One of the methods for finding vulnerabilities in software is using source code analyzers. In this post I want to talk about one of them, namely about RATS (Rough Auditing Tool for Security). The references to RATS were met more than once in respected sources, namely,
here ,
here and
here . However, there was no real use case anywhere.
And so, RATS was created by Fortify, designed to find errors in code written in C / C ++, Perl, Ruby, PHP and Python, and, importantly, is distributed free of charge. We should not expect any special miracles from this utility, however, we will find a place to use the “risky” functions.
Installation
Let's start with the installation of RATS, then an example for the Debian OS (wheezy), the RATS package can be found
here . Download the
wget package
ftp.us.debian.org/debian/pool/main/r/rats/rats_2.3-1_amd64.deb and install
sudo dpkg –i /path/pack.deb.Check if everything is installed correctly, for this we type
rats in the console:
$ rats
Entries in perl database: 33
Entries in ruby ​​database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Total lines analyzed: 0
Total time 0.000010 seconds
0 lines per secondHere we see how many patterns of typical errors are contained in the RATS database (version 2.3-1).
Example 1
Now let's try out RATS "in battle". To do this, we will write a code that contains the classic buffer overflow error and save it in the vuln_code1.c file:
')
#include <string.h> int main (int argc, char **argv) { char buffer[10]; strcpy(buffer, argv[1]); }
Now we will show this RATS file:
$ rats vuln_code1.cAnalyzing vuln_code1.c
vuln_code1.c: 4: High: fixed size local buffer
Extra care should be taken to ensure that character
on the stack are used. They are prime targets for buffer overflow
attacks.
vuln_code1.c: 5: High: strcpy
Call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000154 seconds
45454 lines per secondRATS tells us about two errors, and both of them assign a high (high) level of danger.
The first "
fixed size local buffer " is the use of a fixed buffer size in line 4 -
char buffer [10].The second “
buffer overflow ” is the buffer overflow in line 5 - when using the
strcpy () function. If instead of the function
strcpy () use
gets () , then the RATS message will look like this:
vuln_code1.c: 5: High: gets
Gets is unsafe !!! No bounds checking is not overflowable by user. Use fgets (buf, size, stdin) insteadExample 2
Let's check how RATS reacts to code containing a format string vulnerability. To do this, we write a defective code, the printf function gets an input string, according to which the function expects two arguments to be pushed onto the stack if this program is run with the specifiers "% x % x "as a parameter, you can see the contents of 4 bytes of the stack.
#include <stdio.h> int main(int arg, char* argv[ ]) { if(argc > 1) printf(argv[1]); return 0; }
RATS saw the error and reported:
vuln_code3.c: 5: High: printf
Check it out.
this function call doesn’t come from an untrusted source
prepared to handle.Example 3
In this example, we use code containing a buffer overflow error when interacting with environment variables:
#include <stdlib.h> int main(int argc, char *argv[ ]) { char *env; char buf[100]; env = getenv("PATH"); if ( env == NULL ) { return 0; } sprintf(buf, "%s", env); return 0; }
Here RATS found 3 errors:
vuln_code4.c: 5: High: fixed size local buffer
Extra care should be taken to ensure that character
on the stack are used. They are prime targets for buffer overflow
attacks.
vuln_code4.c: 6: High: getenv
Environment variables are highly untrustable input. They may be of any length,
and contain any data. Do not make any assumptions regarding content or length.
It is necessary to sanitize them and truncate
them to a reasonable length.Since environment variables can be any length, we should carefully check how long the buffer we allocate to work with them.
vuln_code4.c: 8: High: sprintf
Check it out.
call that didn’t come formatted
characters that the code is not prepared to handle. Additionally, the format
couldn’t result in a buffer
overflow.Example 4
Let's see how things are with other programming languages, and test RATS on a vulnerable perl script:
open(f,$filename); while(<f>) { print; }
if at the input of such a script to submit "| command", then the command will be executed. There is such a vulnerability in the RATS database, he advises us to carefully analyze the input data when using the open () function:
test9.pl:1: Medium: open
If you are still being set up Strings should not be checked for the backtracking / relative path of the components. It is also important to make sure that the path is completed.Features of use
- as a scanned object, you can set the directory containing the source code, RATS will independently find and check all attached files
- the -l flag allows you to force the source language to be checked
- the -noheader flag allows to disable the display of the information header
- the -h flag displays a list and description of other flags
Conclusion
Over the years, RATS should not be considered as a comprehensive vulnerability analyzer for serious projects, but it is quite suitable as an educational option for identifying and understanding textbook errors.
Links
Learn more about buffer overflow vulnerabilities:
www.securitylab.ru/contest/212095.phpA good but challenging book about analyzing and finding software vulnerabilities:
www.ozon.ru/context/detail/id/5238324Article about security in cgi-scripts:
www.getinfo.ru/article358.html