<!DOCTYPE html>
<html prefix="og: http://ogp.me/ns#">
<head>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet">
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
<script src="//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link href="/theme/css/statocles-bootstrap.css" rel="stylesheet">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">
<title>KENTNL's Blog</title>
<meta content="Statocles 0.070" name="generator">
<link href="/blog/index.atom" rel="alternate" type="application/atom+xml">
<link href="/blog/index.rss" rel="alternate" type="application/rss+xml">
<link href="/blog/fulltext.atom" rel="alternate" type="application/atom+xml">
<link href="/blog/fulltext.rss" rel="alternate" type="application/rss+xml">
<meta content="https://avatars0.githubusercontent.com/u/44790?v=3&amp;s=400" property="og:image">
<link href="/theme/plugin/highlight/default.css" rel="stylesheet" type="text/css">
</head>
<body>
<header>
<nav class="navbar navbar-default navbar-static-top" role="navigation">
<div class="container">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button class="navbar-toggle" data-target="#top-navbar-collapse-1" data-toggle="collapse" type="button">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">KENTNL&#39;s Blog</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="top-navbar-collapse-1">
<ul class="nav navbar-nav">
<li><a href="/">Blog</a></li>
</ul>
</div>
</div>
</nav>
</header>
<div class="main container">
<div class="row">
<div class="col-md-9">
<main>
<article>
<header>
<h1><a href="/blog/2016/01/02/re-the-perl-jam-2-hashes-are-insecure/">Re: The Perl Jam 2: Hashes are Insecure</a></h1>
<p class="tags">Tags:
<a href="/blog/tag/perl/" rel="tag">perl</a>
<a href="/blog/tag/the-perl-jam-2/" rel="tag">the perl jam 2</a>
</p>
<aside>
<p><time datetime="2016-01-02">
Posted on 2016-01-02
</time>
</p>
</aside>
</header>
<p>This is part 3 in a <a href="/blog/tag/the-perl-jam-2">series</a> of responses to
<a href="https://www.youtube.com/watch?v=eH_u3C2WwQ0">Netanel Rubin&#39;s Presentation: The Perl Jam 2</a>,
for reasons explained in <a href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/">Part 1</a></p>
<p>In his original presentation, Netanel over-focused on the assumption that we treat
hashes and other arbitrary data structures as safe by default.</p>
<p>This is not really true; however, while watching him talk about it, I realised
he was right in a sense, just ... not how he imagined.</p>
<h2 id="hash_keys_are_a_potential_security_risk_">Hash Keys are a Potential Security Risk.<a class="toplink" href="/blog/2016/01/02/re-the-perl-jam-2-hashes-are-insecure/#top">^</a><a class="permalink" href="/blog/2016/01/02/re-the-perl-jam-2-hashes-are-insecure/#hash_keys_are_a_potential_security_risk_">⚓</a></h2>
<p>Under taint mode, strings from external sources are marked &quot;tainted&quot; until somebody manually untaints them.</p>
<p>Any taint-sensitive function call can then raise a fatal exception if it is passed tainted data.</p>
<p>For instance, take the following JSON file:</p>
<pre><code class="hljs">{ <span class="hljs-string">&quot;DROP TABLES *&quot;</span>: <span class="hljs-string">&quot;DROP TABLES *&quot;</span> }
</code></pre>
<p>Now, using the following script:</p>
<pre><code class="hljs"><span class="hljs-keyword">use</span> <span class="hljs-keyword">strict</span>;
<span class="hljs-keyword">use</span> <span class="hljs-keyword">warnings</span>;
<span class="hljs-keyword">use</span> <span class="hljs-function">JSON::MaybeXS</span>;
<span class="hljs-keyword">use</span> <span class="hljs-function">Path::Tiny</span> qw( path );
<span class="hljs-keyword">my</span> <span class="hljs-type">$structure</span> = decode_json(path(&#39;<span class="hljs-string">/tmp/evil.json</span>&#39;)-&gt;slurp_raw);
<span class="hljs-function">system</span>(&quot;<span class="hljs-string">echo </span>&quot; . <span class="hljs-function">join</span> q[], <span class="hljs-function">values</span> <span class="hljs-type">%</span>{<span class="hljs-type">$structure</span>} );
</code></pre>
<p>This example demonstrates that the JSON back-end faithfully preserved taintness
of the external data, and the code fails as expected.</p>
<pre><code class="hljs">$ env -i perl -T /tmp/json.pl
Insecure dependency <span class="hljs-keyword">in</span> system <span class="hljs-keyword">while</span> running with -T switch at /tmp/json.pl line 7.
</code></pre>
<p>However, hash keys are inherently different:</p>
<pre><code class="hljs">- system(&quot;echo &quot; . join q[], values %{$structure} );
<span class="hljs-string">+ system(&quot;echo &quot; . join q[], keys %{$structure} );</span><span class="hljs-string">
</span></code></pre>
<p>And now we have a problem:</p>
<pre><code class="hljs">$ env -i perl -T /tmp/json.pl
DROP TABLES blog page site.yml static theme
</code></pre>
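<p>The asymmetry above, and the check a defender wants in its place, as an added example that is not code from the original post. It runs under <code>perl -T</code>, uses <code>__DATA__</code> as a constructed stand-in for the external JSON (file input, so it is tainted), and the allow-list pattern in <code>checked_keys</code> is an assumption of this example:</p>

```perl
# Run with: perl -T keys_taint.pl
use strict;
use warnings;
use Scalar::Util qw( tainted );

# Constructed input standing in for the decoded JSON: under -T, anything
# read from a filehandle (DATA included) is tainted.
my $external = <DATA>;
chomp $external;

# The same tainted string as both key and value, as in the JSON above.
my %structure = ( $external => $external );

# Report taint per entry: only the value keeps it, the key is stored as a
# plain string and so silently loses the taint flag.
sub taint_report {
    my ($href) = @_;
    my %r;
    for my $k (keys %$href) {
        $r{$k} = { key => (tainted($k) ? 1 : 0), value => (tainted($href->{$k}) ? 1 : 0) };
    }
    return \%r;
}

# Mitigation: treat keys as untrusted and allow-list them before they reach
# system(), SQL, file names or anything else taint mode would have caught.
# The capture is the usual untaint idiom; the pattern is an assumption here.
sub checked_keys {
    my ($href) = @_;
    my @ok;
    for my $k (sort keys %$href) {
        if ($k =~ /\A([A-Za-z_][A-Za-z0-9_]{0,63})\z/) { push @ok, $1 }
        else { die "Refusing unexpected hash key: '$k'\n" }
    }
    return @ok;
}

my $report = taint_report(\%structure);
for my $k (keys %$report) {
    printf "key tainted: %d, value tainted: %d\n", $report->{$k}{key}, $report->{$k}{value};
}
my @keys = eval { checked_keys(\%structure) };
print $@ ? "blocked: $@" : "keys accepted: @keys\n";

__DATA__
DROP TABLES *
```

<p>Run without <code>-T</code> both flags read 0, which is exactly why the key check must not rely on taint at all.</p>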
<p><a href="/blog/2016/01/02/re-the-perl-jam-2-hashes-are-insecure/index.html#section-2">Continue reading Re: The Perl Jam 2: Hashes are Insecure...</a></p>
</article>
<article>
<header>
<h1><a href="/blog/2016/01/01/re-the-perl-jam-2-argv-is-evil/">Re: The Perl Jam 2: &lt;&quot;ARGV&quot;&gt; is evil</a></h1>
<p class="tags">Tags:
<a href="/blog/tag/perl/" rel="tag">perl</a>
<a href="/blog/tag/the-perl-jam-2/" rel="tag">the perl jam 2</a>
</p>
<aside>
<p><time datetime="2016-01-01">
Posted on 2016-01-01
</time>
</p>
</aside>
</header>
<p>This is part 2 in a <a href="/blog/tag/the-perl-jam-2">series</a> of responses to
<a href="https://www.youtube.com/watch?v=eH_u3C2WwQ0">Netanel Rubin&#39;s Presentation: The Perl Jam 2</a>,
for reasons explained in <a href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/">Part 1</a></p>
<p>This is one of the things where Netanel would have best served the Perl
community by filing a bug when he discovered it.</p>
<h2 id="_argv_is_evil"><code>&lt;&quot;ARGV&quot;&gt;</code> is evil<a class="toplink" href="/blog/2016/01/01/re-the-perl-jam-2-argv-is-evil/#top">^</a><a class="permalink" href="/blog/2016/01/01/re-the-perl-jam-2-argv-is-evil/#_argv_is_evil">⚓</a></h2>
<p>Here is the most reduced code you can have that demonstrates the
vulnerability in play.</p>
<pre><code class="hljs"><span class="hljs-keyword">use</span> <span class="hljs-keyword">strict</span>;
<span class="hljs-keyword">use</span> <span class="hljs-keyword">warnings</span>;
<span class="hljs-comment"># Pretend this came in through a CGI Request Parameter</span><span class="hljs-comment">
</span><span class="hljs-variable">@ARGV</span>=( &#39;<span class="hljs-string">echo exploited|</span>&#39; );
<span class="hljs-comment"># This function should return a filehandle, but the user did something</span><span class="hljs-comment">
</span><span class="hljs-comment"># to trick magical_function to return the string &quot;ARGV&quot;</span><span class="hljs-comment">
</span>
<span class="hljs-keyword">my</span> <span class="hljs-type">$filehandle</span> = magical_function();
<span class="hljs-comment"># TRAP</span><span class="hljs-comment">
</span><span class="hljs-keyword">while</span> (&lt;<span class="hljs-type">$filehandle</span>&gt;) {
<span class="hljs-function">print</span> <span class="hljs-variable">$_</span>;
}
</code></pre>
<p>As long as <code>$filehandle</code> is in fact a FileHandle, nothing weird happens.</p>
<p>However, when <code>$filehandle</code> is a <em>string</em>, Perl does something it typically
shouldn&#39;t: it treats the string as a <em>description</em> of a filehandle.</p>
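<p>A guard for the trap above, as an added example that is not code from the original post. <code>magical_function</code> is a hypothetical stand-in that reproduces the bug (returning the string <code>&quot;ARGV&quot;</code>), <code>read_lines_from</code> is this example&#39;s own helper, and <code>Scalar::Util::openhandle</code> does the check:</p>

```perl
use strict;
use warnings;
use Scalar::Util qw( openhandle );

# Hypothetical stand-in for the post's magical_function(): the bug it
# models returns the *name* of a handle rather than a handle.
sub magical_function { return 'ARGV' }

# Guard: accept only a real, open filehandle. A plain string such as "ARGV"
# is rejected here instead of being interpreted by <...> as a handle name.
sub read_lines_from {
    my ($thing) = @_;
    my $fh = openhandle($thing)
        or die "read_lines_from: expected an open filehandle, got '$thing'\n";
    return <$fh>;
}

# Constructed @ARGV, primed the way the post says a CGI parameter could.
@ARGV = ('echo exploited|');

# The string "ARGV" never reaches <...>, so @ARGV is never opened.
my @got = eval { read_lines_from(magical_function()) };
print $@ ? "refused: $@" : "read: @got";

# A genuine (in-memory) filehandle still passes the guard.
open my $real, '<', \"line one\nline two\n" or die "open: $!";
print read_lines_from($real);

# If the intent really is "read every file named in @ARGV", <<>> (Perl 5.22+)
# opens each name with three-argument open, so a trailing '|' is part of a
# file name, not a pipe request:  while (<<>>) { ... }
```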
<p><a href="/blog/2016/01/01/re-the-perl-jam-2-argv-is-evil/index.html#section-2">Continue reading Re: The Perl Jam 2: &lt;&quot;ARGV&quot;&gt; is evil...</a></p>
</article>
<article>
<header>
<h1><a href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/">Re: The Perl Jam 2: CGI Sucks</a></h1>
<p class="tags">Tags:
<a href="/blog/tag/perl/" rel="tag">perl</a>
<a href="/blog/tag/the-perl-jam-2/" rel="tag">the perl jam 2</a>
</p>
<aside>
<p><time datetime="2015-12-31">
Posted on 2015-12-31
</time>
</p>
</aside>
</header>
<p>I&#39;m going to be posting a <a href="/blog/tag/the-perl-jam-2">series</a> of entries in response to <a href="https://www.youtube.com/watch?v=eH_u3C2WwQ0">Netanel Rubin&#39;s Presentation: The Perl Jam 2</a>, and this is the first of such entries.</p>
<p>As a whole, I felt he grossly mischaracterised Perl and its community, and made a few glaring errors in his presentation and a few leaps of logic.</p>
<p>Throughout his talk, he covered a handful of Real Bugs, but his presentation made it difficult to realise what they were objectively,
and his hyperbolic, rhetorical technique served not to educate, not to correct, but to mock.</p>
<p>I feel many of his criticisms would have been better addressed as actual bug reports, not a presentation conveying how software has bugs, and that with better clarity
and fewer rhetorical devices, the important parts of his presentation could have been covered in 5 minutes.</p>
<p>So this is an attempt at clarifying the mistakes in the presentation, and at serving as a more objective response where we can unpack the relevant parts,
fix the actual problems, and educate our way past the cultural issues that lead people to make bad choices.</p>
<p>I will of course go into far more detail than is strictly necessary.</p>
<h2 id="cgi_sucks">CGI Sucks<a class="toplink" href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/#top">^</a><a class="permalink" href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/#cgi_sucks">⚓</a></h2>
<h3>And it&#39;s Documented that Nobody should use it</h3>
<p>Netanel did not identify this quirk as such, but it underlies a significant chunk of his presentation.</p>
<p>Both <code>CGI.pm</code> and the CGI protocol impose serious limitations on the security and performance of your Web Application,
have been recommended against by everyone worth listening to, and this is even documented
<a href="https://metacpan.org/pod/release/LEEJO/CGI-4.25/lib/CGI.pod#CGI.pm-HAS-BEEN-REMOVED-FROM-THE-PERL-CORE"><strong>IN CGI.pm itself</strong></a>:</p>
<blockquote>
<p>CGI.pm is no longer considered good practice for developing web applications, including quick prototyping and small web scripts.
There are far better, cleaner, quicker, easier, safer, more scalable, more extensible, more modern alternatives available at this point in time.</p>
</blockquote>
<p>The CGI protocol significantly blurs the lines between the Command Line interface, and the Web, in ways that prove to be detrimental,
and can serve as an amplifier for bugs and security risks.</p>
<p>One of the attacks he demonstrates relies heavily on a behaviour in Perl that is deemed useful for command line programs: The ability
for the caller ( that is, the user of the command line program ), to specify, by way of arguments, names of arbitrary programs to execute to retrieve their output.</p>
<p>This turns out to be a grave trap in a Web context, as HTTP <code>GET</code> request parameters are passed to the CGI application in <code>@ARGV</code>,
much like parameters on the command line.</p>
<p>And that means any code that happens to utilize that &quot;execute arbitrary programs based on arguments in <code>@ARGV</code>&quot; path
( either by intent, or by way of exploiting a bug ) is simply waiting for the day when some user on the internet can forge a request such as:</p>
<pre><code>http://example.org/fake.cgi?rm -rf /|
</code></pre>
<p>And maybe find enough magic spice to trigger the <a href="/blog/2016/01/01/re-the-perl-jam-2-argv-is-evil/">&quot;be a command line and execute that&quot; condition.</a></p>
<p>And this would clearly be bad.</p>
<p>But this risk exists because of the Command-Line-as-a-Web-Protocol design flaw.</p>
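<p>The mitigation and a detection hook for the design flaw above, as an added example that is not code from the original post. The <code>%env</code> and <code>@argv</code> here are constructed to model what a server sets for an &quot;indexed&quot; query (one with no unencoded <code>=</code>, which RFC 3875 section 4.4 says is split on <code>+</code> and passed as command-line arguments); in a real script the calls would take <code>\%ENV</code> and <code>\@ARGV</code>:</p>

```perl
use strict;
use warnings;

# Constructed environment, modelled on what a CGI server sets for an
# "indexed" query (RFC 3875 section 4.4): no unencoded '=' in the query,
# so the server splits it on '+' and passes the words as arguments.
my %env = (
    GATEWAY_INTERFACE => 'CGI/1.1',
    REQUEST_METHOD    => 'GET',
    QUERY_STRING      => 'rm+-rf+/|',
);
my @argv = ('rm', '-rf', '/|');   # constructed: what the server would pass

# Mitigation: when running under CGI, discard anything the server placed in
# @ARGV before any code can treat it as file names, handles or commands.
# Returns the arguments that were dropped so the caller can log the event.
sub scrub_cgi_argv {
    my ($env, $argv) = @_;
    return () unless defined $env->{GATEWAY_INTERFACE};
    my @dropped = @$argv;
    @$argv = ();
    return @dropped;
}

# Detection hook: an indexed query sent to a script that never expects one
# is worth a log line, since no legitimate client of a form-based app sends one.
sub is_indexed_query {
    my ($env) = @_;
    return 0 unless defined $env->{QUERY_STRING} && length $env->{QUERY_STRING};
    return $env->{QUERY_STRING} !~ /=/ ? 1 : 0;
}

# In a real CGI script: scrub_cgi_argv(\%ENV, \@ARGV) as the first statement.
if (my @dropped = scrub_cgi_argv(\%env, \@argv)) {
    warn sprintf "dropped %d query-derived argument(s): %s\n",
        scalar @dropped, join(' ', map { "'$_'" } @dropped);
}
warn "indexed query received, QUERY_STRING='$env{QUERY_STRING}'\n"
    if is_indexed_query(\%env);
```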
<p><a href="/blog/2015/12/31/re-the-perl-jam-2-cgi-sucks/index.html#section-2">Continue reading Re: The Perl Jam 2: CGI Sucks...</a></p>
</article>
</main>
</div>
<div class="sidebar col-md-3">
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/perl/">perl</a></li>
<li><a href="/blog/tag/the-perl-jam-2/">the perl jam 2</a></li>
</ul>
<h1>Feeds</h1>
<ul class="list-inline">
<li>
<a href="/blog/index.atom" rel="alternate" type="application/atom+xml">
Atom
</a>
</li>
<li>
<a href="/blog/index.rss" rel="alternate" type="application/rss+xml">
RSS
</a>
</li>
<li>
<a href="/blog/fulltext.atom" rel="alternate" type="application/atom+xml">
Atom FullText
</a>
</li>
<li>
<a href="/blog/fulltext.rss" rel="alternate" type="application/rss+xml">
RSS FullText
</a>
</li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container tagline">
<a href="http://preaction.me/statocles">Made with Statocles</a><br>
<a href="http://www.perl.org">Powered by Perl</a>
</div>
</footer>
</body>
</html>