search

NSSL-SJTU / SaTC

A prototype of Shared-keywords aware Taint Checking, a novel static analysis approach that tracks the data flow of the user input between front-end and back-end to precisely detect security vulnerabilities.
280 stars 50 forks source link

Is it Still Run....? #35

Open 5angjun opened 12 months ago

5angjun commented 12 months ago

Hello, I'm sangjun who very interested in your Project.

Now, I'm trying to Run your Poc command below.

I followed your instructions exactly as you directed, but I couldn't achieve the results you guided me to.

the firmware that i used is D-Link 878.

1. bof detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi --ghidra_script=ref2sink_bof --taint_check

2. command injection detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi -b prog.cgi --taint_check

3. detect injection bugs
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2share -b prog.cgi

python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=share2sink --ref2share_result=/home/satc/res/ghidra_extract_result/prog.cgi/prog.cgi_ref2share.result --ghidra_script=ref2sink_cmdi -b rc --taint_check

스크린샷, 2023-11-23 16-13-22

this is script that i used.

docker pull smile0304/satc
docker run -it -d --privileged --net=host --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --name satc f1e2ce760f4b /bin/bash
docker exec -it satc /bin/bash

cd /home/satc
source .virtualenvs/SaTC/bin/activate

cd SaTC
pip install "colorlog<5"

cd /home/satc/SaTC
1. bof detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi --ghidra_script=ref2sink_bof --taint_check

2. command injection detect 
python satc.py -d /home/satc/dlink_878 -o /home/satc/res2 --ghidra_script=ref2sink_cmdi -b prog.cgi --taint_check

3. detect injection
python satc.py -d /home/satc/dlink_878 -o /home/satc/res3 --ghidra_script=ref2share -b prog.cgi

python satc.py -d /home/satc/dlink_878 -o /home/satc/res3 --ghidra_script=share2sink --ref2share_result=/home/satc/res/ghidra_extract_result/prog.cgi/prog.cgi_ref2share.result --ghidra_script=ref2sink_cmdi -b rc --taint_check

i'll show my video for more detail. https://youtu.be/TIIVkZXvQGo

Is it really true that SaTC is functioning? I need a detailed explanation. If so, I would truly appreciate it.

Thanks

-sangjun-

smile0304 commented 11 months ago

Can you provide the running result? I didn't see the corresponding result in the YouTube link. The program encountered an error but did not crash

And I suggest running SaTC using the following command:

docker run -v <mapping>:<mapping> -it smile0304/satc

The startup command you are using will utilize root permissions, and I'm not sure if this will cause new exceptions.

5angjun commented 11 months ago

image

As i show, Since I'm getting this error, I wonder if SaTC is good at detecting vulnerabilities. Additionally, as a result of executing the command on the dlink_878 firmware, the result is that no vulnerabilities were found.

https://github.com/NSSL-SJTU/SaTC/blob/87607b98596a0c0fcd921ad1e5e278f38d1a05f4/src/taint_check/taint_analysis/coretaint.py#L756

https://github.com/NSSL-SJTU/SaTC/blob/87607b98596a0c0fcd921ad1e5e278f38d1a05f4/src/taint_check/taint_analysis/summary_functions.py#L166

https://youtu.be/TIIVkZXvQGo?t=239

Is it possible for the developer who develope SaTC to reproduce the vulnerability of Dlink-878 detection test again?

I really want to try SaTC and I am very interested in it. Please test it just once.