aea1b456dd
cc @oliverchang This allows to get rid of false positives such as https://github.com/google/oss-fuzz/blob/master/projects/phmap/phashmap_fuzz.cc#L33 and others which try to scan non-existing directories such as /config |
||
|---|---|---|
| .. | ||
| PoEs | ||
| Makefile | ||
| README.md | ||
| SystemSan.cpp | ||
| target.cpp | ||
| target_file.cpp | ||
| vuln.dict | ||
README.md
System Sanitizers
We use ptrace to instrument system calls made by the target program to detect
various vulnerabilities.
Command injection
This detector currently works by
- Checking if
execveis called with/tmp/tripwire(which comes from our dictionary). - Checking if
execveis invoking a shell with invalid syntax. This is likely caused by our input.
Arbitrary file open
TODO: documentation.
Proof of concept
Cleanup
Note this will delete /tmp/tripwire if it exists.
make clean
Run test
Note this will overwrite /tmp/tripwire if it exists.
make test
Look for one of the following lines:
===BUG DETECTED: Shell injection===
which indicates the detection of executing the planted /tmp/tripwire.
===BUG DETECTED: Shell corruption===
which indicates the detection of executing a syntactic erroneous command.
Command injection PoC in Python with pytorch-lightning
With SystemSan, Artheris can detect a shell injection bug in version v1.5.10 of pytorch-lightning.
make pytorch-lightning-1.5.10
Command injection PoC in JavaScript with shell-quote
With SystemSan, Jsfuzz can detect a shell corrpution bug in the latest version (v1.7.3) of shell-quote without any seed.
make node-shell-quote-v1.7.3
This is based on a shell injection exploit report of version v1.7.2 of shell-quote.
SystemSan can also discover the same shell injection bug with a corpus file containing:
`:`/tmp/tripwire``:`