[Vuln-dev Challenge] Challenge #2

We are announcing the second challenge. Initially, we wanted to have this out a few days ago but were involved in testing it on multiple platforms. This challenge is a little easier than the first one, since we'd like to see more people attempting to produce a proof-of-concept. If you find it too easy, you're welcome to attempt it in an environment with a non-executable stack/heap to raise the bar a little.

Here's a link to the basic guidelines (for those who missed it):

http://www.securityfocus.com/archive/82/321615/2003-05-13/2003-05-19/0

(also, please retain the [Vuln-dev Challenge] string in the subject line for replies to make for easier filtering for those not interested in challenge related discussion.)

---

/* vulndev2.c */

#include <stdio.h>


#include 



#define BFSIZE 90



int
main(int argc, char *argv[])
{
        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

        if (argc != 3)
                return 1;
        if ( (bfp = malloc(BFSIZE)) == NULL)
                return 1;
        /* log input */
        if ( (f1 = fopen("db.log", "a+")) == NULL)
                return 1;
        fprintf(f1, ";;%s;;", argv[2]);
        fclose(f1);
        strcpy(buf, argv[1]);
        /* read log */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)
                return 1;

        printf("%s\n", bfp);
        fclose(f1);
        exit(1);
}

---

Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7