Vulnerability Development mailing list archives
Re: Secure coding in C (was Re: Administrivia #4883)
From: aviram () SECURITEAM COM (Aviram Jenik)
Date: Mon, 17 Jan 2000 08:20:51 +0200
Nice discussion so far. So far we played, now let me show you the overflow, which will hopefully prove nicely why pretty and optimized code is (almost always) the cause of security errors (not that it *can't* be done securely, it's just usually *isn't*).

The original code was:

    char *a = something();
    char *b = something_else();
    int len = strlen(a) + strlen(b);
    char *c = malloc(len + 1) || die("malloc");
    (void) strcat(strcpy(c, a), b);

Nice and tight. Now this is what I can do with it (modified to work under Win NT):

    #include <stdlib.h>
    #include <string.h>

    char str1[33000] = "";
    char str2[33000] = "";

    int main(int argc, char *argv[])
    {
        int i;

        /* fill both buffers with 32999 'A's plus a terminating NUL */
        for (i = 0; i < sizeof(str1) - 1; i++) {
            str1[i] = 'A';
        }
        str1[sizeof(str1) - 1] = '\0';

        for (i = 0; i < sizeof(str2) - 1; i++) {
            str2[i] = 'A';
        }
        str2[sizeof(str2) - 1] = '\0';

        char *a = &str1[0];
        char *b = &str2[0];

        /* 32999 + 32999 = 65998 does not fit in a short: it wraps to 462 */
        short len = strlen(a) + strlen(b);

        /* only 463 bytes are allocated, but ~66000 are copied below */
        char *c = (char *)malloc(len + 1);
        if (NULL == c)
            return 1;
        (void) strcat(strcpy(c, a), b);
        return 0;
    }

(excuse me for using 'short' instead of 'int', I couldn't remember what the maximum value of 'int' was. Clearly this works either way).

Short explanation: str1 and str2 are two buffers which are (both) just over the size of max_short (or max_int or whatever you're trying to overflow). The addition of both is naturally over max_short, but in this case, it is positive (although this value is clearly less than the size of the two buffers combined) ==> Overflow QED.

(I'll leave the actual exploit code writing to Brock ;-) )

-------------------------
Aviram Jenik
SecuriTeam
http://www.SecuriTeam.com
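The arithmetic behind the post, and the defensive fix a reviewer would ask for, as an added example (this is editor-written code, not from the thread or from SecuriTeam). The function and variable names are assumptions; the value 462 assumes the usual 16-bit two's-complement `short`, which is what the post's Win NT build has. The example does not perform the overflowing copy; it only reproduces the length truncation and shows a concatenation that keeps the sizes in `size_t` and checks for wraparound before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reproduces the post's length calculation: the sum of two string lengths
 * is stored in a 'short'. Returns what the post's 'len' variable actually
 * holds after narrowing (assumes a 16-bit two's-complement short). */
int truncated_length(size_t len_a, size_t len_b)
{
    short len = len_a + len_b;   /* 32999 + 32999 = 65998 -> 462 */
    return len;
}

/* Defensive version: lengths stay in size_t and the function refuses when
 * len_a + len_b + 1 (room for the terminating NUL) would wrap around. */
bool checked_total_length(size_t len_a, size_t len_b, size_t *total)
{
    if (len_b >= SIZE_MAX || len_a > SIZE_MAX - 1 - len_b)
        return false;
    *total = len_a + len_b + 1;
    return true;
}

/* Convenience wrapper for callers that want a single value: the total
 * allocation size, or 0 when the addition would overflow. */
size_t total_length_or_zero(size_t len_a, size_t len_b)
{
    size_t total;
    return checked_total_length(len_a, len_b, &total) ? total : 0;
}

/* Hardened replacement for strcat(strcpy(c, a), b): the allocation size is
 * computed with the overflow check above and the copies are bounded by the
 * exact lengths just measured. Returns NULL on overflow or malloc failure;
 * the caller owns the returned buffer. */
char *safe_concat(const char *a, const char *b)
{
    size_t len_a = strlen(a), len_b = strlen(b), total;
    if (!checked_total_length(len_a, len_b, &total))
        return NULL;
    char *c = malloc(total);
    if (c == NULL)
        return NULL;
    memcpy(c, a, len_a);
    memcpy(c + len_a, b, len_b + 1);   /* copies b's NUL terminator too */
    return c;
}

/* Shows the 32999 + 32999 case from the post next to the checked version. */
int main(void)
{
    size_t n = 32999;   /* constructed input: the post's buffer lengths */
    printf("short truncates %zu + %zu to %d bytes\n", n, n, truncated_length(n, n));
    printf("checked total for the same inputs: %zu bytes\n", total_length_or_zero(n, n));
    printf("checked total for SIZE_MAX + 1: %zu (0 means refused)\n", total_length_or_zero(SIZE_MAX, 1));

    char *joined = safe_concat("foo", "bar");
    if (joined != NULL) {
        printf("safe_concat(\"foo\", \"bar\") = %s\n", joined);
        free(joined);
    }
    return 0;
}
```

The same check generalises to any length arithmetic that feeds an allocator: compute in `size_t`, compare against `SIZE_MAX` before adding, and reject rather than silently wrap. Static analysers and compiler warnings (e.g. implicit narrowing warnings) catch the `short len = ...` assignment, which is the cheapest place to stop this class of bug.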
Current thread:
- Re: Secure coding in C (was Re: Administrivia #4883), (continued)
- Re: Secure coding in C (was Re: Administrivia #4883) Valery Dachev (Jan 17)
- Netdetect.exe with backdoor? (ICQ) WolF Knox (Jan 15)
- Re: Netdetect.exe with backdoor? (ICQ) Brad Griffin (Jan 15)
- Re: Secure coding in C (was Re: Administrivia #4883) Iván Arce (Jan 14)
- Re: Secure coding in C (was Re: Administrivia #4883) kay (Jan 15)
- Re: Secure coding in C (was Re: Administrivia #4883) Brian Masney (Jan 16)
- Re: Secure coding in C (was Re: Administrivia #4883) K Martin (Jan 16)
- Re: Secure coding in C (was Re: Administrivia #4883) Paul Cardon (Jan 16)
- Re: Secure coding in C (was Re: Administrivia #4883) K Martin (Jan 17)
- Re: Secure coding in C (was Re: Administrivia #4883) Bennett Todd (Jan 17)
- Re: Secure coding in C (was Re: Administrivia #4883) Aviram Jenik (Jan 16)
- Re: Secure coding in C (was Re: Administrivia #4883) Craig H. Rowland (Jan 17)
- Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21 Days Solar Eclipse (Jan 17)
- Re: Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21 Days Blue Boar (Jan 17)
- Re: Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21 Days kay (Jan 18)
- Re: Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21Days Blue Boar (Jan 18)
- e-commerce site security (was: Re: Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21 Days) Jon Paul, Nollmann (Jan 18)
- Re: Secure coding in C (was Re: Administrivia #4883) Warner Losh (Jan 17)
- Re: Secure coding in C (was Re: Administrivia #4883) Tellier, Brock (Jan 20)
- Re: Secure coding in C (was Re: Administrivia #4883) Marco Walther (Jan 20)
- Re: Secure coding in C (was Re: Administrivia #4883) Seth R Arnold (Jan 21)