Page 9 - Cyber Warnings
P. 9
Figure 2: CodeSonar warning of a command injection at this line. This is hidden by the macro
DEBUG3_LOG. Initial review of this error might consider this a false positive since the code
appears to be logging an error.
At first glance, this doesn’t look like a problem since all that appears to be happening is debug
logging – a simple, detect an error dump the information to the application log.
However, the DEBUG3_LOG macro is purposely obfuscated and requires further digging. In
Figure 3, we can see the definition of DEBUG3_LOG is a call to system() which executes
commands!
Figure 3: Expanding the macro DEBUG3_LOG reveals DEBUG_DOLOG_SYSTEM which in
turn, translates into a direct call to system(x) - executing whatever command is passed to it.
Why does this look like an insider attack? This vulnerability was purposely written into the code
and the macros have two levels of indirection in order to mask their real purpose. (A hacker
group claimed responsibility for this exploit and injected this into the download archive for
Unreal IRCD.)
Analyzing the Unreal IRCD vulnerability with Binary Analysis
Using CodeSonar’s binary analysis, it’s possible to detect security vulnerabilities from object,
9 Cyber Warnings E-Magazine January 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
