我正在对具有嵌入式 TCL 解释器的系统进行安全测试。该系统接收来自互联网 (HTTP) 的输入,对其进行解析并传递给可定制的 TCL 脚本。在模糊测试期间(在 HTTP 标头中发送二进制垃圾),我注意到日志中存在以下错误:
TCL 错误:执行“foreach header [ XXXXX ] { }”时,引号中的列表元素后跟“{}x”而不是空格
空格
TCL 错误:执行“foreach header [ XXXXX ] {}”时列表中出现不匹配的左引号
这里 XXXXX 是返回由系统解析的 HTTP 标头数组的命令。很抱歉混淆了真正的命令,我希望您理解,在供应商收到有关问题的通知(如果事实证明这是一个问题)之前,我不想公开太多细节。
产生错误的 TCL 代码非常简单:
foreach 标头 [ XXXXX ] { }
据我所知,HTTP 解析是在 TCL 之外完成的,解析后的值可以通过自定义命令(可能作为 TCL 扩展实现)供 TCL 访问。
所以我的问题是:
-
这些错误是否表明系统存在安全问题,例如用户输入验证不足?
-
如果是,是否可以利用此条件通过发送系统特制请求(一种 代码注入攻击?
-
是否有“安全 TCL 编码实践”文档?我找不到任何内容。
I am doing a security test on a system having an embedded TCL interpreter. The system receives input from the Internet (HTTP), parses it and passes to customisable TCL scripts. During a fuzzing test (sending binary garbage in HTTP headers) I have noticed the following errors in the log:
TCL error: list element in quotes followed by "{}x" instead of space while executing "foreach header [ XXXXX ] { }"
or
TCL error: unmatched open quote in list while executing "foreach header [ XXXXX ] {}"
Here XXXXX is a command returning an array of HTTP headers, as parsed by the system. Sorry for obfuscating the real command, I hope you understand I don't want to make too many details public before the vendor is informed about the issue (if it turns out to be an issue).
TCL code producing the error is very simple:
foreach header [ XXXXX ] { }
As far as I can tell, HTTP parsing is done outside of TCL and parsed values made accessible to TCL via custom commands (possibly implemented as TCL extension).
So my questions are:
-
Are these error tell-tale signs of security problems with the system, such as insufficient user input validation?
-
If yes, can this condition be exploited to execute arbitrary TCL statements by sending the system specially crafted request, a kind of code injection attack?
-
Are there any "Secure TCL coding practices" document? I could not find any.
发布评论
评论(1)
您在 comp.lang.tcl 上提出了这个问题,我在其中回复:
它们表明解析代码中存在问题。我猜想
该代码假设它可以假设标头是格式良好的
Tcl 列表,您发现它完全不安全。消毒是为了
使用类似这样的内容:
生成的单词集合保证是一个格式良好的
列表,用于任意输入字符串。
可能不会,除非您将该列表视为代码。
最简单的方法是在安全解释器中进行解析:
请注意,我们还保证构造的列表(例如,那些不在
list以及除此之外的许多其他命令)都是 eval-safe。也就是说:完全等于:
无论这些变量中的内容是什么,都是如此。
You asked this on comp.lang.tcl where I replied with:
They're an indication of problems in the parsing code. I'd guess that
the code is assuming that it can assume that a header is a well-formed
Tcl list, which you've found to be wholly unsafe. Sanitization is to
use something like this:
The resulting collection of words is guaranteed to be a well-formed
list, for an arbitrary input string.
Probably not, not unless you then treat that list as code.
The simplest method is to do the parsing in a Safe Interpreter:
Note that we also guarantee that constructed lists (e.g., those out of
list, and many other commands besides) are eval-safe. That is:is exactly the same as:
This is true whatever is in those variables.