这些 tcl 错误是否表明代码不安全?

发布于 2024-11-03 00:08:55 字数 854 浏览 7 评论 0 原文

我正在对具有嵌入式 TCL 解释器的系统进行安全测试。该系统接收来自互联网 (HTTP) 的输入,对其进行解析并传递给可定制的 TCL 脚本。在模糊测试期间(在 HTTP 标头中发送二进制垃圾),我注意到日志中存在以下错误:

TCL 错误:执行“foreach header [ XXXXX ] { }”时,引号中的列表元素后跟“{}x”而不是空格

空格

TCL 错误:执行“foreach header [ XXXXX ] {}”时列表中出现不匹配的左引号

这里 XXXXX 是返回由系统解析的 HTTP 标头数组的命令。很抱歉混淆了真正的命令,我希望您理解,在供应商收到有关问题的通知(如果事实证明这是一个问题)之前,我不想公开太多细节。

产生错误的 TCL 代码非常简单:

foreach 标头 [ XXXXX ] { }

据我所知,HTTP 解析是在 TCL 之外完成的,解析后的值可以通过自定义命令(可能作为 TCL 扩展实现)供 TCL 访问。

所以我的问题是:

  1. 这些错误是否表明系统存在安全问题,例如用户输入验证不足?

  2. 如果是,是否可以利用此条件通过发送系统特制请求(一种 代码注入攻击

  3. 是否有“安全 TCL 编码实践”文档?我找不到任何内容。

I am doing a security test on a system having an embedded TCL interpreter. The system receives input from the Internet (HTTP), parses it and passes to customisable TCL scripts. During a fuzzing test (sending binary garbage in HTTP headers) I have noticed the following errors in the log:

TCL error: list element in quotes followed by "{}x" instead of space while executing "foreach header [ XXXXX ] { }"

or

TCL error: unmatched open quote in list while executing "foreach header [ XXXXX ] {}"

Here XXXXX is a command returning an array of HTTP headers, as parsed by the system. Sorry for obfuscating the real command, I hope you understand I don't want to make too many details public before the vendor is informed about the issue (if it turns out to be an issue).

TCL code producing the error is very simple:

foreach header [ XXXXX ] { }

As far as I can tell, HTTP parsing is done outside of TCL and parsed values made accessible to TCL via custom commands (possibly implemented as TCL extension).

So my questions are:

  1. Are these error tell-tale signs of security problems with the system, such as insufficient user input validation?

  2. If yes, can this condition be exploited to execute arbitrary TCL statements by sending the system specially crafted request, a kind of code injection attack?

  3. Are there any "Secure TCL coding practices" document? I could not find any.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

染年凉城似染瑾 2024-11-10 00:08:56

您在 comp.lang.tcl 上提出了这个问题,我在其中回复:

1) 这些错误是否表明存在安全问题
系统,例如用户输入验证不足?

它们表明解析代码中存在问题。我猜想
该代码假设它可以假设标头是格式良好的
Tcl 列表,您发现它完全不安全。消毒是为了
使用类似这样的内容:

set listOfWords [regexp -all -inline {\S+} $someString] 

生成的单词集合保证是一个格式良好的
列表,用于任意输入字符串。

2) 如果是,是否可以利用此条件执行任意 TCL
通过发送系统特制的请求来声明,一种
http://en.wikipedia.org/wiki/Code_injection 攻击?

可能不会,除非您将该列表视为代码。

3) 是否有“安全 TCL 编码实践”文档?任何其他
有关如何安全处理不可信数据的信息来源?

最简单的方法是在安全解释器中进行解析:

interp create -safe parsingInterp 
parsingInterp eval { make the procedures } 
parsingInterp eval [list doTheParse $stringToParse] 

请注意,我们还保证构造的列表(例如,那些不在
list 以及除此之外的许多其他命令)都是 eval-safe。也就是说:

eval [list $a $b $c] 

完全等于:

$a $b $c 

无论这些变量中的内容是什么,都是如此。

You asked this on comp.lang.tcl where I replied with:

1) Are these error tell-tale signs of security problems with the
system, such as insufficient user input validation?

They're an indication of problems in the parsing code. I'd guess that
the code is assuming that it can assume that a header is a well-formed
Tcl list, which you've found to be wholly unsafe. Sanitization is to
use something like this:

set listOfWords [regexp -all -inline {\S+} $someString] 

The resulting collection of words is guaranteed to be a well-formed
list, for an arbitrary input string.

2) If yes, can this condition be exploited to execute arbitrary TCL
statements by sending the system specially crafted request, a kind of
http://en.wikipedia.org/wiki/Code_injection attack?

Probably not, not unless you then treat that list as code.

3) Are there any "Secure TCL coding practices" document? Any other
source of information on how to safely handle untrusted data?

The simplest method is to do the parsing in a Safe Interpreter:

interp create -safe parsingInterp 
parsingInterp eval { make the procedures } 
parsingInterp eval [list doTheParse $stringToParse] 

Note that we also guarantee that constructed lists (e.g., those out of
list, and many other commands besides) are eval-safe. That is:

eval [list $a $b $c] 

is exactly the same as:

$a $b $c 

This is true whatever is in those variables.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文