vulns.i4d

源码漏洞检查

/*  First crack at a vulnerability database by John Viega (viega@list.org).
 *  A lot of the background work behind this stuff was done by Tom O'Connor
 *  (toc@list.org).
 *
 *
 *  WARNING:  Keep things in alphabetical order by category if you want
 *            output to alphabatize properly.
 */

// You probably don't want to change these assignments.
NO_RISK       = 0;
LOW_RISK      = 1;
MODERATE_RISK = 2;
RISKY         = 3;
VERY_RISKY    = 4;
MOST_RISKY    = 5;
FALSE         = 0;
TRUE          = 1;

// Handler enumeration.
H_DEFAULT  = 0; // This one can be omitted, but add it if you want.
H_STRCPY   = 1;
H_SPRINTF  = 2;
H_SNPRINTF = 3;
H_SCANF    = 4;
H_SSCANF   = 5;
H_TOCTOUA  = 6;
H_TOCTOUB  = 7;
H_TOCTOUC  = 8;
H_FPRINTF  = 9;
H_PRINTF   = 10;
H_SYSLOG   = 11;

// Commonly used error messages.
BO_LOW  =     "Low risk of buffer overflows.";
BO_MED  =     "At risk for buffer overflows.";
BO_HIGH =     "This function is high risk for buffer overflows";
BO_LOOP =     "Be careful not to introduce a buffer overflow when "
	      "using in a loop.";
BO_LIB  =     "Depending on the lib implementation, can be a buffer overflow "
	      "problem.";
TOCTOUA =     "Can lead to process/file interaction race conditions (TOCTOU "
	      "category A)";
TOCTOUB =     "Can lead to process/file interaction race conditions (TOCTOU "
	      "category B)";
TOCTOUC =     "Can lead to process/file interaction race conditions (TOCTOU "
	      "category C)";
TOCTOUG =     "Can lead to process/file interaction race conditions (TOCTOU "
	      "problems)";
RAND =        "Don't use rand() and friends for security-critical needs.";
EXEC =        "Many potential problems.";
INPUT_DESC =  "Check to make sure malicious input can have no ill effect.";
OPEN_DESC  =  "Can be involved in a race condition if you open things after "
	      "a poor check. "
              "For example, don't check to see if something is not a symbolic "
	      "link before opening it.  Open it, then check bt querying the "
	      "resulting object.  Don't run tests on symbolic file names...";
FORMAT_DESC = "Non-constant format strings can often be attacked.";

// Common solutions
TOCTOU_SOL     = "Manipulate file descriptors, not symbolic names, when "
	         "possible.";
BO_MAXLEN_SOL  = "Make sure that your buffer is really big enough to handle "
	         "a max len string.";
RAND_SOL       = "Use better sources of randomness, like /dev/random (linux) "
	         "or Yarrow (windows).";
EXEC_SOL       = "Close all fds, clean the environment, set the umask to "
	 	 "something good, and reset uids before calling.";
BO_LOOP_SOL    = "Make sure to check your buffer boundries.";
BO_LIB_SOL     = "Truncate all str inputs to a reasonable size before "
		 "calling this.";
SCANF_SOL      = "Use precision specifiers, or do your own parsing.";
INPUT_SOL      = "Carefully check all inputs.";
OPEN_SOL       = "Perform all checks AFTER the open, and based on the "
	         "returned object, not a symbolic name.";
FORMAT_SOL     = "Use a constant format string.";

// Begin function data declarations

FUNC access {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC acct {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC au_to_path {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC basename {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC bcopy {
desc = BO_MED,
solution = BO_MAXLEN_SOL,
risk = MODERATE_RISK
}
FUNC bind {
desc = "potential race condition with access, according to cert.  Also, bind(s, INADDR_ANY, ) followed by setsockopt(s, SOL_SOCKET, SO_REUSEADDR) leads to potential packet stealing vuln",
solution = "Be careful.",
risk = LOW_RISK
}
FUNC catopen {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC chdir {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC chgrp {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC chmod {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC chown {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC chroot {
desc = "Don't forget to chdir() first!  Also, can lead to process/file interaction race conditions (TOCTOU category A)",
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC copylist {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC creat {
desc = TOCTOUB,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC cuserid {
desc = "According to the man page, don't use it.",
solution = "Should use getpwuid(geteuid()) instead.",
risk = VERY_RISKY
}
FUNC db_initialize {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC dbm_open {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY
}
FUNC dbminit {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC dirname {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC dlopen {
desc = "Can lead to race conditions.  Attacker might be able to replace your DLL with his own.",
solution = "Do sufficient sanity checking, but watch out for TOCTOU stuff when you do so.",
risk = RISKY
}
FUNC drand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC erand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC execl {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC execle {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC execlp {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC exect {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC execv {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC execve {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC execvp {
desc = EXEC,
solution = EXEC_SOL,
risk = RISKY
}
FUNC fattach {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC fchmod {
desc = TOCTOUC,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUC
}
FUNC fchown {
desc = TOCTOUC,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUC
}
FUNC fdetatch {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC fdopen {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY
}
FUNC fgetc {
desc = BO_LOOP,
solution = BO_LOOP_SOL,
risk = MODERATE_RISK,
input = TRUE
}
FUNC fgets {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK,
input = TRUE
}
FUNC fopen {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC fprintf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_FPRINTF
}
FUNC fwprintf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_FPRINTF
}
FUNC fread {
desc = INPUT_DESC,
solution = INPUT_SOL,
risk = LOW_RISK,
INPUT = TRUE
}

FUNC freopen {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC fscanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SSCANF
}
FUNC fstat {
desc = TOCTOUC,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUC
}
FUNC ftok {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC ftw {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC getattr {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC getc {
desc = BO_LOOP,
solution = BO_LOOP_SOL,
risk = MODERATE_RISK,
input = TRUE
}
FUNC getchar {
desc = BO_LOOP,
solution = BO_LOOP_SOL,
risk = MODERATE_RISK,
input = TRUE
}
FUNC getenv {
desc = "Often seen in conjunction with buffer overflows, etc.",
solution = "Remember that env vars can contain arbitrary malicious input.  Test accordingly before use.",
risk = VERY_RISKY, 
input = TRUE
}
FUNC getlogin {
desc = "It is very easy to fool.",
solution = "Don't trust its output.",
risk = VERY_RISKY
}
FUNC getopt {
desc = BO_LIB,
solution = BO_LIB_SOL,
risk = MODERATE_RISK
}
FUNC getopt_long {
desc = BO_LIB,
solution = BO_LIB_SOL,
risk = MODERATE_RISK
}
FUNC getopt_long_only {
desc = BO_LIB,
solution = BO_LIB_SOL,
risk = MODERATE_RISK
}
FUNC getpass {
desc = BO_LIB,
solution = BO_LIB_SOL,
risk = RISKY
}
FUNC gets {
desc = "The input buffer can almost always be overflowed.",
solution = "Use fgets(buf,size,stdin) instead.",
risk = MOST_RISKY,
input = TRUE
}
FUNC jrand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC krb_recvauth {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC krb_set_tkt_string {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC kvm_open {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC lchown {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC link {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC lrand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC lstat {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC mbstowcs {
desc = "Internal stack allocated buffer can be overflown on some versions.",
solution = "Don't use it.",
risk = RISKY
}
FUNC memcpy {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK
}
FUNC mkdir {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC mkdirp {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC mknod {