RATS Source Code Analyzer
One of the methods for finding vulnerabilities in software is the use of source analyzers. In this post I want to talk about one of them, namely, RATS (Rough Auditing Tool for Security). Mention of RATS met more than once in respected sources, namely here , here and here . However, there was no real example of use anywhere.
And so, RATS was created by Fortify, designed to find bugs in code written in C / C ++, Perl, Ruby, PHP and Python, and, importantly, is distributed free of charge. You should not expect special miracles from this utility, however, we will find a place to use "risky" functions.
Let's start by installing RATS, then an example for the Debian OS (wheezy), the RATS package can be taken here . Download the wget deb package ftp.us.debian.org/debian/pool/main/r/rats/rats_2.3-1_amd64.deb and install sudo dpkg –i / path / package.deb.
Check if everything is installed correctly, for this in the console we type rats :
$ rats
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Total lines analyzed: 0
Total time 0.000010 seconds
0 lines per second
Here we see how many typical error patterns are contained in the RATS database (version 2.3-1).
Now let's try the RATS “in battle”. To do this, we write a code that obviously contains a classic buffer overflow error and save it to the vuln_code1.c file:
Now let's show this RATS file: $ rats vuln_code1.c
Analyzing vuln_code1.c
vuln_code1.c: 4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
vuln_code1.c: 5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000154 seconds
45454 lines per second
RATS tells us about two errors, with both of them assigning a high level of danger.
The first is “ fixed size local buffer"- using a fixed buffer size in line 4 - char buffer [10].
The second “ buffer overflow ” is the buffer overflow on line 5 — when using the strcpy () function . If you use gets () instead of the strcpy () function , the RATS message will look like this: vuln_code1.c: 5: High: gets Gets is unsafe !!! No bounds checking is performed, buffer is easily overflowable by user. Use fgets (buf, size, stdin) instead
We’ll check how RATS reacts to code that contains format string vulnerabilities. To do this, we write defective code, the printf function receives an input string, according to which the function expects two arguments to be put on the stack before it is called if the program is started with the specifiers "% x % x "as a parameter, you can see the contents of 4 bytes of the stack.
RATS saw the error and reported:
vuln_code3.c: 5: High: printf
Check to be sure that the non-constant format string passed as argument 1 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.
In this example, we use code containing a buffer overflow error when interacting with environment variables:
Here the RATS found 3 errors:
vuln_code4.c: 5: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
vuln_code4.c: 6: High: getenv
Environment variables are highly untrustable input. They may be of any length,
and contain any data. Do not make any assumptions regarding content or length.
If at all possible avoid using them, and if it is necessary, sanitize them and truncate
them to a reasonable length.
Since environment variables can be of any length, we should carefully check how long the buffer we allocate to work with them.
vuln_code4.c: 8: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `% s' without precision that could result in a buffer
overflow.
Let's see how things are with other programming languages, and test RATS on a vulnerable perl script:
if you enter “| command” to the input of such a script, the command will be executed. There is such a vulnerability in the RATS database, he advises us to carefully analyze the input data when using the open () function:
test9.pl:1: Medium: open
The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking / relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed.
Over the years, it is not worth considering RATS as a comprehensive analyzer of vulnerabilities in serious projects, however, it is quite suitable as a training option for identifying and understanding textbook errors.
More information about buffer overflow vulnerabilities: www.securitylab.ru/contest/212095.php
A good but complicated book about analyzing and searching for vulnerabilities in software: www.ozon.ru/context/detail/id/5238324
An article about security in cgi- scripts: www.getinfo.ru/article358.html
And so, RATS was created by Fortify, designed to find bugs in code written in C / C ++, Perl, Ruby, PHP and Python, and, importantly, is distributed free of charge. You should not expect special miracles from this utility, however, we will find a place to use "risky" functions.
Installation
Let's start by installing RATS, then an example for the Debian OS (wheezy), the RATS package can be taken here . Download the wget deb package ftp.us.debian.org/debian/pool/main/r/rats/rats_2.3-1_amd64.deb and install sudo dpkg –i / path / package.deb.
Check if everything is installed correctly, for this in the console we type rats :
$ rats
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Total lines analyzed: 0
Total time 0.000010 seconds
0 lines per second
Here we see how many typical error patterns are contained in the RATS database (version 2.3-1).
Example 1
Now let's try the RATS “in battle”. To do this, we write a code that obviously contains a classic buffer overflow error and save it to the vuln_code1.c file:
#include
int main (int argc, char **argv)
{
char buffer[10];
strcpy(buffer, argv[1]);
}
Now let's show this RATS file: $ rats vuln_code1.c
Analyzing vuln_code1.c
vuln_code1.c: 4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
vuln_code1.c: 5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000154 seconds
45454 lines per second
RATS tells us about two errors, with both of them assigning a high level of danger.
The first is “ fixed size local buffer"- using a fixed buffer size in line 4 - char buffer [10].
The second “ buffer overflow ” is the buffer overflow on line 5 — when using the strcpy () function . If you use gets () instead of the strcpy () function , the RATS message will look like this: vuln_code1.c: 5: High: gets Gets is unsafe !!! No bounds checking is performed, buffer is easily overflowable by user. Use fgets (buf, size, stdin) instead
Example 2
We’ll check how RATS reacts to code that contains format string vulnerabilities. To do this, we write defective code, the printf function receives an input string, according to which the function expects two arguments to be put on the stack before it is called if the program is started with the specifiers "% x % x "as a parameter, you can see the contents of 4 bytes of the stack.
#include
int main(int argс, char* argv[ ])
{
if(argc > 1)
printf(argv[1]);
return 0;
}
RATS saw the error and reported:
vuln_code3.c: 5: High: printf
Check to be sure that the non-constant format string passed as argument 1 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.
Example 3
In this example, we use code containing a buffer overflow error when interacting with environment variables:
#include
int main(int argc, char *argv[ ])
{
char *env;
char buf[100];
env = getenv("PATH");
if ( env == NULL ) { return 0; }
sprintf(buf, "%s", env);
return 0;
}
Here the RATS found 3 errors:
vuln_code4.c: 5: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
vuln_code4.c: 6: High: getenv
Environment variables are highly untrustable input. They may be of any length,
and contain any data. Do not make any assumptions regarding content or length.
If at all possible avoid using them, and if it is necessary, sanitize them and truncate
them to a reasonable length.
Since environment variables can be of any length, we should carefully check how long the buffer we allocate to work with them.
vuln_code4.c: 8: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `% s' without precision that could result in a buffer
overflow.
Example 4
Let's see how things are with other programming languages, and test RATS on a vulnerable perl script:
open(f,$filename);
while()
{
print;
}
if you enter “| command” to the input of such a script, the command will be executed. There is such a vulnerability in the RATS database, he advises us to carefully analyze the input data when using the open () function:
test9.pl:1: Medium: open
The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking / relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed.
Features of use
- as a checked object, you can specify a directory containing the source texts, RATS will independently find and check all attached files
- the -l flag allows you to force the language of the source being checked
- the -noheader flag allows you to disable the display of the information header
- the -h flag displays a list and description of other flags
Conclusion
Over the years, it is not worth considering RATS as a comprehensive analyzer of vulnerabilities in serious projects, however, it is quite suitable as a training option for identifying and understanding textbook errors.
References
More information about buffer overflow vulnerabilities: www.securitylab.ru/contest/212095.php
A good but complicated book about analyzing and searching for vulnerabilities in software: www.ozon.ru/context/detail/id/5238324
An article about security in cgi- scripts: www.getinfo.ru/article358.html