cIFrex: How to use Regular Expressions in Research
From: Maksymilian Arciemowicz <cxib () cxsecurity com>
Date: Tue, 01 May 2012 12:06:38 +0200
cIFrex is a small script written in PHP which supports searching for
bugs during source code analysis. Using a database of filters based on
regular expressions, you can quickly locate the code in which the
probability of failure is high. You just need to have the source code
on a computer with access to cIFrex in order to fully benefit from the
possibilities of the new methodology.
Since 2010, cIFrex has been used in my private research. Creating new
filters, I have discovered a lot of bugs like Resource Exhaustion in
libc, apache or vsftpd. The problem with recursion was very easy to
locate. In vsftpd and libc, the PoC contained the '*' character.
/* Collapse multiple stars. */
while (c == '*')
/* Any incoming string left means no match unless we ended on the correct
 * type of wildcard.
 */
if (str_getlen(&name_remain_str) > 0 && last_token != '*')
Many stars were used in the PoC demonstrations for apache and vsftpd.
Intuitively, where there is a '*' character, there is also recursion.
Recursion in fnmatch() and vsf_filename_passes_filter(), can be
V1: (?:int |char |^)(?<v1>\w+)\(.*
To see all files where '*' was used, use the T2 pattern.
As a result, we retrieve a list of probably vulnerable files. But you
need more luck and good intuition.
Remember that cIFrex:
- only helps to search for the bugs
- the search results do not guarantee the appearance of the
- the more exact the regular expression, the higher the probability
that vulnerabilities appear in the results
cIFrex may be used to catch bugs not only in the C language. Using a filter like:
we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or
SQL Injection (CWE-89) using:
V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
List of filters
cIFrex filters are based on regular expressions, each describing a given
kind of mistake together with its CWE identifier
Download the latest stable version of the code:
CVE Full Map
More about project
Maksymilian Arciemowicz (CXSecurity.com)
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx) <max () cxib net>
sub 4096R/58BA663C 2010-09-19
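
The V1 filter quoted above for SQL Injection (CWE-89), run over a few lines of PHP, as an added example that is not part of the original post and is not cIFrex code. The second stage (the SINK pattern and the idea of looking for the captured v1 name in a query call), the scan() function and the sample lines are assumptions constructed for illustration.

```javascript
// V1 is copied verbatim from the post; everything else is an assumption.
const V1 = /\$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]/;
// Hypothetical sink pattern: calls that send a string to the database.
const SINK = /\b(?:mysql_query|mysqli_query)\s*\(/;

// Constructed sample input (PHP source treated as plain text).
const SAMPLE = [
  '<?php',
  '$id = $_GET["id"];',
  '$page = intval($_GET["page"]);', // cast to int, still matched by V1
  '$name=$_POST["name"];',          // no space before "=", missed by V1
  '$res = mysql_query("SELECT * FROM users WHERE id = " . $id);',
  '$res2 = mysql_query("SELECT * FROM posts LIMIT " . $page);',
  'echo "hello";',
].join('\n');

// Stage 1: remember every variable V1 sees assigned from request input.
// Stage 2: report sink lines that mention one of those variables.
function scan(source) {
  const tainted = new Map(); // variable name -> { line, key }
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    const m = V1.exec(text);
    if (m) {
      tainted.set(m.groups.v1, { line, key: m.groups.v2 });
      return;
    }
    if (!SINK.test(text)) return;
    for (const [name, src] of tainted) {
      // \b keeps $id from matching inside a longer name such as $idx
      if (new RegExp('\\$' + name + '\\b').test(text)) {
        findings.push({ variable: name, assignedAt: src.line, usedAt: line });
      }
    }
  });
  return { tainted: [...tainted.keys()], findings };
}

console.log(JSON.stringify(scan(SAMPLE), null, 2));
```

The run reports both `$id` and `$page`, although `$page` passes through `intval()`, and it never sees `$name` because the filter expects a space before `=`. Each hit is a place to read the code, not a confirmed bug.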
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/