Vulnerability Development mailing list archives

[Vuln-dev Challenge] Challenge #2


From: Dave McKinney <dm () securityfocus com>
Date: Fri, 23 May 2003 16:13:44 -0600 (MDT)


We are announcing the second challenge.  Initially, we wanted to have this
out a few days ago but were involved in testing it on multiple platforms.
This challenge is a little easier than the first one, since we'd like to
see more people attempting to produce a proof-of-concept.  If you find it
too easy, you're welcome to attempt it in an environment with a
non-executable stack/heap to raise the bar a little.

Here's a link to the basic guidelines (for those who missed it):

http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0

(also, please retain the [Vuln-dev Challenge] string in the subject line
for replies to make for easier filtering for those not interested in
challenge related discussion.)

---

/* vulndev2.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy */

#define BFSIZE 90

int
main(int argc, char *argv[])
{
        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;

        /* log input */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);

        strcpy(buf, argv[1]);

        /* read log */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)
                return 1;

        printf("%s\n", bfp);
        fclose(f1);
        exit(1);
}

---

Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7
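
For comparison with vulndev2.c above, a hardened variant of the same flow, as an added example that is not part of the original post: the copy into the fixed-size buffer is length-checked before anything is written to the log, and the log file is closed on every path. The names copy_checked and log_and_read, the logpath parameter, and the 0 return on success are assumptions of this example.

```c
/* Added example: hardened variant of vulndev2.c, not the original author's code. */
#include <stdio.h>
#include <string.h>

#define BFSIZE 90

/* Copy src into dst only if it fits, terminator included. 0 = ok, -1 = too long. */
static int copy_checked(char *dst, size_t dstsz, const char *src)
{
        size_t n = strlen(src);
        if (n >= dstsz)
                return -1;      /* reject rather than truncate or overflow */
        memcpy(dst, src, n + 1);
        return 0;
}

/*
 * Same steps as the challenge program: append entry to the log, copy name into
 * a fixed stack buffer, read the start of the log back into out.
 * logpath and both function names are hypothetical, chosen for this example.
 */
static int log_and_read(const char *logpath, const char *name,
                        const char *entry, char *out, size_t outsz)
{
        char    buf[BFSIZE];
        FILE    *f1;
        int     ok;

        if (copy_checked(buf, sizeof buf, name) != 0)
                return 1;       /* validate input before any side effect */
        if ( (f1 = fopen(logpath, "a")) == NULL)
                return 1;
        ok = fprintf(f1, ";;%s;;", entry) >= 0;
        if (fclose(f1) != 0 || !ok)
                return 1;
        if ( (f1 = fopen(logpath, "r")) == NULL)
                return 1;
        ok = fgets(out, (int)outsz, f1) != NULL;        /* bounded by caller's size */
        fclose(f1);             /* closed on the failure path as well */
        return ok ? 0 : 1;
}

int main(int argc, char *argv[])
{
        char    line[BFSIZE];
        if (argc != 3 || log_and_read("db.log", argv[1], argv[2], line, sizeof line))
                return 1;
        printf("%s\n", line);
        return 0;
}
```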

