5 języków programowania z ukrytymi wadami pozwalającymi na atak hakerów

[ichito]

Jak wiemy błędy i podatności w aplikacjach, to skutek niedoskonałości w ich kodzie, a skutki tego doświadczamy wielokrotnie na własnej skórze walcząc ze szkodnikami. Tym razem mowa jednak będzie o błędach w samych językach programowania, o czym powiadomiono na ostatniej konferencji Black Hat Europe 2017, która się zakończyła kilka dni temu.
Praca pt. "Exposing Hidden Exploitable  Behaviors in Programming  Languages  U sing Differential Fuzzing" wskazuje na bardzo poważne znalezione podatności we wszystkich przeanalizowanych językach -JavaScript, Perl, PHP, Python i Ruby.
Opis poatności poniżej

1. Python
Currently enjoying a surge in usage, Python is regularly used by web and desktop developers, sysadmin/devops, and more recently by data scientists and machine-learning engineers.

The IOActive paper found that Python contains undocumented methods and local environment variables that can be used to execute operating-system commands.

Both Python's mimetools and pydoc libraries have undocumented methods that can be exploited in this way, which IOActive used to run Linux's id command.

2. Perl
Popular for web server scripting, sysadmin jobs, network programming and automating various tasks, Perl has been in use since the late 1980s.

IOActive highlights the fact that Perl contains a function that will attempt to execute one of the arguments passed to it as Perl code. It describes the practice as a "hidden feature" within a default Perl function for handling typemaps.

3. NodeJS
NodeJS provides a server-side environment for executing JavaScript, the language commonly used for scripting in web browsers.

IOActive found that NodeJS' built-in error messages for its require function could be exploited to determine whether a file name existed on the machine and to leak the first line of files on a system—potentially useful information for an attacker.

4. JRuby
The Java implementation of the Ruby programming language was found to allow remote code execution in a way that isn't possible in Ruby as a base language.

By calling executable Ruby code using a specific function in JRuby, IOActive was able to get the function to execute an operating system command, the Linux command id, by loading a file on a remote server.

5. PHP
The venerable server scripting language was used to call an operating system command, again the Linux command id, using the shell_exec() function and by exploiting the way PHP handles the names of constants.

"Depending on how the PHP application has been developed, this may lead to remote command execution," say researchers.

That said, many web admins have long known the potential risk posed by PHP's shell_exec() function, and how to disable it.

Źródło

[Aby zobaczyć linki, zarejestruj się tutaj]

Oryginalny artykuł z dokładnymi informacjami

[Aby zobaczyć linki, zarejestruj się tutaj]