├── README.md
├── dangerous_functions.qry
├── malloc_overflow.qry
└── stack.qry


/README.md:
--------------------------------------------------------------------------------
 1 | Here is a curated list of weggli queries
 2 | ========================================
 3 | 
 4 | You can read them and use them one by one, or launch them by batch:
 5 | 
 6 | Usage:
 7 | 
 8 | ```bash
 9 | $ bash dangerous_functions.qry code.c
10 | $ bash malloc_overflow.qry -e cc sourcedir/
11 | ```
12 | 
13 | There is threee categories:
14 | 
15 | 1. dangerous functions: such as strcpy, system, etc..
16 | 2. stack : tries to detect copies on stack, on other things..
17 | 3. malloc : finding overflows in malloc functions
18 | 
19 | They are autodocumented, you can read them.
20 | 
21 | 


--------------------------------------------------------------------------------
/dangerous_functions.qry:
--------------------------------------------------------------------------------
 1 | #This query tries to list potentially dangerous functions
 2 | #
 3 | #Such as:
 4 | # system(arg): potential injection, we try to detect if arg is not a
 5 | # static string by excluding quotes
 6 | echo " [*] Detecting system() and popen()"
 7 | weggli -R '$fun=^system$' -R '$arg=[^"]' '$fun($arg)' $@
 8 | weggli -R '$arg=[^"]' 'popen($arg,_)' $@
 9 | 
10 | # alloca(var); the use of alloca is discouraged, but it can be used
11 | # safely. We try to find only dynamically alloca()
12 | echo " [*] Detecting alloca() calls"
13 | weggli -R '$fun=^alloca$' '_ = $fun($var);' $@
14 | 
15 | # getenv: is not a security problem, but it can lead to a lot
16 | # of unexpected output when you can modify env vars. Such as TMPDIR,
17 | # PAGER, HOME, etc... a special look must be done for "HTTP_*" because
18 | # it is set by webserver from http headers
19 | 
20 | echo " [*] Detecting getenv calls"
21 | weggli '_ = getenv(_);' $@
22 | 
23 | # gets (not perform bounds checking on the size of its input)
24 | #
25 | echo " [*] Detecting gets()"
26 | weggli -R '$fun=^gets$' '_=$fun(_);' $@
27 | 
28 | # strcpy, strcat, stpcpy (potential overflow). We try to detect if
29 | # src arg is not a static string by excluding quotes.
30 | #
31 | echo " [*] Detecting strcpy(), strcat() and stpcpy()"
32 | weggli -R '$fun=^st[rp]cpy|strcat' -R '$arg=[^"]' '$fun(_,$arg);' $@
33 | 
34 | #This one is interesting, it catches strncpy and memcpy.
35 | #This is a trivial error where src is used as a size instead of dest
36 | weggli -R 'fun=cpy' '{ $fun($dst,$src,strlen($src)); }' $@
37 | weggli -R 'fun=cpy' '{ $size=strlen($src); $fun($dst,$src,$size); }' $@
38 | 
39 | #Next queries are dedicated to format strings
40 | #
41 | #This one detects format string such as: printf(a1); or sprintf(outstring, var1);
42 | #a bit trivial, but always a good catch
43 | #
44 | # we try to detect use of quotes, but there are a lot of false positive. Hard
45 | # to get rid of those, such as:
46 | # char * arg = "abcd\n";
47 | # printf(arg);               <- it will be detected as a format string..
48 | 
49 | echo "[*] Detecting format strings"
50 | weggli -R '$fn=^printf$' -R '$arg=[^"]' '{NOT: $fn(_,_); $fn($arg); }' $@
51 | #catch sprintf and fprintf - looks for syslog and derivate, can lead to
52 | #interesting findings
53 | weggli -R '$fn=^[sf]printf$|syslog' -R '$arg=[^"]*' '{ $fn(_,$arg); }' $@
54 | #catch nprintf
55 | weggli -R '$fn=^[sf]nprintf$' -R '$arg=[^"]*' '{ $fn(_,_,$arg); }' $@
56 | 
57 | 


