Vulnerability Development mailing list archives

Re: Secure coding in C (was Re: Administrivia #4883)


From: aviram () SECURITEAM COM (Aviram Jenik)
Date: Mon, 17 Jan 2000 08:20:51 +0200


Nice discussion so far.

So far we played, now let me show you the overflow, which will hopefully
prove nicely why pretty and optimized code is (almost always) the cause of
security errors (not that it *can't* be done securely, it's just usually
*isn't*).

The original code was:
char *a = something();
char *b = something_else();
int len = strlen(a) + strlen(b);
char *c = malloc(len + 1) || die("malloc");
(void) strcat(strcpy(c, a), b);

Nice and tight. Now this is what I can do with it (modified to work under
Win NT):

#include <stdlib.h>
#include <string.h>

/* Two buffers, each just over 32767 (the largest positive short). */
char str1[33000]="";
char str2[33000]="";

int main(int argc, char* argv[])
{
 int i;

 /* Fill both buffers with 'A' and terminate them. */
 for(i=0;i<sizeof(str1)-1;i++) {
  str1[i]='A';
 }
 str1[sizeof(str1)-1]='\0';

 for(i=0;i<sizeof(str2)-1;i++) {
  str2[i]='A';
 }
 str2[sizeof(str2)-1]='\0';

 char *a = &str1[0];
 char *b = &str2[0];
 /* Deliberate: 32999 + 32999 = 65998 does not fit in a short, so len ends
    up as a small positive value and malloc() gets far too little memory. */
 short len = strlen(a) + strlen(b);
 char *c = (char *)malloc(len + 1);
 if(NULL==c)
  return 1;
 /* The copy writes the full 65998 bytes into the undersized heap buffer. */
 (void) strcat(strcpy(c, a), b);

 return 0;
}

(excuse me for using 'short' instead of 'int', I couldn't remember what the
maximum value of 'int' was. Clearly this works either way).

Short explanation:

str1 and str2 are two buffers which are (both) just over the size of max_short
(or max_int or whatever you're trying to overflow). The addition of both is
naturally over max_short, but in this case, it is positive (although this
value is clearly less than the size of the two buffers combined)
==> Overflow
QED.

(I'll leave the actual exploit code writing to Brock ;-)  )

-------------------------
Aviram Jenik
SecuriTeam
http://www.SecuriTeam.com
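An added example, not part of the post above or of the original thread's code, showing the two halves of the point from a defender's side: truncated_len() reproduces the arithmetic of the demo (the sum of two lengths just under 33000 narrowed into a short) without doing any copy, and concat_checked() is a hardened version of the original concatenation that keeps every width as size_t, checks the addition before calling malloc(), and copies with memcpy() using the lengths it already computed. The function names, the 32999-byte constructed inputs and the NULL-on-failure convention are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Same narrowing as the post's 'short len = strlen(a) + strlen(b)', isolated
   so it can be inspected. The out-of-range conversion is implementation
   defined in C; on the usual two's-complement compilers 65998 becomes 462,
   a small positive number that malloc() will happily accept. */
int truncated_len(size_t la, size_t lb)
{
    short len = (short)(la + lb);
    return len;
}

/* Hardened concatenation. Lengths stay size_t end to end, the sum is checked
   for wrap-around before allocating, and the copy uses the computed lengths
   rather than re-scanning for terminators. Returns NULL if the combined
   length cannot be represented or the allocation fails; the caller frees. */
char *concat_checked(const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);

    if (la > SIZE_MAX - 1 - lb)     /* la + lb + 1 would overflow size_t */
        return NULL;

    char *c = malloc(la + lb + 1);
    if (c == NULL)
        return NULL;

    memcpy(c, a, la);
    memcpy(c + la, b, lb + 1);      /* lb + 1 also copies b's terminator */
    return c;
}

/* Rebuilds the post's scenario with constructed input (two strings of 32999
   'A's) and returns the length of the checked result: 65998, the true size,
   which is what the allocation in concat_checked() was based on. */
size_t demo_len(void)
{
    const size_t n = 32999;
    char *a = malloc(n + 1);
    char *b = malloc(n + 1);
    if (a == NULL || b == NULL) {
        free(a);
        free(b);
        return 0;
    }
    memset(a, 'A', n); a[n] = '\0';
    memset(b, 'A', n); b[n] = '\0';

    char *c = concat_checked(a, b);
    size_t result = (c != NULL) ? strlen(c) : 0;

    free(a);
    free(b);
    free(c);
    return result;
}

int main(void)
{
    printf("truncated short length: %d\n", truncated_len(32999, 32999));
    printf("checked concat length : %zu\n", demo_len());
    return 0;
}
```

The check `la > SIZE_MAX - 1 - lb` is written so that the comparison itself cannot overflow; testing `la + lb + 1 < la` after the fact relies on unsigned wrap-around and is easy to get wrong once a signed type sneaks in, which is exactly how the original went bad.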

