Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.
Fuzzing is an operation that involves providing invalid, unexpected, or random data as input to a software application. Fuzzing has been used for years in the software testing field but has recently become very popular with security researchers, especially with Google’s security team and the Linux community.
The reason is that fuzzing can identify crashes, hangs, or memory corruption issues. Usually, some of these problems aren’t just because the app’s code needs optimization, but they also hide security-related issues.
Custom fuzzer finds flaws in all five programming languages
For his research, Arnaboldi built his own “differential fuzzer” named XDiFF (Extended Differential Fuzzing Framework) that was specifically adapted to target the structure and modus operandi of programming languages.
The researcher dissected each programming language down to its most basic functions and then used XDiFF to feed various types of input (called payloads) to each one.
“Finding interesting vulnerabilities is entirely dependent on choosing the correct input,” Arnaboldi says. “For this testing, less than 30 primitive values were used (i.e. a number, a letter, etc.) combined with special payloads. These special payloads were defined so as to help identify when the software attempted to access
The special payloads the researcher created were fine-tuned to expose the content of local files, detect unauthorized code execution, and find unauhtorized OS code execution.
His diligent work exposed severe vulnerabilities in all the programming languages he tested.
➣ Python contains undocumented methods and local environment variables that can be used for OS command execution.
➣ Perl contains a typemaps function that can execute code like eval().
➣ NodeJS outputs error messages that can disclose partial file contents.
➣ JRuby loads and executes remote code on a function not designed for remote code execution.
➣ PHP constant’s names can be used to perform remote command execution.
Vulnerabilities could trickle down to even the most secure apps
Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.
“Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee,” the expert says. “Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”
“Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters,” Arnaboldi added.
The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi’s research paper named “Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing.”