--------------------------------------------------------------------------------
/malloc_overflow.qry:
--------------------------------------------------------------------------------
 1 | #The goal is to find small allocs, such as alloc(uint8_t a) because
 2 | #it's easy to overflow... Not a vuln by itself, but a starting point
 3 | #for vulns..
 4 | #We can also check if there is a copy after with a parameter which is
 5 | #not a the same as the malloc parameter
 6 | #Note: -u ensure that $size differs with $othersize
 7 | #      -R int8_t will also match uint8_t
 8 | #
 9 | #Use case:
10 | #uint8_t size;
11 | #size = get_size_from_sthing(packet);
12 | #buff = malloc(size)
13 | #memcpy(buff, packet->data, packet->size); //if packet_size is int16 -> overflow...
14 | #
15 | #First request just check alloc with no copy after the malloc in the func.
16 | #Second request check there is an alloc then a copy with other size
17 | 
18 | weggli -u -R 'byte=int8|char|byte|int16|short' \
19 |           -R 'alloc=lloc' \
20 |           -R 'cpy=cpy' \
21 |           '{ $byte $size; $buff = $alloc($size) ; NOT: $cpy($buff,_,$size); }' $@
22 | weggli -u -R 'byte=int8|char|byte|int16|short' \
23 |           -R 'alloc=lloc' \
24 |           -R 'cpy=cpy' \
25 |           '{ $byte $size; $buff = $alloc($size) ; $cpy($buff,_,$othersize); }' $@
26 | 
27 | 
28 | #The goal is to detect overflows in malloc calls, eventually followed by a
29 | #copy. This can lead to various kind of overflows.
30 | #
31 | 
32 | echo " [*] Just alloc overflows"
33 | weggli -R 'alloc=lloc' '{ $size = $(_) + _ ; _ = $alloc($size);}' $@
34 | weggli -R 'alloc=lloc' '{ _ = $alloc(_+_);}' $@
35 | weggli -R 'alloc=lloc' '{ $size = $(_)*_ ; _ = $alloc($size);}' $@
36 | weggli -R 'alloc=lloc' '{ _ = $alloc(_*_);}' $@
37 | 
38 | #Usually this one leads to crashes : alloc small buf then copy something, but it's worth
39 | #checking it
40 | echo " [*] Alloc overflow, then cpy smthin"
41 | weggli -u -R 'alloc=lloc' -R 'cpy=co?py' '{ $size = _($a) + _ ; _ = $alloc($size); $cpy(_,_,$a); }' $@
42 | weggli -u -R 'alloc=lloc' -R 'cpy=co?py' '{ _ = $alloc(_($size)+_); $cpy(_,_,$size); }' $@
43 | weggli -u -R 'alloc=lloc' -R 'cpy=co?py' '{ _ = $alloc(_($size+_)); $cpy(_,_,$size); }' $@
44 | weggli -u -R 'alloc=lloc' -R 'cpy=co?py' '{ $len = _($size+_); _ = $alloc($len); $cpy(_,_,$size); }' $@
45 | 


--------------------------------------------------------------------------------
/stack.qry:
--------------------------------------------------------------------------------
 1 | # This query tries to find copy to a stack buffer.
 2 | # This is not a bug by itself, but it can leads to potential
 3 | # overflow
 4 | #
 5 | echo "strn?cpy to stack buffer"
 6 | weggli -R 'func=^str.*cpy$' '{_ $b[_]; $func($b, _);}' $@
 7 | 
 8 | echo "memcpy to stack buffer"
 9 | weggli -R 'func=memcpy' '{_ $b[_]; $func($b, _, $size);}' $@
10 | #Note: the $size avoids static numbers, such as memcpy(d,s,15);.
11 | 
12 | #too much FP for this one, use at your own
13 | #echo "[*] Find arrays of any type on stack (many many outputs...)"
14 | #weggli '_ $fun(_) { _ $var[_]; }' $@
15 | 
16 | echo "[*] assign an array on stack, then call a fonction with this var. Usually error prone because of context lost"
17 | weggli '_ $fun(_) { _ $var[_]; $f($var); }' $@
18 | 


--------------------------------------------------------------------------------