languages he analyzed with his fuzzer, he discovered the following issues:
- Python contains undocumented methods and local environment variables that can
be used for OS command execution.
- Perl contains a typemaps function that can execute code like eval().
- NodeJS outputs error messages that can disclose partial file contents.
- JRuby loads and executes remote code on a function not designed for remote
- PHP constant’s names can be used to perform remote command execution.
“Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters,” says Arnaboldi.
According to Arnaboldi, an attacker can exploit these flaws to hack even the most secure applications built on top of these programming languages.
“Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee,” concludes the expert. “Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”
(Security Affairs – Programming Languages, hacking)