@dmknght
Last active September 11, 2024 07:52
YARA rules to find dangerous functions and methods in various file formats. This file is meant to help researchers find sources and sinks; it is not meant to find vulnerabilities automatically.
import "elf"
import "console"

/*
To use these rules, simply run: yara <path to this rule file> <path to dir to scan> -r -p 1 -N
Explanation:
    -r: recursively search
    -p 1: run a single thread only, so the console log won't be interleaved
    -N: don't follow symlinks, which avoids duplicate results from symlinks
Suggestion: in future, running with -s could be good
*/

/*
The current version of YARA's ELF module doesn't support any sort of "is_elf" check, hence I created this module to check if a file is an ELF file.
Scope: find all dangerous methods that are imported in an ELF file. The first version focuses on C's dangerous functions. Those functions should be in the "dynsym" of the ELF module.
NOTICE1: This doesn't help find where a dangerous method is called. YARA rules don't include disassembly. Please use an X-REF table.
NOTICE2: More kinds of compiled ELF files should be supported in the future, for example Golang, Nim, ...
NOTICE3: Possible vulnerabilities involving pointers, wrong buffer lengths with safe functions (like strncpy), wrong condition operations, ... are out of scope
*/

private rule is_elf_file {
    condition:
        uint32(0) == 0x464c457f    // the bytes "\x7fELF" read as a little-endian 32-bit integer
}

// rule C_format_string {
//     meta:
//         author = "Nong Hoang Tu"
//         description = "Find functions that might cause format string vulnerabilities in C"
//         references = "https://owasp.org/www-community/attacks/Format_string_attack"
//         version = "11 / 09 (Sep) / 2024"
//         // TODO: This rule is meant to check imported functions (or symbols) rather than strings in the file. Hence a test that the rule matches on only one string is required
//         // TODO: this should be for testing only. Some of these functions are not 100% vulnerable, so it more or less causes a high false positive rate
//     condition:
//         is_elf_file and for any dyn_entry in elf.dynsym: // YARA > 4.0 supports this syntax
//         (
//             for any f_name in ("fprintf", "printf", "sprintf", "snprintf", "vfprintf", "vprintf", "vsprintf", "vsnprintf"):
//             (
//                 dyn_entry.type == elf.STT_FUNC and
//                 dyn_entry.name == f_name and
//                 console.log(" [*] Found dangerous function ", f_name)
//             )
//         )
// }

rule C_dangerous_memory_handling {
    meta:
        author = "Nong Hoang Tu"
        description = "Find functions that don't check the buffer's length when writing data to a destination buffer"
        version = "11 / 09 (Sep) / 2024"
        // Removed "memcpy" and "bcopy"
    condition:
        is_elf_file and for any dyn_entry in elf.dynsym: // YARA > 4.0 supports this syntax
        (
            for any f_name in ("strcpy", "gets", "scanf", "strcat", "sprintf", "vsprintf", "sscanf", "fscanf"):
            (
                dyn_entry.type == elf.STT_FUNC and
                dyn_entry.name == f_name and
                console.log(" [*] Found dangerous memory handling: ", f_name)
            )
        )
}

rule C_dangerous_system_command {
    meta:
        author = "Nong Hoang Tu"
        description = "Find functions that could lead to OS command injection"
        version = "11 / 09 (Sep) / 2024"
    condition:
        is_elf_file and for any dyn_entry in elf.dynsym: // YARA > 4.0 supports this syntax
        (
            for any f_name in ("system"):
            (
                dyn_entry.type == elf.STT_FUNC and
                dyn_entry.name == f_name and
                console.log(" [*] Found dangerous system execution: ", f_name)
            )
        )
}

// rule C_path_operator {
//     meta:
//         author = "Nong Hoang Tu"
//         description = "Find functions that could lead to path traversal"
//         version = "11 / 09 (Sep) / 2024"
//     condition:
//         is_elf_file and for any dyn_entry in elf.dynsym: // YARA > 4.0 supports this syntax
//         (
//             for any f_name in ("fopen", "open", "access", "stat", "chdir", "fchdir"):
//             (
//                 dyn_entry.type == elf.STT_FUNC and
//                 dyn_entry.name == f_name and
//                 console.log(" [*] Found file operator: ", f_name)
//             )
//         )
// }
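Added here as a stand-alone illustration of what the two active rules check, not part of the gist: a stdlib-only Python reader for the ELF64 `.dynsym` table that reports the same function lists. It goes one step beyond the rules by also requiring the symbol to be undefined (`st_shndx == SHN_UNDEF`), so a function of the same name defined inside the binary is not reported as an import. `build_sample_elf` and the symbol names fed to it are constructed test input, not real binaries.

```python
import struct

DANGEROUS = {  # the same function lists as the two active YARA rules above
    "memory handling": {"strcpy", "gets", "scanf", "strcat", "sprintf", "vsprintf", "sscanf", "fscanf"},
    "system execution": {"system"}}
SHT_STRTAB, SHT_DYNSYM, STT_FUNC, STB_GLOBAL, SHN_UNDEF = 3, 11, 2, 1, 0

def imported_functions(data: bytes) -> set:
    """Names of undefined STT_FUNC entries in .dynsym of a little-endian ELF64 (i.e. imports)."""
    # b"\x7fELF" is the same magic the rule reads as uint32(0) == 0x464c457f; then class/byte order
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return set()
    e_shoff, e_shentsize, e_shnum = struct.unpack_from("<Q", data, 40) + struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    found = set()
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = shdrs[sh[6]][4]  # sh_link of .dynsym names its .dynstr section
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, st_info, _, st_shndx = struct.unpack_from("<IBBH", data, off)
            if st_info & 0xF == STT_FUNC and st_shndx == SHN_UNDEF:
                p = strtab_off + st_name
                found.add(data[p:data.index(b"\0", p)].decode())
    return found

def dangerous_imports(data: bytes) -> dict:
    """Category -> sorted dangerous imports found; an empty dict means none of them is imported."""
    imports = imported_functions(data)
    return {cat: sorted(imports & names) for cat, names in DANGEROUS.items() if imports & names}

def build_sample_elf(imported, defined=("main",)) -> bytes:
    """Constructed minimal ELF64 image: header, .dynsym, .dynstr, .shstrtab and four section headers."""
    names = list(imported) + list(defined)
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    syms, name_off = b"\0" * 24, 1  # index 0 is the mandatory null symbol
    for n in names:
        shndx = SHN_UNDEF if n in imported else 1  # any non-zero section index marks a locally defined symbol
        syms += struct.pack("<IBBHQQ", name_off, (STB_GLOBAL << 4) | STT_FUNC, 0, shndx, 0, 0)
        name_off += len(n) + 1
    shstr = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    dynstr_off = 64 + len(syms)
    shstr_off = dynstr_off + len(dynstr)
    shoff = shstr_off + len(shstr)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    sh = lambda name, typ, off, size, link, ent: struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, ent)
    shdrs = (sh(0, 0, 0, 0, 0, 0) + sh(1, SHT_DYNSYM, 64, len(syms), 2, 24)
             + sh(9, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0) + sh(17, SHT_STRTAB, shstr_off, len(shstr), 0, 0))
    return ehdr + syms + dynstr + shstr + shdrs
```

To scan a real file, pass `open(path, "rb").read()` to `dangerous_imports`; like the rules, it reports imported names only and says nothing about where they are called.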