oss-fuzz/infra/experimental/sanitizers/ExecSan/README.md

# Shell Injection Detection with `ptrace`

We use `ptrace` to instrument system calls made by the target program to detect
if our `/tmp/tripwire` command in `vuln.dict` was injected into the shell of
the testing target program. This works by

- Checking if `execve` is called with `/tmp/tripwire`.
- TODO: Checking if we managed to invoke a shell (e.g. /bin/sh) and cause a
  syntax error.

## Quick test

### Cleanup
Note this will delete /tmp/tripwire if it exists.
```shell
make clean
```

### Run test
Note this will overwrite /tmp/tripwire if it exists.
```shell
make test
```

Look for one of the following lines:

> ===BUG DETECTED: Shell injection===

which indicates the detection of executing the planted `/tmp/tripwire`.


> ===BUG DETECTED: Shell corruption===

which indicates the detection of executing a syntactic erroneous command.


## PoC in Python with `pytorch-lightning`
With `execSan`, [`Artheris`](https://github.com/google/atheris) can detect a shell injection bug in [version v1.5.10 of `pytorch-lightning`](https://github.com/PyTorchLightning/pytorch-lightning/tree/1.5.0).
```shell
make pytorch-lightning-1.5.10
```

## PoC in JavaScript with `shell-quote`
With `execSan`, [`Jsfuzz`](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz) can detect a shell corrpution bug in [the latest version (v1.7.3) of `shell-quote`](https://github.com/substack/node-shell-quote) without any seed.
```shell
make node-shell-quote-v1.7.3
```
This is based on [a shell injection exploit report](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html) of [version v1.7.2 of `shell-quote`](https://github.com/substack/node-shell-quote/tree/v1.7.2).
`execSan` can also discover the same shell injection bug with a corpus file containing:
```
`:`/tmp/tripwire``:`
```


## TODOs
1. Find real examples of past shell injection vulnerabilities using this.
2. More specific patterns of error messages (to avoid false postives/negatives)
  * e.g. cache and concatenate the buffer of consecutive `write` syscalls
  * e.g. define the RegEx of patterns and pattern-match with buffers
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00			# Shell Injection Detection with `ptrace`

execSan: Follow forks. (#7771) * execSan: Follow forks. - ptrace all child processes. - Look for execve() calls with /tmp/tripwire as the first argument. There's no need for it to actually run. - Convert to C++. * remove ununused tripwire code * comments 2022-05-30 00:31:12 +00:00			We use `ptrace` to instrument system calls made by the target program to detect
			if our `/tmp/tripwire` command in `vuln.dict` was injected into the shell of
			`the testing target program. This works by`

			- Checking if `execve` is called with `/tmp/tripwire`.
			`- TODO: Checking if we managed to invoke a shell (e.g. /bin/sh) and cause a`
			`syntax error.`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00
			`## Quick test`

			`### Cleanup`
execSan: Follow forks. (#7771) * execSan: Follow forks. - ptrace all child processes. - Look for execve() calls with /tmp/tripwire as the first argument. There's no need for it to actually run. - Convert to C++. * remove ununused tripwire code * comments 2022-05-30 00:31:12 +00:00			`Note this will delete /tmp/tripwire if it exists.`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00			```shell
			`make clean`
			```

			`### Run test`
execSan: Follow forks. (#7771) * execSan: Follow forks. - ptrace all child processes. - Look for execve() calls with /tmp/tripwire as the first argument. There's no need for it to actually run. - Convert to C++. * remove ununused tripwire code * comments 2022-05-30 00:31:12 +00:00			`Note this will overwrite /tmp/tripwire if it exists.`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00			```shell
			`make test`
			```

Detect shell injection based on syntax errors (#7795) * Remove redundant tripwire from Makefile * Detect shell corruption based on syntax errors * Type, name, format, typo, etc. * Error pattern matching logic * clang-format * Code structure fix * Extend the pathname length of shell to be safe * Remove redundant operations on memory read from regs * More specific patterns * Identify sh * Remove redudant substr * Document shell corruption in README.md * Clang-format * Organise printf/debug_log/cerr * Remove a completed TODO * Use readlink instead of `file` * Clang-format 2022-06-06 04:14:01 +00:00			`Look for one of the following lines:`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00
			`> ===BUG DETECTED: Shell injection===`

