SoftwareSecurity2013/Group 6/ScanStats


Results Within Scope

Captcha Randomness

The captcha extension uses mt_rand() heavily to decide which symbols to place inside the captchas. The name of the captcha image file is derived from a hash of the captcha's contents combined with some random numbers. While the use of a PRNG that is not of cryptographic quality would certainly make it easier to predict those random numbers, an attacker would still have to guess the possible contents of the captcha as well in order to find a hash pre-image and so defeat the captcha.

Without a formal analysis it is difficult to say how unpredictable the captchas are, but there is likely sufficient entropy that successful guessing would be rare enough for manual removal of the resulting spam not to be a significant burden. We mark them as Irrelevant. (Erik: I agree with your analysis here. I don't see that a cryptographically strong random number generator would be needed for producing captchas)

wfGenerateToken deprecated

This function uses non-cryptographic random numbers to generate a token that protects a session, which is a semi-cryptographic use. It is listed as deprecated, so it would be useful to know whether any code still uses it. As it happens, RATS is extremely good at this type of query, and it tells us that the function is not used anywhere in the PHP code base. It should be safe to remove at any time.

Most Randomness False Positives

The non-cryptographic PRNG functions used in MediaWiki mostly serve scheduling, load-balancing and other functions that require work to happen on a fairly predictable, periodic basis. One application was to randomly sample session information.

JavaScript

JavaScript is complicated to analyze because of its event-oriented nature; we are saving a couple of these findings for further analysis.

MD5 and SHA1

The popular ignorance surrounding the MD5 and SHA-1 collisions is unfortunate. While MD5 has come under very successful attack in recent years, that success was in undermining its collision resistance, not its pre-image resistance. We exclude any use of MD5 that depends on pre-image resistance, which to our knowledge remains intact. That accounts for all of the "Weak Cryptographic Hash" messages. (Erik: Good point! Too many people think that all uses of MD5 are insecure)

Cryptographic Algorithms

Notably absent are messages about the use of weak encryption schemes. This is a positive sign.

Tool Comparison

Verified / False Positives

  • COUNT (Verified Positive)
  • COUNT (False Positive)
  • False Positive Rate
  • Verified Positive
  • COUNT (Positive, but OK)

Common Results

When using multiple tools to approach a problem, it is natural to compare the results to see what, if anything, they agree on. In our case we used two Fortify runs with different methods of input, plus RATS.

Command Injection

It could be called either way: they could all be called false positives because of the context in which the server runs, or real positives because they point out something that could be improved. RATS caught them because it flags every external program execution unconditionally. Fortify is a bit more intelligent about it, but still flags them even in the presence of a valid mitigation. We chose to call them positives.

The PATH dependency argument is correct, but in the setting in which the server runs, a user cannot manipulate the PATH of the scripts that are run by the web server. A user can manipulate the PATH for the interactive scripts, but since those execute as the calling user, manipulating their behavior does not escalate a local user's privileges.

While these are technically positives and the code could be improved, they are not exploitable because of the particular way in which the application is likely to be deployed. A common solution to this class of vulnerability is to set the search path environment variable to a known safe value, as is commonly done in set-uid shell scripts on UNIX systems. The Fortify scanner does not detect that the search path is no longer tainted when this technique is applied, and only relents when the shell command begins with a "/" character.
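The mitigation just described, as an added example that is not MediaWiki's, Fortify's or RATS's code: a POSIX sh helper that resolves an external program against a fixed, known-safe search path and runs it with a clean environment, so a PATH inherited from the caller cannot change which binary is executed. The SAFE_PATH value and the helper names resolve_safe and run_safe are assumptions; the naive form they replace is simply invoking the bare program name and letting the shell search the caller's PATH.

```sh
#!/bin/sh
# Added example: resolve and run an external program against a fixed search
# path instead of the PATH inherited from the caller. SAFE_PATH is an assumed
# value; adjust it to where the deployment actually keeps its helper programs.
SAFE_PATH=/usr/local/bin:/usr/bin:/bin

# resolve_safe NAME
# Print the absolute path of NAME found under SAFE_PATH; fail (status 1)
# otherwise. Only a bare program name is accepted: no directory components and
# no shell metacharacters, so a caller cannot smuggle in a path or a second
# command through the name.
resolve_safe() {
    name=$1
    case $name in
        ''|*/*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $SAFE_PATH; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# run_safe NAME [ARG...]
# Run NAME via resolve_safe with an environment that contains only SAFE_PATH,
# so neither PATH nor any other inherited variable influences what executes.
# Arguments are passed as separate words and never re-parsed by a shell.
run_safe() {
    prog=$(resolve_safe "$1") || return 127
    shift
    env -i PATH="$SAFE_PATH" "$prog" "$@"
}
```

Because the resolved path always begins with "/", this is also the form that the scanner, as noted above, stops flagging.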

Functions

The "Code Injection" vulnerability is called out against line 2804 of GlobalFunctions.php because the function there is eventually called with information from an environment variable. This is ridiculous: it would be like calling the unlink() library function incorrect because some program linked against libc calls unlink() with tainted data. In this case, the program calling it is a utility that is executed from the command line, with the privileges of the executing user. This is a false positive and possibly a bug in the scanner.

Filename | Line Number | Status | Notes
--- | --- | --- | ---
includes/GlobalFunctions.php | 2804 | False Positive | Part of a function used to execute shell commands.
includes/GlobalFunctions.php | 2906 | Positive | External program invocation: user-supplied parameters escaped, path to executable is not defined.
includes/GlobalFunctions.php | 2918 | Positive | External program invocation: user-supplied parameters escaped, path to executable is not defined.
includes/GlobalFunctions.php | 2980 | False Positive | A function is being blamed because it is called with what appears to be tainted data.
includes/MimeMagic.php | 882 | Positive | External program invocation: user-supplied parameters escaped, path to executable is not defined.
maintenance/fuzz-tester.php | 2426 | Positive | Function tidyCheckFile() does not check one of its parameters. This PHP file is not executable by default, and the file passed to the tidy command (which checks whether HTML is valid) is constructed without any user-provided data. Fortify automatically marks anything executed without a full path as suspect because it assumes that the PATH variable can be manipulated. In the case of PHP running under a web server, it cannot.
maintenance/mwdocgen.php | 152 | Positive | No full path.
maintenance/mwdocgen.php | 287 | Positive | No full path.
maintenance/populateImageSha1.php | 101 | Positive | No full path.
maintenance/proxy_check.php | 45 | Positive | No full path.
maintenance/storage/checkStorage.php | 412 | Positive | No full path.


Scanner Statistics

Overall Percentages

Scanner | False Positives | Irrelevant | Positive | Unknown | Total (count)
--- | --- | --- | --- | --- | ---
Fortify Scan 1 | 96.56% | 3.27% | 0.15% | 0.02% | 8275
Fortify Scan 2 | 96.27% | 3.57% | 0.14% | 0.02% | 8300
RATS | 2.61% | 88.24% | 3.92% | 5.23% | 153

Fortify Scan #1

Type | False Positives | Irrelevant | Positive | Unknown | Total
--- | --- | --- | --- | --- | ---
Password Management | 7883 | 34 | 0 | 0 | 7917
Weak Cryptographic Hash | 87 | 23 | 0 | 0 | 110
Insecure Randomness | 0 | 88 | 4 | 2 | 94
System Information Leak | 1 | 29 | 0 | 0 | 30
Command Injection | 0 | 17 | 6 | 0 | 23
Possible Variable Overwrite | 0 | 15 | 0 | 0 | 15
Cookie Security | 0 | 14 | 0 | 0 | 14
Cross-Site Request Forgery | 0 | 12 | 0 | 0 | 12
Dangerous File Inclusion | 10 | 2 | 0 | 0 | 12
JavaScript Hijacking | 0 | 9 | 1 | 0 | 10
Cross-Site Scripting | 0 | 8 | 0 | 0 | 8
SQL Injection | 7 | 0 | 0 | 0 | 7
Hidden Field | 0 | 6 | 0 | 0 | 6
PHP Misconfiguration | 1 | 3 | 0 | 0 | 4
Path Manipulation | 0 | 4 | 0 | 0 | 4
Privilege Management | 0 | 4 | 0 | 0 | 4
Dynamic Code Evaluation | 0 | 1 | 1 | 0 | 2
Code Correctness | 1 | 0 | 0 | 0 | 1
Header Manipulation | 0 | 1 | 0 | 0 | 1
Privacy Violation | 0 | 1 | 0 | 0 | 1
Totals | 7990 | 271 | 12 | 2 | 8275

Fortify Scan #2

Type | False Positives | Irrelevant | Positive | Unknown | Total
--- | --- | --- | --- | --- | ---
Password Management | 7884 | 34 | 0 | 0 | 7918
Weak Cryptographic Hash | 87 | 23 | 0 | 0 | 110
Insecure Randomness | 0 | 88 | 4 | 2 | 94
System Information Leak | 1 | 29 | 0 | 0 | 30
Dangerous File Inclusion | 10 | 18 | 0 | 0 | 28
Command Injection | 0 | 18 | 6 | 0 | 24
Possible Variable Overwrite | 0 | 15 | 0 | 0 | 15
Cookie Security | 0 | 13 | 0 | 0 | 13
Cross-Site Request Forgery | 0 | 12 | 0 | 0 | 12
Cross-Site Scripting | 0 | 11 | 0 | 0 | 11
SQL Injection | 7 | 4 | 0 | 0 | 11
JavaScript Hijacking | 0 | 9 | 1 | 0 | 10
Hidden Field | 0 | 6 | 0 | 0 | 6
Path Manipulation | 0 | 5 | 0 | 0 | 5
Privilege Management | 0 | 4 | 0 | 0 | 4
Dynamic Code Evaluation | 0 | 1 | 1 | 0 | 2
Header Manipulation | 0 | 2 | 0 | 0 | 2
Resource Injection | 0 | 2 | 0 | 0 | 2
Code Correctness | 1 | 0 | 0 | 0 | 1
Open Redirect | 0 | 1 | 0 | 0 | 1
Privacy Violation | 0 | 1 | 0 | 0 | 1
Totals | 7990 | 296 | 12 | 2 | 8300

RATS

These "vulnerabilities" are nothing more than a list of functions that the RATS authors have concluded are bad to use. The idea is apparently that an auditor should look at every instance of a dangerous function and determine whether or not it is used properly.

Function | False Positives | Irrelevant | Positive | Unknown | Total
--- | --- | --- | --- | --- | ---
fopen | 0 | 69 | 0 | 0 | 69
compile | 3 | 19 | 0 | 0 | 22
is_dir | 0 | 12 | 0 | 0 | 12
is_file | 0 | 8 | 0 | 0 | 8
Backtick | 0 | 3 | 3 | 0 | 6
fsockopen | 0 | 4 | 0 | 1 | 5
popen | 0 | 4 | 1 | 0 | 5
uniform | 0 | 0 | 0 | 4 | 4
passthru | 0 | 1 | 2 | 0 | 3
eval | 0 | 2 | 0 | 0 | 2
gzopen | 0 | 2 | 0 | 0 | 2
is_readable | 0 | 2 | 0 | 0 | 2
is_writable | 0 | 2 | 0 | 0 | 2
mail | 0 | 2 | 0 | 0 | 2
randint | 0 | 0 | 0 | 2 | 2
stat | 0 | 2 | 0 | 0 | 2
chdir | 0 | 1 | 0 | 0 | 1
is_link | 0 | 1 | 0 | 0 | 1
pfsockopen | 0 | 1 | 0 | 0 | 1
randrange | 0 | 0 | 0 | 1 | 1
system | 1 | 0 | 0 | 0 | 1
Totals | 4 | 135 | 6 | 8 | 153