
Ruby: port js/hardcoded-data-interpreted-as-code

Open nickrolfe opened this issue 2 years ago • 3 comments

nickrolfe avatar Jul 26 '22 14:07 nickrolfe

QHelp previews:

ruby/ql/src/queries/security/cwe-506/HardcodedDataInterpretedAsCode.qhelp

Hard-coded data interpreted as code

Interpreting hard-coded data (such as string literals containing hexadecimal numbers) as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.

Recommendation

Examine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.

Example

As an example of malicious code using this obfuscation technique, consider the following simplified Ruby version of a snippet of backdoor code that was discovered in a dependency of the popular JavaScript event-stream npm package:

def e(r)
  [r].pack 'H*'
end

# BAD: hexadecimal constant decoded and interpreted as import path
require e("2e2f746573742f64617461")

While this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.

References

github-actions[bot] avatar Jul 26 '22 14:07 github-actions[bot]
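As an added example (not the CodeQL query or any code from the project), the following Ruby script is a line-based heuristic version of the source/sink pattern the QHelp describes: a quoted string of at least 16 hex digits (an assumed stand-in for the query's Source regexp) that reaches require or eval on the same line, or via a local assigned on an earlier line. The sample source it scans is constructed for this example; the threshold, sink list and helper names are assumptions, and flow through helper methods like the QHelp's e is only caught when literal and sink share a line.

```ruby
# Added example (not CodeQL's own query): a line-based heuristic version of the
# source/sink idea in the QHelp. Source = quoted string of >= 16 hex digits;
# sink = a call that interprets its argument as code or as an import path.
HEX_LITERAL = /["']((?:[0-9a-fA-F]{2}){8,})["']/
CODE_SINKS  = /\b(require_relative|require|load|eval|instance_eval|class_eval)\b/

# Decode the literal the way the backdoor's helper does, so a triager can see
# what name or code the hex actually hides.
def decode_hex(hex)
  [hex].pack('H*')
end

# Flag a hex literal that reaches a sink on the same line, or that is assigned
# to a local which a later line passes to a sink. Comment lines are skipped.
def find_hardcoded_data_as_code(source)
  findings = []
  tainted = {} # local name => hex literal assigned to it
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')
    sink = (m = CODE_SINKS.match(line)) && m[1]
    hex  = (m = HEX_LITERAL.match(line)) && m[1]
    report = ->(h) { findings << { line: lineno, sink: sink, hex: h, decoded: decode_hex(h) } }
    if hex && sink
      report.call(hex)
    elsif hex && (asg = line.match(/\A\s*(\w+)\s*=[^=]/))
      tainted[asg[1]] = hex
    elsif sink
      tainted.each { |name, h| report.call(h) if line =~ /\b#{name}\b/ }
    end
  end
  findings
end

# Constructed sample: the QHelp snippet, an eval variant, and two benign lines.
SAMPLE = <<~RUBY
  def e(r)
    [r].pack 'H*'
  end
  require e("2e2f746573742f64617461")   # BAD: decoded hex used as import path
  payload = "70757473202748656c6c6f27"
  eval [payload].pack('H*')               # BAD: decoded hex evaluated
  require "json"                          # OK: plain import
  sha = "deadbeef"                        # OK: too short to count as a source
RUBY

find_hardcoded_data_as_code(SAMPLE).each do |f|
  puts "line #{f[:line]}: #{f[:sink]} on hex decoding to #{f[:decoded].inspect}"
end
```

Decoding the flagged literal is the triage step the QHelp recommends: here the first one resolves to the import path "./test/data", which is exactly the detail the obfuscation was hiding.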

Should this query flag up https://github.com/hahwul/mad-metasploit/blob/master/archive/exploits/windows/local/17177.rb#L97 ? The file is truncated, see the bottom of the file at https://raw.githubusercontent.com/hahwul/mad-metasploit/master/archive/exploits/windows/local/17177.rb.

aibaars avatar Jul 28 '22 14:07 aibaars

That's a useful example. The query won't flag that, for a few reasons:

  1. The string won't be considered a Source, given the current regexp.
  2. I assume we don't model flow through the call to Zlib::Inflate.inflate.
  3. The decompressed data is not actually executed. It's just written to a file.

I should at least fix 1.

nickrolfe avatar Jul 28 '22 14:07 nickrolfe