partial analysis of vulndev-1.c
From: David R. Piegdon (fleshyCPU_at_gmx.net)
Date: 05/13/03
- Previous message: Bernie Cosell: "Re: Administrivia: List Announcement"
- In reply to: Dave McKinney: "Administrivia: List Announcement"
- Next in thread: Dana Epp: "Re: partial analysis of vulndev-1.c"
- Reply: Dana Epp: "Re: partial analysis of vulndev-1.c"
- Reply: master of chaos - lord of mean: "Re: partial analysis of vulndev-1.c"
- Maybe reply: Michael Wojcik: "FW: partial analysis of vulndev-1.c"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: vuln-dev@securityfocus.com Date: Tue, 13 May 2003 20:35:06 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hope it's OK that I answer to the list :)
First thing :)
As far as I know, in PLAIN C a function call is not allowed
during the definition of a variable
{ char *buf1 = malloc(SIZE); }
but in C++ it is allowed.
But actually I am not that sure, because gcc simply compiles it
without a warning. Does someone know? I've lent my favourite C book
to a friend.
Second thing:
Two ways are used to copy a string into a buffer:
[1] { strncpy(buf2, p2, SIZE); }
and
[2] { for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i]; }
It is obvious that [1] will always copy SIZE chars.
That's bad because in this case, if strlen(p2) >= SIZE, the final string
in buf1 will NOT be terminated with a NULL.
This could be used later on for something bad, but not in this context.
In contrast, [2] will copy MIN( 0..SIZE , STRLEN(p1)+1 ),
that is: MIN( SIZE+1 , STRLEN(p1)+1 ), which will write one char beyond
the end of the buffer if the string p1 is longer than or equal to SIZE.
Actually, this string will NEVER be null-terminated
(just look at when the for-loop is terminated: if it finds a \000 char).
So here we have two bad things:
1. strings that are not null-terminated (may not be too bad, if handled
properly later on when playing with the strings)
2. a buffer overflow, if strlen(p1) >= SIZE.
Actually my gcc-compiled version does not catch this one with a SIGSEGV,
but I don't know why. I've checked it with ddd; it really overwrites one
char behind the end of the buffer.
Now the question: can we use this buffer overflow?
Actually, in this case not, because the allocation of the buffer is done
with malloc. On Linux at least :) malloc does not use the stack but
uses the HEAP.
- ------------------------------------------------------------------------ >8
// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams@securityfocus.com>
// Spot the error in this program.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy; missing from the original listing */
#define SIZE 252
int
main(int argc, char *argv[])
{
    int i;
    char *p1, *p2;
    char *buf1 = malloc(SIZE);
    char *buf2 = malloc(SIZE);
    if (argc != 3)
        exit(1);
    p1 = argv[1], p2 = argv[2];
    strncpy(buf2, p2, SIZE);
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];
    free(buf1);
    free(buf2);
    return 0;
}
- ------------------------------------------------------------------------ >8
- --
This is a .signature-virus. If you see this, copy it into your .signature!
If you don't know what a .signature is, you've most probably been infected
by another virus of name Microsoft. In this case, please remove yourself
from my fov or infect yourself with linux ;) || GPG public key available
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+wTrcWCFHEwXrEHMRAmd5AJ9cmBJhjC687MaSWsegVlu9URELBwCeOJXH
IrTk+Y7gw6UbhGqqWiRGltk=
=OVCZ
-----END PGP SIGNATURE-----
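Worked example (added to this archived page; it is neither part of David's post nor Aaron Adams's challenge code, and the function names `make_input`, `loop_overflows`, `loop_terminates`, `strncpy_terminates` and `copy_bounded` are my own). It wraps the two copies from vulndev-1.c in probe functions. The loop probe allocates SIZE+1 bytes and puts a canary in the extra byte, so the `i <= SIZE` off-by-one can be observed without the probe itself going out of bounds: the canary is clobbered exactly when strlen(p1) > SIZE (at strlen == SIZE the loop stops on the NUL before touching buf1[SIZE]). A second probe shows the loop never writes a terminator at all, a third shows strncpy leaves buf2 unterminated once strlen(p2) >= SIZE, and `copy_bounded` is the bounded, always-terminated copy that should replace both. The input strings are constructed runs of 'A'.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 252           /* same buffer size as vulndev-1.c */
#define CANARY 0xA5        /* marker byte placed just past the end of the buffer */

/* malloc that aborts on failure, to keep the probes short. */
static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) abort();
    return p;
}

/* Constructed test input: a heap string of n 'A' characters. */
char *make_input(size_t n)
{
    char *s = xmalloc(n + 1);
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* The challenge's copy loop, verbatim: "i <= SIZE" lets i reach SIZE,
 * which indexes one byte past a SIZE-byte buffer. */
static void copy_loop_vuln(char *buf1, const char *p1)
{
    int i;
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];
}

/* Returns 1 if feeding a string of srclen bytes to the challenge loop
 * writes the byte just past a SIZE-byte buffer. The buffer is one byte
 * larger and that extra byte holds a canary, so the probe stays in bounds. */
int loop_overflows(size_t srclen)
{
    unsigned char *buf = xmalloc(SIZE + 1);
    char *src = make_input(srclen);
    int clobbered;
    memset(buf, 0, SIZE + 1);
    buf[SIZE] = CANARY;
    copy_loop_vuln((char *)buf, src);
    clobbered = (buf[SIZE] != CANARY);
    free(src);
    free(buf);
    return clobbered;
}

/* Returns 1 if the challenge loop leaves a NUL anywhere in the buffer
 * (pre-filled with 'X', so only the loop could have written one). */
int loop_terminates(size_t srclen)
{
    char *buf = xmalloc(SIZE + 1);   /* +1 keeps the off-by-one write in bounds */
    char *src = make_input(srclen);
    int found;
    memset(buf, 'X', SIZE + 1);
    copy_loop_vuln(buf, src);
    found = (memchr(buf, '\0', SIZE + 1) != NULL);
    free(src);
    free(buf);
    return found;
}

/* Returns 1 if strncpy(buf2, p2, SIZE) leaves a NUL within buf2.
 * strncpy pads with NULs only when the source is shorter than SIZE. */
int strncpy_terminates(size_t srclen)
{
    char buf[SIZE];
    char *src = make_input(srclen);
    memset(buf, 'X', SIZE);
    strncpy(buf, src, SIZE);
    free(src);
    return memchr(buf, '\0', SIZE) != NULL;
}

/* Hardened replacement for both copies: never writes past dst[size-1]
 * and always NUL-terminates. Returns the number of characters copied. */
size_t copy_bounded(char *dst, size_t size, const char *src)
{
    size_t i;
    if (size == 0) return 0;
    for (i = 0; i + 1 < size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

int main(void)
{
    char dst[SIZE];
    char *s = make_input(SIZE + 1);
    printf("strlen %d: loop overflows=%d\n", SIZE + 1, loop_overflows(SIZE + 1));
    printf("strlen %d: strncpy terminates=%d\n", SIZE, strncpy_terminates(SIZE));
    printf("bounded copy kept %zu chars\n", copy_bounded(dst, SIZE, s));
    free(s);
    return 0;
}
```

Build with `gcc -Wall -o probe probe.c` and run without arguments. The heap allocator does not detect the single-byte overwrite by itself, which is why the original program runs without a SIGSEGV; the canary makes the write visible.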