Vulnerability Development mailing list archives
partial analysis of vulndev-1.c
From: "David R. Piegdon" <fleshyCPU () gmx net>
Date: Tue, 13 May 2003 20:35:06 +0200
Hope it's ok that I answer to the list :)

First thing :) As far as I know, in PLAIN C a function call is not allowed during the definition of a variable:

    char *buf1 = malloc(SIZE);

but in C++ it is allowed. But actually I am not that sure, because gcc simply compiles it without a warning. Someone knows? I've lent my favorite C book to a friend.

Second thing: two ways are used to copy a string into a buffer:

[1]    strncpy(buf2, p2, SIZE);

and

[2]    for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i];

It is obvious that [1] will always copy SIZE chars. That's bad because in this case, if strlen(p2) >= SIZE, the final string in buf1 will NOT be terminated with a NULL. This could be used later on for something bad, but not in this context.

In contrast, [2] will copy MIN( 0..SIZE , STRLEN(p1)+1 ), that is MIN( SIZE+1 , STRLEN(p1)+1 ), which will write one char beyond the end of the buffer if the string p1 is longer than or equal to SIZE. Actually, this string will NEVER be null-terminated (just look at when the for-loop is terminated: if it finds a \000 char).

So here we have two bad things:

1. strings that are not null-terminated (may not be too bad, if handled properly later on when playing with the strings)
2. a buffer overflow, if strlen(p1) >= SIZE.

Actually my gcc-compiled version does not catch this one with a SIGSEGV, but I don't know why. I've checked it with ddd; it really overwrites one char behind the end of the buffer.

Now the question: can we use this buffer overflow? Actually in this case not, because the allocation of the buffer is done with malloc. On linux at least :) malloc does not use the stack but it uses the HEAP.

------------------------------------------------------------------------ >8

// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams () securityfocus com>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy() prototype, missing from the original posting */

#define SIZE 252

int main(int argc, char *argv[])
{
    int i;
    char *p1, *p2;
    char *buf1 = malloc(SIZE);   /* heap buffers of SIZE bytes each */
    char *buf2 = malloc(SIZE);

    if (argc != 3)
        exit(1);

    p1 = argv[1], p2 = argv[2];

    /* copy [1]: strncpy with the full buffer size as the limit */
    strncpy(buf2, p2, SIZE);

    /* copy [2]: hand-rolled loop bounded by i <= SIZE */
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];

    free(buf1);
    free(buf2);
    return 0;
}

------------------------------------------------------------------------ >8

--
This is a .signature-virus. If you see this, copy it into your .signature! If you don't know what a .signature is, you've most probably been infected by another virus of name Microsoft. In this case, please remove yourself from my fov or infect yourself with linux ;) || GPG public key available
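The two copies the post compares, replayed as an added example that is not from the thread or from the challenge code: replay_loop, replay_strncpy and copy_bounded are names chosen here, the input is constructed, and the copies are run into stack buffers with a spare byte so the result can be inspected without corrupting anything. copy_bounded is the hardened form a reviewer would ask for in place of both copies.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 252
/* Replay the challenge's loop into a buffer with one constructed spare byte
   (so this test stays in bounds). Returns the highest index written: SIZE is
   one past a SIZE-byte buffer. *terminated: 1 if a NUL lies in bytes 0..SIZE-1. */
int replay_loop(const char *p1, int *terminated) {
    char buf[SIZE + 1];
    int i, last = -1;
    memset(buf, 'X', sizeof buf);            /* no NUL bytes to begin with */
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++) {
        buf[i] = p1[i];
        last = i;
    }
    *terminated = memchr(buf, '\0', SIZE) != NULL;
    return last;
}

/* Replay strncpy(buf2, p2, SIZE): 1 if a NUL lands inside the buffer. */
int replay_strncpy(const char *p2) {
    char buf[SIZE];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, p2, SIZE);
    return memchr(buf, '\0', SIZE) != NULL;
}

/* Hardened copy: never writes past dstsz bytes, always NUL-terminates,
   returns 1 if src was truncated. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    int truncated = n >= dstsz;
    if (truncated) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void) {
    char big[SIZE + 2], out[SIZE];
    int term, last;
    memset(big, 'A', SIZE + 1);              /* constructed: SIZE+1 'A's */
    big[SIZE + 1] = '\0';
    last = replay_loop(big, &term);
    printf("loop: last index %d (valid 0..%d) terminated=%d\n", last, SIZE - 1, term);
    printf("strncpy terminated=%d\n", replay_strncpy(big));
    printf("bounded: truncated=%d len=%zu\n", copy_bounded(out, sizeof out, big), strlen(out));
    return 0;
}
```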
Current thread:
- Administrivia: List Announcement Dave McKinney (May 13)
- Re: Administrivia: List Announcement David Riley (May 13)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Edinelson Keiji Shimokawa (May 14)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Brian Hatch (May 13)
- Re: Administrivia: List Announcement Wojciech Purczynski (May 14)
- Re: Administrivia: List Announcement Luciano Miguel Ferreira Rocha (May 14)
- vulndev-1.c challenge (was Re: Administrivia: List Announcement) Bennett Todd (May 13)
- Re: Administrivia: List Announcement Bernie Cosell (May 13)
- Re: Administrivia: List Announcement Valdis . Kletnieks (May 15)
- partial analysis of vulndev-1.c David R. Piegdon (May 13)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
- RE: partial analysis of vulndev-1.c David Schwartz (May 13)
- Re: partial analysis of vulndev-1.c Nexus (May 14)
- Re: partial analysis of vulndev-1.c andrewg (May 13)
- Re: Administrivia: List Announcement David Riley (May 13)
- Re: Administrivia: List Announcement Mr. Rufus Faloofus (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Cameron Brown (May 13)
- RE: Administrivia: List Announcement andrewg (May 13)
- RE: Administrivia: List Announcement Shafik Yaghmour (May 13)