11/**
22 * @name Potential Timebomb
33 * @description Flow from a file last modification date (very likely implant installation time) and an offset to condition statement (the trigger)
4- * @kind problem
4+ * @kind path- problem
55 * @precision Low
66 * @problem.severity warning
77 * @id cs/backdoor/potential-time-bomb
1111
1212import csharp
1313import DataFlow
14+ import DataFlow:: PathGraph
1415
1516/**
1617 * Class that will help to find the source for the trigger file-modification date.
@@ -121,6 +122,7 @@ private class FlowsFromTimeComparisonCallableToSelectionStatementCondition exten
121122 * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger
122123 */
123124predicate isPotentialTimeBomb (
125+ DataFlow:: PathNode pathSource , DataFlow:: PathNode pathSink ,
124126 Call getLastWriteTimeMethodCall , Call timeArithmeticCall , Call timeComparisonCall ,
125127 SelectionStmt selStatement
126128) {
@@ -129,24 +131,26 @@ predicate isPotentialTimeBomb(
129131 DateTimeStruct dateTime , FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2 ,
130132 Node sink2 , FlowsFromTimeComparisonCallableToSelectionStatementCondition config3 , Node sink3
131133 |
134+ pathSource .getNode ( ) = exprNode ( getLastWriteTimeMethodCall ) and
132135 config1 .hasFlow ( exprNode ( getLastWriteTimeMethodCall ) , sink ) and
133136 timeArithmeticCall = dateTime .getATimeSpanArtithmeticCallable ( ) .getACall ( ) and
134137 timeArithmeticCall .getAChild * ( ) = sink .asExpr ( ) and
135138 config2 .hasFlow ( exprNode ( timeArithmeticCall ) , sink2 ) and
136139 timeComparisonCall = dateTime .getAComparisonCallable ( ) .getACall ( ) and
137140 timeComparisonCall .getAnArgument ( ) .getAChild * ( ) = sink2 .asExpr ( ) and
138141 config3 .hasFlow ( exprNode ( timeComparisonCall ) , sink3 ) and
139- selStatement .getCondition ( ) .getAChild * ( ) = sink3 .asExpr ( )
142+ selStatement .getCondition ( ) .getAChild * ( ) = sink3 .asExpr ( ) and
143+ pathSink .getNode ( ) = sink3
140144 )
141145}
142146
143- from
147+ from DataFlow :: PathNode source , DataFlow :: PathNode sink ,
144148 Call getLastWriteTimeMethodCall , Call timeArithmeticCall , Call timeComparisonCall ,
145149 SelectionStmt selStatement
146150where
147- isPotentialTimeBomb ( getLastWriteTimeMethodCall , timeArithmeticCall , timeComparisonCall ,
151+ isPotentialTimeBomb ( source , sink , getLastWriteTimeMethodCall , timeArithmeticCall , timeComparisonCall ,
148152 selStatement )
149- select selStatement ,
153+ select selStatement , source , sink ,
150154 "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger." ,
151155 timeComparisonCall , timeComparisonCall .toString ( ) , timeArithmeticCall , "an offset" ,
152156 getLastWriteTimeMethodCall , "last modification time of a file"
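Review bot: The new path endpoints are bound only by node identity (`pathSource .getNode ( ) = exprNode ( getLastWriteTimeMethodCall )` and `pathSink .getNode ( ) = sink3`) rather than through a configuration's `hasFlowPath`, so `source` and `sink` in the select are PathNodes that need not belong to the same configuration. Because the flow from the GetLastWriteTime call to the condition is stitched across config1, config2 and config3 with syntactic `getAChild*()` hops, `PathGraph` likely has no continuous edges between the two endpoints, and the path shown for each `path-problem` result may be empty or truncated; binding a PathNode by `getNode()` alone can also match a PathNode for the same expression from a different configuration and multiply results. If the path view is wanted, the three configurations would need to be folded into one that models the arithmetic and comparison hops as `isAdditionalFlowStep`, so that a single `config.hasFlowPath(pathSource, pathSink)` constrains both ends; otherwise the query is more honest left as `@kind problem` with the previous select. The `exists` body of isPotentialTimeBomb begins before this hunk.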