Google code search: A vulnerability hunters dream October 7, 2006Posted by Imran Ghory in Computer Security, Google, Software development.
1 comment so far
Google code search: A vulnerability hunters dream? – well maybe not, but if a hacker wants to compromise random machines rather then particular targets then Google’s making finding new exploits ever easier.
Google’s latest search tool has made it incredibly easy to take one particular vulnerability which has a fairly recognizable signature and search vasts amounts of code for it. And to prove it here are some examples:
(Some of these are derivative of various suggestions posted on reddit)
For starters lets have a look for programs that run setuid/setgid and copy strings from environment variables without even verifying the lengths (hence providing an easy buffer overflow exploit):
In a similar vain code that takes an environment variable passed to it by a web-browser before sticking it in an SQL query (thus allowing SQL query injection attacks):
How about code which uses the unsafe chmod command ( chmod is bad due to non-atomicity, code normally checks the file has some properties first before chmoding it – however due to the fact that the checking is a separate operation from the chmoding a hacker could replace the file with a symlink after the check but before the file has been chmod – hence allowing them to change the permissions on arbitrary files) :
Or a similar race condition which can be used to create havoc, this time the mktemp() function – which creates a temporary file with a predictable name (so what happens if someone else gets there first with a symlink….).
I think the scariest so far is the number of mid-to-large size projects which show up for this following search (where an input is read from a file into a fixed size buffer without a limit being put on the amount of data being read in):
And somewhat more lightheartedly a look at all the programmers that are hard-core traditionalists when it comes to crypto:
So there you have it – vulnerabilities galore and just from a few minutes work.