partial analysis of vulndev-1.c

From: David R. Piegdon <fleshyCPU(at)gmx.net>
Date: Tue May 13 2003 - 14:35:06 EDT

Hope it's OK that I answer to the list :)

First thing :)
As far as I know, in PLAIN C a function call is not allowed during the definition of a variable:
{ char *buf1 = malloc(SIZE); }
but in C++ it is allowed.
But actually I am not that sure, because gcc simply compiles it without a warning. Does someone know? I've lent my favorite C book to a friend.

Second thing:
Two ways are used to copy a string into a buffer: [1] { strncpy(buf2, p2, SIZE); }
and
[2] { for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i]; }

It is obvious that [1] will always copy SIZE chars. That's bad because in this case, if strlen(p2) >= SIZE, the final string in buf1 will NOT be terminated with a NULL. This could be used later on for something bad, but not in this context.

In contrast, [2] will copy MIN( 0..SIZE , STRLEN(p1)+1 ), that is: MIN( SIZE+1 , STRLEN(p1)+1 ), which will write one char beyond the end of the buffer if the string p1 is longer than or equal to SIZE. Actually, this string will NEVER be null-terminated (just look at when the for-loop is terminated: if it finds a \000 char).

So here we have two bad things:
1. strings that are not null-terminated (may not be too bad, if handled properly later on when playing with the strings)
2. a buffer overflow, if strlen(p1) >= SIZE. Actually my gcc-compiled version does not catch this one with a SIGSEGV, but I don't know why. I've checked it with ddd; it really overwrites one char behind the end of the buffer.


Now the question: can we use this buffer overflow? Actually, in this case not, because the allocation of the buffer is done with malloc. On Linux at least :) malloc does not use the stack but the HEAP.
------------------------------------------------------------------------ >8

// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams@securityfocus.com>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* needed for strncpy; missing from the posted version */

#define SIZE 252

int
main(int argc, char *argv[])
{

        int     i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        strncpy(buf2, p2, SIZE);
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];

        free(buf1);
        free(buf2);

        return 0;

}
------------------------------------------------------------------------ >8
--
This is a .signature-virus. If you see this, copy it into your .signature! If you don't know what a .signature is, you've most probably been infected by another virus of name Microsoft. In this case, please remove yourself from my fov or infect yourself with linux ;) || GPG public key available

Received on Tue May 13 18:21:53 2003
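As an added example (not part of the original message or of the challenge code), the following C program reproduces both copy idioms discussed above with a small constructed SIZE so their behaviour can be checked directly: the for-loop is run into a heap buffer with a canary byte placed right after it to detect the extra write, the strncpy result is checked for a terminator, and a bounded copy that always terminates is shown as the fix. The names loop_overruns, strncpy_terminated, bounded_copy and the SIZE of 8 are constructed here.

```c
#include <stdlib.h>
#include <string.h>
#define SIZE 8   /* small constructed buffer size; the challenge uses 252 */

/* Run the challenge's copy loop into a malloc'd buffer followed by one canary
 * byte. Returns 1 if the canary was overwritten, 0 if not, -1 if malloc fails. */
int loop_overruns(const char *src)
{
    unsigned char *buf = malloc(SIZE + 1);
    int i, hit;
    if (buf == NULL)
        return -1;
    buf[SIZE] = 0xAA;                               /* canary past the end */
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)   /* '<=' is the defect */
        buf[i] = (unsigned char)src[i];
    hit = (buf[SIZE] != 0xAA);
    free(buf);
    return hit;
}

/* strncpy(buf, src, SIZE) only pads with NULs when src is shorter than
 * SIZE. Returns 1 if the copied buffer holds a terminator, 0 otherwise. */
int strncpy_terminated(const char *src)
{
    char buf[SIZE];
    strncpy(buf, src, SIZE);
    return memchr(buf, '\0', SIZE) != NULL;
}

/* Hardened replacement: never writes past dst, always NUL-terminates and
 * truncates long input. Returns the number of characters stored. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dstsize == 0)
        return 0;
    n = strlen(src);
    if (n >= dstsize)
        n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Fixed-size wrapper so the hardened copy can be checked by length alone. */
size_t bounded_copy_len(const char *src)
{
    char buf[SIZE];
    return bounded_copy(buf, sizeof buf, src);
}
```

Feeding inputs of 7, 8 and 9 characters shows the boundaries: the loop only touches the byte past the buffer once the input is longer than SIZE, while strncpy already stops terminating at exactly SIZE characters.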

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT