Writing bug-free software is practically impossible, due to the impracticality of predicting every way in which code might be executed.
But even if developers go above and beyond to avoid flaws that can be exploited by hackers, attackers can often still take advantage of vulnerabilities in the design of the underlying programming language.
At the recent Black Hat Europe conference, IOActive security services revealed it had identified flaws in five major, interpreted programming languages that could be used by hackers in crafting an attack.
“With regards to the interpreted programming languages vulnerabilities, software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee,” it writes.
SEE: Hiring kit: Python developer (Tech Pro Research)
“Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”
These are the five programming languages and the flaws that were identified:
Currently enjoying a surge in usage, Python is regularly used by web and desktop developers, sysadmin/devops, and more recently by data scientists and machine-learning engineers.
The IOActive paper found that Python contains undocumented methods and local environment variables that can be used to execute operating-system commands.
Both Python’s mimetools and pydoc libraries have undocumented methods that can be exploited in this way, which IOActive used to run Linux’s id command.
Popular for web server scripting, sysadmin jobs, network programming and automating various tasks, Perl has been in use since the late 1980s.
IOActive highlights the fact that Perl contains a function that will attempt to execute one of the arguments passed to it as Perl code. It describes the practice as a “hidden feature” within a default Perl function for handling typemaps.
IOActive found that NodeJS’ built-in error messages for its require function could be exploited to determine whether a file name existed on the machine and to leak the first line of files on a system–potentially useful information for an attacker.
The Java implementation of the Ruby programming language was found to allow remote code execution in a way that isn’t possible in Ruby as a base language.
By calling executable Ruby code using a specific function in JRuby, IOActive was able to get the function to execute an operating system command, the Linux command id, by loading a file on a remote server.
The venerable server scripting language was used to call an operating system command, again the Linux command id, using the shell_exec() function and by exploiting the way PHP handles the names of constants.
“Depending on how the PHP application has been developed, this may lead to remote command execution,” say researchers.
That said, many web admins have long known the potential risk posed by PHP’s shell_exec() function, and how to disable it.
Exploitable flaws in each programming language were identified using a tool called a differential fuzzer, which was designed to automatically find vulnerabilities. The fuzzer works by running through a large array of scenarios in each language, calling each of the languages’ native functions with a wide variety of different arguments and observing the results.