cIFrex is a small script written in PHP that helps find bugs during source-code analysis. Using a database of filters based on regular expressions, you can quickly locate code in which the probability of a flaw is high. To make full use of the methodology you only need the source code on a computer that has access to cIFrex.

Since 2010, cIFrex has been used in my private research. While creating new filters, I have discovered a lot of bugs, such as resource exhaustion in libc, apache and vsftpd. The problem with recursion was very easy to locate. In vsftpd and libc, the PoC contained the '*' character.

-fnmatch()/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
/* Any incoming string left means no match unless we ended on the correct
 * type of wildcard. */
if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars were used in the PoC demonstrations for apache and vsftpd. Intuitively, where there is a '*' character there is also recursion. The recursion in fnmatch() and vsf_filename_passes_filter() can be described by:

V1: (?:int |char |^)(?<v1>\w+)\(.*
T1: (?:if|while).*<v1>\(

To see all files where '*' was used, use the T2 pattern:

T2: .*\'\*\'.*

As a result, we retrieve a list of probably vulnerable files. But you still need some luck and good intuition.

Remember that cIFrex:
- only helps to search for bugs
- the search results do not guarantee the presence of a vulnerability
- the more exact the regular expression, the higher the probability that a match is a real vulnerability

cIFrex may be used to catch bugs not only in the C language. Using a filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*<v1>
F2: \(int\)\$_(?:POST|GET)\[.<v1>.\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities.
Or SQL Injection (CWE-89) using:

V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>

List of filters
cIFrex filters are based on regular expressions describing a given kind of mistake, together with the CWE identifiers:
http://cxsecurity.com/cifrex/filters/

Download
http://cxsecurity.com/cifrex/#download
Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt

CWE Dictionary
http://cxsecurity.com/allcwe/

CVE Full Map
http://cxsecurity.com/cvemap/

More about the project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- 
Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx) <max@xxxxxxxx>
sub 4096R/58BA663C 2010-09-19
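The V/T/F filter scheme described in the post, as an added worked example that is not part of the original post and not cIFrex's own PHP code. It is a small Python re-implementation of the idea: a V pattern is matched line by line and binds the named captures, every T pattern (with <v1>, <v2> substituted) must then match somewhere in the same file, and any F pattern that matches anywhere in the same file discards the hit. The post does not say how the real tool joins V, T and F across a file, so that file-level treatment of T and F is an assumption of this example, as are the conversion of the PCRE (?<v1>...) group syntax to Python's (?P<v1>...), the filter names, the grouping of the post's V1, T1 and T2 into one recursion filter, and the PHP and C sample sources, which are constructed here rather than taken from any real project. The CWE-79 and CWE-89 patterns are copied verbatim from the post.

```python
import re

# cIFrex-style filters in the post's V/T/F notation (patterns copied from the
# post; the names and the V1+T1+T2 recursion filter grouping are this example's).
#   V: flags a suspicious line and binds named captures (<v1>, <v2>, ...)
#   T: must all match somewhere in the same file, with the captures substituted
#   F: any match anywhere in the same file discards the hit (false-positive filter)
# Treating T and F at file level is an assumption of this example, not cIFrex's.
FILTERS = [
    {"name": "CWE-79 XSS",
     "V": [r"(.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)"],
     "T": [],
     "F": [r"htmlspecialchars.*<v1>", r"\(int\)\$_(?:POST|GET)\[.<v1>.\]"]},
    {"name": "CWE-89 SQLi",
     "V": [r"\$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]"],
     "T": [r"mysql_query\(.*\$<v1>"],
     "F": [r"addslashes.*\$<v1>"]},
    {"name": "recursion on '*'",
     "V": [r"(?:int |char |^)(?<v1>\w+)\(.*"],
     "T": [r"(?:if|while).*<v1>\(", r".*\'\*\'.*"],
     "F": []},
]

# Constructed sample sources (not real project code), one file per entry.
SAMPLES = {
    "vuln_xss.php": """<?php
echo "Hello " . $_GET['name'];
""",
    "safe_xss.php": """<?php
echo "Hello " . htmlspecialchars($_GET['name']);
""",
    "int_xss.php": """<?php
echo "id=" . (int)$_GET['id'];
""",
    "vuln_sql.php": """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id = $id");
""",
    "safe_sql.php": """<?php
$id = $_GET['id'];
$id = addslashes($id);
$res = mysql_query("SELECT * FROM users WHERE id = '$id'");
""",
    "recursive.c": """int fnmatch(const char *p, const char *s)
{
    while (*p == '*') p++;
    if (*p && *s) return fnmatch(p + 1, s + 1);
    return *p == *s;
}
""",
    "loop.c": """int count_stars(const char *p)
{
    int n = 0;
    while (*p == '*') { n++; p++; }
    return n;
}
""",
}

def to_python_re(pattern):
    """The filters use PCRE named groups (?<v1>...); Python's re needs (?P<v1>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

def bind(pattern, caps):
    """Replace <v1>, <v2>, ... placeholders with the escaped captured text."""
    return re.sub(r"<(v\d+)>",
                  lambda m: re.escape(caps.get(m.group(1), m.group(0))),
                  pattern)

def matches_anywhere(pattern, lines):
    rx = re.compile(to_python_re(pattern))
    return any(rx.search(line) for line in lines)

def scan(filename, source, flt):
    """Return [(filename, lineno, captures)] for lines passing V, every T and no F."""
    lines = source.splitlines()
    hits = []
    for lineno, line in enumerate(lines, 1):
        for vpat in flt["V"]:
            m = re.search(to_python_re(vpat), line)
            if not m:
                continue
            caps = {k: v for k, v in m.groupdict().items() if v is not None}
            if not all(matches_anywhere(bind(t, caps), lines) for t in flt["T"]):
                continue  # confirmation pattern missing: not reported
            if any(matches_anywhere(bind(f, caps), lines) for f in flt["F"]):
                continue  # sanitiser seen somewhere in the file: treated as false positive
            hits.append((filename, lineno, caps))
    return hits

def run_all(filters=FILTERS, samples=SAMPLES):
    """Apply every filter to every sample file; returns {filter name: [hits]}."""
    return {flt["name"]: [hit for name, src in samples.items()
                          for hit in scan(name, src, flt)]
            for flt in filters}

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name)
        for filename, lineno, caps in hits:
            print(f"  {filename}:{lineno}  {caps}")
```

Run directly, it prints one section per filter. safe_xss.php and int_xss.php are dropped by the F patterns, safe_sql.php by F1 once the variable has passed through addslashes, and loop.c because T1 (a call to the same function inside an if/while) never matches even though T2 finds the '*'. That is exactly the post's caveat: a V match is a lead to read, not a confirmed vulnerability, and a looser F pattern would just as easily hide a real bug behind an unrelated call to the sanitiser.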
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/