Ruby: port js/hardcoded-data-interpreted-as-code#9896
Conversation
|
QHelp previews: ruby/ql/src/queries/security/cwe-506/HardcodedDataInterpretedAsCode.qhelpHard-coded data interpreted as codeInterpreting hard-coded data (such as string literals containing hexadecimal numbers) as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools. RecommendationExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety. ExampleAs an example of malicious code using this obfuscation technique, consider the following simplified Ruby version of a snippet of backdoor code that was discovered in a dependency of the popular JavaScript def e(r)
[r].pack 'H*'
end
# BAD: hexadecimal constant decoded and interpreted as import path
require e("2e2f746573742f64617461")While this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported. References
|
885b525 to
6356b20
Compare
|
Should this query flag up https://github.com/hahwul/mad-metasploit/blob/master/archive/exploits/windows/local/17177.rb#L97 ? The file is truncated, see the bottom of the file at https://raw.githubusercontent.com/hahwul/mad-metasploit/master/archive/exploits/windows/local/17177.rb. |
|
That's a useful example. The query won't flag that, for a few reasons:
I should at least fix 1. |
alexrford
left a comment
There was a problem hiding this comment.
LGTM overall - I agree that it would be good to extend the DefaultSource to cover sequences of arbitrary character codes as in the metasploit example.
No description provided.