
Severe flaws in the most popular programming languages could expose any secure application built on top of them to attack

A security expert discovered severe flaws in the most popular programming languages that could expose any secure application built on top of them to attack.

Last week, IOActive Senior Security Consultant Fernando Arnaboldi presented at the Black Hat Europe 2017 security conference the results of interesting research into vulnerabilities in several popular interpreted programming languages.

Arnaboldi analyzed the most popular programming languages (JavaScript, Perl, PHP, Python, and Ruby) using fuzzing, an automated software testing technique.

The idea behind this excellent study is that securely developed applications may be affected by unidentified vulnerabilities in the underlying programming languages that could be triggered by attackers.

Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, or random data as input to a computer application. Testers then monitor for exceptions such as crashes or failing built-in code assertions, or look for potential memory leaks.

Using this technique, Google experts have discovered many flaws in popular software such as OpenSSL and Linux components.

Below is the list of programming languages tested by the researcher with the fuzzing technique.

Arnaboldi developed a custom “differential fuzzer”, XDiFF (Extended Differential Fuzzing Framework), that was specifically designed to test the structure of programming languages.

The expert released XDiFF as an open source project on GitHub.

The expert identified the most basic functions of the programming languages and tested them with the XDiFF fuzzer.

“Before execution, the fuzzer generates all possible test cases by performing a permutation between functions and payloads. The test cases combined one function of the programming language at the time with different payloads,” reads the research paper titled “Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing.”

“Finding interesting vulnerabilities is entirely dependent on choosing the correct input,” Arnaboldi explained. “For this testing, less than 30 primitive values were used (i.e. a number, a letter, etc.) combined with special payloads. These special payloads were defined so as to help identify when the software attempted to access external resources.”

Before execution, the fuzzer generates all possible test cases by permuting functions and payloads, with the payloads tuned to expose vulnerabilities in the programming languages.

“The test cases combined one function of the programming language at the time with different payloads,” continues the paper.
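The generate-then-run loop the paper describes, as an added Python example that is not the XDiFF code: it builds the function × payload permutation, runs each case in a fresh interpreter, and flags a case as external resource access when a constructed canary path shows up in the interpreter's error output. The canary path, the function list and the payload list are assumptions chosen for illustration.

```python
import itertools
import subprocess
import sys

# Constructed corpus: a handful of primitive values plus one "special payload"
# naming a resource outside the process. If a function under test tries to
# reach it, the path surfaces in the interpreter's error output. (Assumed values.)
CANARY = "/nonexistent/xdiff-canary-file"
PRIMITIVES = ["0", "1", "'a'", "''", "None"]
SPECIAL_PAYLOADS = [repr(CANARY)]
FUNCTIONS = ["len", "open", "repr", "abs"]
INTERPRETER = sys.executable  # the local Python is the only target used here


def generate_cases(functions, payloads):
    """One test case per (function, payload) pair: the permutation step."""
    return [f"{fn}({arg})" for fn, arg in itertools.product(functions, payloads)]


def run_case(interpreter, case, timeout=5):
    """Run a single case in a fresh interpreter and record its observable behaviour."""
    try:
        proc = subprocess.run([interpreter, "-c", case], capture_output=True,
                              text=True, timeout=timeout)
        return {"rc": proc.returncode, "stderr": proc.stderr.strip()}
    except subprocess.TimeoutExpired:
        return {"rc": None, "stderr": "TIMEOUT"}


def classify(result):
    """Map a run to the behaviours of interest: hang, external access, crash, or ordinary."""
    if result["rc"] is None:
        return "hang"
    if CANARY in result["stderr"]:
        return "external-resource-access"
    if result["rc"] not in (0, 1):
        return "crash"  # signal or abnormal exit rather than a normal Python exception
    return "ok"


def fuzz(interpreters, functions=FUNCTIONS, payloads=PRIMITIVES + SPECIAL_PAYLOADS):
    """Differential run: every case on every interpreter, classified per interpreter."""
    return {case: {interp: classify(run_case(interp, case)) for interp in interpreters}
            for case in generate_cases(functions, payloads)}


if __name__ == "__main__":
    for case, classes in fuzz([INTERPRETER]).items():
        if any(c != "ok" for c in classes.values()):
            print(case, classes)
```

With several interpreter paths (for example different versions of the same language) the per-case dictionary shows where their behaviour diverges, which is the differential signal the framework relies on.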

Arnaboldi exposed severe vulnerabilities in all the programming languages he analyzed with his fuzzer; he discovered the following issues:

  • Python contains undocumented methods and local environment variables that can be used for OS command execution.
  • Perl contains a typemaps function that can execute code like eval().
  • NodeJS outputs error messages that can disclose partial file contents.
  • JRuby loads and executes remote code on a function not designed for remote code execution.
  • PHP constant’s names can be used to perform remote command execution.

“Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters,” says Arnaboldi.

According to Arnaboldi, an attacker can exploit these flaws to hack even the most secure applications built on top of these programming languages.

“Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee,” concludes the expert. “Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”


Pierluigi Paganini

(Security Affairs – Programming Languages, hacking)
