Securely-developed apps may be at risk due to security issues in popular interpreted programming languages.
Even software that has been built with secure development procedures may still be vulnerable to attack, due to flaws in the interpreted programming languages they depend on.
IOActive researcher Fernando Arnaboldi revealed at last week’s Black Hat Europe conference that serious flaws in interpreters for five popular programming languages put applications parsed by them at risk.
Arnaboldi found, for example, that Python has “undocumented methods and local environment variables that can be used for OS command execution”.
NodeJS, a JavaScript interpreter, meanwhile could leak file contents through error messages it outputs, while JRuby, the Java implementation of Ruby, “loads and executes remote code on a function not designed for remote code execution”.
For Perl, Arnaboldi cites the ability of its typemaps function, included in its default set of modules, to execute code. While in PHP, certain native functions can be passed a constant’s name to perform a remote command execution.
He believes these vulnerabilities may have been caused by attempts to simplify software development.
“The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters,” he noted.
“With regards to the interpreted programming languages vulnerabilities, software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee. Some of these behaviors pose a security risk to applications that were securely developed according to guidelines,” wrote Arnaboldi.
The researcher discovered the flaws using the XDiFF, a ‘differential fuzzer’ he created and targeted at several interpreters for different languages.
For JavaScript, targets included Google’s v8 JavaScript engine, and Microsoft’s ChakraCore equivalent, Mozilla’s SpiderMonkey, and NodeJS, and Node-ChakraCore.
In PHP, he fuzzed PHP and HHVM, while for Ruby the targets included Ruby and JRuby. He also fuzzed Perl, ActivePerl, CPython, PyPy, and Jython.
As he’s previously pointed out, the research shows that applications can suffer from security issues when using certain features from programming languages.
“There are a number of possibilities to be abused in different implementations that could affect secure applications. There are unexpected scenarios for the interpreted programming languages parsing the code in JavaScript, Perl, PHP, Python and Ruby,” Arnaboldi wrote.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.