Detect shell injection based on syntax errors (#7795) * Remove redundant tripwire from Makefile * Detect shell corruption based on syntax errors * Type, name, format, typo, etc. * Error pattern matching logic * clang-format * Code structure fix * Extend the pathname length of shell to be safe * Remove redundant operations on memory read from regs * More specific patterns * Identify sh * Remove redudant substr * Document shell corruption in README.md * Clang-format * Organise printf/debug_log/cerr * Remove a completed TODO * Use readlink instead of `file` * Clang-format 2022-06-06 04:14:01 +00:00			which indicates the detection of executing the planted `/tmp/tripwire`.


			`> ===BUG DETECTED: Shell corruption===`

			`which indicates the detection of executing a syntactic erroneous command.`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00

A PoC of `execSan` with `node-shell-quote` v1.7.3 (#7843) * A PoC with `node-shell-quote` v1.7.3. * A description of the shell injection bug in the prev version of shell-quote and how to reproduce it with `execSan`. * Amend the instructions to run `execSan` on `node-shell-quote` and `pytorch-lightning`. 2022-06-13 23:58:21 +00:00			## PoC in Python with `pytorch-lightning`
			With `execSan`, [`Artheris`](https://github.com/google/atheris) can detect a shell injection bug in [version v1.5.10 of `pytorch-lightning`](https://github.com/PyTorchLightning/pytorch-lightning/tree/1.5.0).
			```shell
			`make pytorch-lightning-1.5.10`
			```

			## PoC in JavaScript with `shell-quote`
			With `execSan`, [`Jsfuzz`](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz) can detect a shell corrpution bug in [the latest version (v1.7.3) of `shell-quote`](https://github.com/substack/node-shell-quote) without any seed.
			```shell
			`make node-shell-quote-v1.7.3`
			```
			This is based on [a shell injection exploit report](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html) of [version v1.7.2 of `shell-quote`](https://github.com/substack/node-shell-quote/tree/v1.7.2).
			`execSan` can also discover the same shell injection bug with a corpus file containing:
			```
			`:`/tmp/tripwire``:`
			```


An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00			`## TODOs`
Detect shell injection based on syntax errors (#7795) * Remove redundant tripwire from Makefile * Detect shell corruption based on syntax errors * Type, name, format, typo, etc. * Error pattern matching logic * clang-format * Code structure fix * Extend the pathname length of shell to be safe * Remove redundant operations on memory read from regs * More specific patterns * Identify sh * Remove redudant substr * Document shell corruption in README.md * Clang-format * Organise printf/debug_log/cerr * Remove a completed TODO * Use readlink instead of `file` * Clang-format 2022-06-06 04:14:01 +00:00			`1. Find real examples of past shell injection vulnerabilities using this.`
Execsan syntax error (minor fixes) (#7806) * Removes the `: ` prefix in our previous pattern to capture case ii and reduce false negatives: 1. Our previous pattern (i.e. `: Syntax error`) is designed to reduce false positives, but it relies on `dash` to print out an error message within one `write` syscall. E.g. `sh: 1: Syntax error: "invalid_command" unexpected`. 2. In some cases, `dash` breaks the message into multiple `write` syscalls. E.g. it invokes 2 `writes` whose buffers respectively contain `sh: 1:`, ` Syntax error: "invalid_command" unexpected`. * Fix outdated wording * A TODO about using more specific patterns of error messages 2022-06-07 01:50:30 +00:00			`2. More specific patterns of error messages (to avoid false postives/negatives)`
			* e.g. cache and concatenate the buffer of consecutive `write` syscalls
			`* e.g. define the RegEx of patterns and pattern-match with buffers`
An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs 2022-05-26 05:37:04 +00:00