Re: [Lit.] Buffer overruns
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 01/29/05
- Next message: jstevh_at_msn.com: "Surrogate factoring, out of the box"
- Previous message: David Wagner: "Re: [Lit.] Buffer overruns"
- In reply to: Trevor L. Jackson, III: "Re: [Lit.] Buffer overruns"
- Next in thread: Trevor L. Jackson, III: "Re: [Lit.] Buffer overruns"
- Reply: Trevor L. Jackson, III: "Re: [Lit.] Buffer overruns"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jan 2005 20:07:40 +0000 (UTC)
Trevor L. Jackson, III wrote:
>David Wagner wrote:
>> #include <stdlib.h>
>> #include <string.h>
>> char *read_string_from_network(void);
>> void foo(char *s) {
>>     char dst[80];
>>     if (strlen(s) > sizeof(dst))
>>         abort();
>>     strcpy(dst, s);
>> }
>> void bar(void) {
>>     char *s = read_string_from_network();
>>     foo(s);
>> }
>> Do you see the security hole?
>
>I see the defect, but I do not see a security hole (except in the sense
>that any defect, no matter how tiny, could lead to an exploitable hole).
Understandable. This sort of defect can be exploited (in some cases,
depending on the circumstances), but the attack is by no means obvious.
The defect is that an attacker can cause you to write a single '\0'
byte one place past the end of 'dst'; an off-by-one bug. It sounds
hard to believe that an off-by-one bug could possibly be exploitable.
I know I believed for quite some time that off-by-one bugs like this
were very unlikely to be exploitable. But then I saw an exploit, and
realized I had been too trusting.
It turns out there have been cases -- in the wild, with real code --
of off-by-one bugs just like this being exploited to take over the app.
The exploit went something like this: if you're lucky with the stack
frame layout, that '\0' overwrites the low byte of the frame pointer.
If the code in that procedure later uses the frame pointer in the wrong
way, it is going to be reading from or writing to the wrong place (the
address is off by up to 256 positions). This is just enough of a foot
in the door to do horrible things. If I recall, the attack may have only
worked on big-endian (or was that only on little-endian?) architectures.
I've forgotten the reference, but a Google search would probably turn
it up. If you're really curious, I may be able to dig up an example or
two from my archives.
Sometimes it seems like you just can't be too paranoid in this business.
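The following is an added example, not code from the thread. It makes the off-by-one in the quoted foo() observable without any stack-layout tricks: a copy routine that checks with '>' exactly as foo() does is run against an input region of DST_SIZE + 1 bytes whose last byte is a marker, and the marker shows whether the terminating '\0' landed one byte past dst. The corrected check ('>=') is run beside it. The names DST_SIZE, CANARY, copy_as_quoted, copy_fixed, probe and make_input, the 0xAA marker and the all-'A' inputs are all constructed here; the copy is done with a plain loop so that it writes the same bytes strcpy would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DST_SIZE 80     /* size of dst[] in the quoted foo() */
#define CANARY   0xAA   /* constructed marker byte stored right after dst */

/* Copies s into dst the way strcpy would: every character plus the
 * terminating '\0'.  A loop is used instead of strcpy so the result
 * does not depend on compiler checks; the bytes written are identical. */
static void copy_like_strcpy(char *dst, const char *s)
{
    size_t i = 0;
    do {
        dst[i] = s[i];
    } while (s[i++] != '\0');
}

/* The check from the quoted foo(): '>' lets an input of exactly DST_SIZE
 * characters through, so the '\0' is written to dst[DST_SIZE].
 * Returns 0 where foo() would abort(), 1 where it copies. */
static int copy_as_quoted(char *dst, const char *s)
{
    if (strlen(s) > DST_SIZE)
        return 0;
    copy_like_strcpy(dst, s);
    return 1;
}

/* The corrected check: the string plus its terminator must fit, so the
 * longest accepted input has DST_SIZE - 1 characters. */
static int copy_fixed(char *dst, const char *s)
{
    if (strlen(s) >= DST_SIZE)
        return 0;
    copy_like_strcpy(dst, s);
    return 1;
}

/* Runs one copy routine against a heap region of DST_SIZE + 1 bytes whose
 * last byte is the canary, so the write one past dst stays inside the
 * allocation and is merely detected rather than corrupting anything.
 * Returns  1 if the copy was accepted and the canary survived,
 *          0 if the copy was rejected (the stand-in for abort()),
 *         -1 if the copy was accepted but the byte after dst was overwritten. */
static int probe(int (*copy)(char *, const char *), const char *s)
{
    char *region = malloc(DST_SIZE + 1);
    int result;
    if (region == NULL)
        return 0;
    memset(region, 0, DST_SIZE);
    region[DST_SIZE] = (char)CANARY;
    if (!copy(region, s))
        result = 0;
    else
        result = ((unsigned char)region[DST_SIZE] == CANARY) ? 1 : -1;
    free(region);
    return result;
}

/* Constructed input: n copies of 'A' followed by '\0' (n < 128). */
static const char *make_input(size_t n)
{
    static char buf[128];
    if (n >= sizeof(buf))
        n = sizeof(buf) - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    size_t lengths[] = { DST_SIZE - 1, DST_SIZE, DST_SIZE + 1 };
    size_t i;
    for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        printf("input of %zu chars: quoted check -> %2d, fixed check -> %2d\n",
               lengths[i],
               probe(copy_as_quoted, make_input(lengths[i])),
               probe(copy_fixed, make_input(lengths[i])));
    }
    return 0;
}
```

With an 80-character input the quoted check reports -1 (accepted, marker clobbered by the '\0') while the corrected check reports 0 (rejected); 79 characters pass both intact and 81 are rejected by both. The single overwritten byte is the whole defect, and whether it is exploitable depends, as the post says, on what happens to sit after dst in the real stack frame.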