Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing

Presented at Black Hat Europe 2017, Dec. 6, 2017, 5 p.m. (30 minutes).

Securely developed applications may have unidentified vulnerabilities in the underlying programming languages. Attackers can target these programming language flaws to alter applications' behavior. This means applications are only as secure as the programming languages parsing the code.

A differential fuzzing framework was created to detect dangerous and unusual behaviors in similar software implementations. Multiple implementations of the top five interpreted programming languages were tested: JavaScript, Perl, PHP, Python, and Ruby. After fuzzing the default libraries and built-in functions, several dangerous behaviors were automatically identified.

This paper reveals the most serious vulnerabilities found in each language. It includes practical examples identifying which undocumented functions could allow OS command execution, when sensitive file contents may be partially exposed in error messages, how native code is being unexpectedly interpreted – locally and remotely – and when constant's names could be used as regular strings for OS command execution.

The vulnerabilities, methodology, and fuzzer will be made open source, and the accompanying talk will include live demonstrations.


Presenters:

  • Fernando Arnaboldi - Senior Security Consultant, IOActive
    Fernando Arnaboldi is a senior security consultant at IOActive specializing in penetration testing and code reviews on multiple platforms. He is experienced in a variety of programming languages and has presented in the past in security conferences such as Black Hat USA, DEF CON and OWASP AppSec USA.

Links:

Similar Presentations: