Re: Secure coding in C (was Re: Administrivia #4883)
Subject: Re: Secure coding in C (was Re: Administrivia #4883)
From: Aviram Jenik (aviram at SECURITEAM.COM)
Date: Mon Jan 17 2000 - 00:20:51 CST
- Next message: Vanja Hrustic: "Re: ICQ >= 99* + CC Data"
- Previous message: Paul Cardon: "Re: Secure coding in C (was Re: Administrivia #4883)"
- In reply to: K Martin: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Craig H. Rowland: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Warner Losh: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Blue Boar: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Reply: Aviram Jenik: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Nice discussion so far.
So far we played; now let me show you the overflow, which will hopefully
prove nicely why pretty and optimized code is (almost always) the cause of
security errors (not that it *can't* be done securely, it's just usually
*isn't*).
The original code was:
char *a = something();
char *b = something_else();
int len = strlen(a) + strlen(b);
char *c = malloc(len + 1) || die("malloc");
(void) strcat(strcpy(c, a), b);
Nice and tight. Now this is what I can do with it (modified to work under
Win NT):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two buffers each just over 32767 bytes (the largest positive short). */
char str1[33000]="";
char str2[33000]="";

int main(int argc, char* argv[])
{
    int i;
    char *a, *b, *c;
    short len;                        /* deliberately narrow; see below */

    /* fill both buffers with 'A' and terminate them */
    for(i=0;i<sizeof(str1)-1;i++) {
        str1[i]='A';
    }
    str1[sizeof(str1)-1]='\0';
    for(i=0;i<sizeof(str2)-1;i++) {
        str2[i]='A';
    }
    str2[sizeof(str2)-1]='\0';

    a = &str1[0];
    b = &str2[0];
    len = strlen(a) + strlen(b);      /* 65998 does not fit in a short */
    c = (char *)malloc(len + 1);      /* allocates far less than 65999 bytes */
    if(NULL==c)
        return 1;
    (void) strcat(strcpy(c, a), b);   /* writes past the end of c */
    return 0;
}
(excuse me for using 'short' instead of 'int', I couldn't remember what the
maximum value of 'int' was. Clearly this works either way).
Short explanation:
str1 and str2 are two buffers which are (both) just over the size of max_short
(or max_int or whatever you're trying to overflow). The addition of both is
naturally over max_short, but in this case it is positive (although this
value is clearly less than the size of the two buffers combined)
==> Overflow
QED.
(I'll leave the actual exploit code writing to Brock ;-) )
-------------------------
Aviram Jenik
SecuriTeam
http://www.SecuriTeam.com
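As an added example (not part of Aviram's post or of the thread's code), the length computation from the post done two ways: narrowed into a short as in the demo, and with size_t plus an overflow check before malloc. The function and helper names are mine.

```c
/* Added example, not from the thread: the post's length computation
 * narrowed to 'short', next to the same sum done in size_t with an
 * overflow check before malloc. Names below are my own. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the post: the total length squeezed into a short. Returns the
 * (possibly truncated) value so callers can compare it to the real sum. */
int narrowed_len(const char *a, const char *b)
{
    short len = strlen(a) + strlen(b);   /* silently loses the high bits */
    return len;
}

/* Sum two lengths plus the NUL, refusing when size_t would wrap. */
int checked_total(size_t la, size_t lb, size_t *out)
{
    if (la > SIZE_MAX - lb)              /* la + lb would wrap */
        return 0;
    if (la + lb > SIZE_MAX - 1)          /* no room for the terminator */
        return 0;
    *out = la + lb + 1;
    return 1;
}

/* Concatenate into a fresh buffer sized from the checked total. */
char *checked_concat(const char *a, const char *b)
{
    size_t total, la = strlen(a), lb = strlen(b);
    char *c;
    if (!checked_total(la, lb, &total))
        return NULL;
    c = malloc(total);
    if (c == NULL)
        return NULL;
    memcpy(c, a, la);
    memcpy(c + la, b, lb + 1);           /* copies the NUL too */
    return c;
}

/* Helper: a malloc'd string of n copies of ch (constructed test input). */
char *make_filled(size_t n, char ch)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, ch, n);
    s[n] = '\0';
    return s;
}
```

With two 32999-byte inputs, narrowed_len reports something other than the true 65998, which is exactly the value malloc would be handed in the post's demo.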
This archive was generated by hypermail 2b27 : Mon Jan 17 2000 - 00:38:09 CST