Skip to content

Latest commit

 

History

History

SystemSan

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 

System Sanitizers

We use ptrace to instrument system calls made by the target program to detect various vulnerabilities.

Command injection

This detector currently works by

  • Checking if execve is called with /tmp/tripwire (which comes from our dictionary).
  • Checking if execve is invoking a shell with invalid syntax. This is likely caused by our input.

Arbitrary file open

TODO: documentation.

Proof of concept

Cleanup

Note this will delete /tmp/tripwire if it exists.

make clean

Run test

Note this will overwrite /tmp/tripwire if it exists.

make test

Look for one of the following lines:

===BUG DETECTED: Shell injection===

which indicates the detection of executing the planted /tmp/tripwire.

===BUG DETECTED: Shell corruption===

which indicates the detection of executing a syntactic erroneous command.

Command injection PoC in Python with pytorch-lightning

With SystemSan, Artheris can detect a shell injection bug in version v1.5.10 of pytorch-lightning.

make pytorch-lightning-1.5.10

Command injection PoC in JavaScript with shell-quote

With SystemSan, Jsfuzz can detect a shell corrpution bug in the latest version (v1.7.3) of shell-quote without any seed.

make node-shell-quote-v1.7.3

This is based on a shell injection exploit report of version v1.7.2 of shell-quote. SystemSan can also discover the same shell injection bug with a corpus file containing:

`:`/tmp/tripwire``:`

Trophies