I am doing a security test on a system having an embedded TCL interpreter. The system receives input from the Internet (HTTP), parses it and passes it to customisable TCL scripts. During a fuzzing test (sending binary garbage in HTTP headers) I have noticed the following errors in the log:
TCL error: list element in quotes followed by "{}x" instead of space while executing "foreach header [ XXXXX ] { }"
or
TCL error: unmatched open quote in list while executing "foreach header [ XXXXX ] {}"
Here XXXXX is a command returning an array of HTTP headers, as parsed by the system. Sorry for obfuscating the real command; I hope you understand that I don't want to make too many details public before the vendor is informed about the issue (if it turns out to be an issue).
TCL code producing the error is very simple:
foreach header [ XXXXX ] { }
As far as I can tell, HTTP parsing is done outside of TCL and parsed values made accessible to TCL via custom commands (possibly implemented as TCL extension).
So my questions are:
Are these errors tell-tale signs of security problems with the system, such as insufficient user input validation?
If yes, can this condition be exploited to execute arbitrary TCL statements by sending the system a specially crafted request, a kind of code injection attack?
Are there any "Secure TCL coding practices" document? I could not find any.
You asked this on comp.lang.tcl where I replied with:
1) Are these errors tell-tale signs of security problems with the system, such as insufficient user input validation?
They're an indication of problems in the parsing code. I'd guess that the code is assuming that a header is a well-formed Tcl list, which you've found to be wholly unsafe. Sanitization is to use something like this:
set listOfWords [regexp -all -inline {\S+} $someString]
The resulting collection of words is guaranteed to be a well-formed list, for an arbitrary input string.
2) If yes, can this condition be exploited to execute arbitrary TCL statements by sending the system a specially crafted request, a kind of code injection (http://en.wikipedia.org/wiki/Code_injection) attack?
Probably not, not unless you then treat that list as code.
3) Are there any "Secure TCL coding practices" document? Any other source of information on how to safely handle untrusted data?
The simplest method is to do the parsing in a Safe Interpreter:
interp create -safe parsingInterp
parsingInterp eval { make the procedures }
parsingInterp eval [list doTheParse $stringToParse]
Note that we also guarantee that constructed lists (e.g., those out of the list command, and many other commands besides) are eval-safe. That is:
eval [list $a $b $c]
is exactly the same as:
$a $b $c
This is true whatever is in those variables.
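The following script is an added example, not code from the question or from the comp.lang.tcl reply above. It uses constructed header values (not captured traffic) and hypothetical procedure names (unsafeIterate, safeWords, parseHeaders, logHeaderUnsafe, logHeaderSafe) to reproduce the two error messages from the question, show the regexp sanitization and safe-interpreter approaches from the answer, and contrast a script built by string concatenation (where injection really does happen) with one built by list, which stays eval-safe whatever the header contains.

```tcl
#!/usr/bin/env tclsh
# Added example: treating raw HTTP header text as a Tcl list, and the fixes.

# Unsafe: the raw header string is handed to foreach as if it were a list.
proc unsafeIterate {raw} {
    foreach header $raw { }
    return ok
}

# Sanitized: regexp -all -inline always returns a properly constructed list,
# so every run of non-whitespace becomes exactly one element.
proc safeWords {raw} {
    return [regexp -all -inline {\S+} $raw]
}

# Constructed fuzz samples (not real traffic). The second and third mimic
# garbage that happens to contain a double quote, which is what triggers
# "list element in quotes followed by ..." and "unmatched open quote in list".
set samples [list \
    {User-Agent: curl/7.0} \
    {X-Fuzz: "abc"x} \
    {X-Fuzz: "unterminated}]

foreach raw $samples {
    if {[catch {unsafeIterate $raw} err]} {
        puts "foreach on raw string: ERROR: $err"
    } else {
        puts "foreach on raw string: ok"
    }
    puts "regexp words: [llength [safeWords $raw]] element(s)"
}

# Safe interpreter: do the header parsing in a sandbox. A bug in the parsing
# code then cannot reach exec, open, socket, etc., because -safe hides them.
set rawHeaders [join $samples \n]
interp create -safe parsingInterp
parsingInterp eval {
    # Hypothetical parser: split each line at the first colon and build the
    # result with lappend, so the returned value is a well-formed list.
    proc parseHeaders {raw} {
        set result {}
        foreach line [split $raw \n] {
            if {[regexp {^([^:]+):\s*(.*)$} $line -> name value]} {
                lappend result $name $value
            }
        }
        return $result
    }
}
set parsed [parsingInterp eval [list parseHeaders $rawHeaders]]
foreach {name value} $parsed {
    puts "parsed: $name -> $value"
}
if {[catch {parsingInterp eval {exec id}} err]} {
    puts "safe interp blocked it: $err"
}

# Where injection actually happens: building a script by string concatenation.
proc logHeaderUnsafe {name value} {
    # The value can close the double quote and append commands of its own.
    eval "puts \"header $name = $value\""
}

# Eval-safe: [list] constructs the script, so each argument remains one word
# no matter which characters it contains (this is the eval [list ...] point).
proc logHeaderSafe {name value} {
    eval [list puts "header $name = $value"]
}

# Constructed hostile header value.
set hostile {x"; set ::injected 1; puts "}
logHeaderSafe X-Test $hostile
puts "after safe call, ::injected exists? [info exists ::injected]"
logHeaderUnsafe X-Test $hostile
puts "after unsafe call, ::injected exists? [info exists ::injected]"
```

Run it with tclsh. The first loop reproduces the two errors from the log for the fuzzed samples while safeWords handles all three; the safe interpreter section shows the parsed pairs coming back as a proper list and exec being unavailable in the sandbox; the last section shows that only the concatenated script lets the header value set the ::injected variable, which is the code-injection case the answer is warning about.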