From: fish stiqz (fishANALOG.ORG)
Date: Sun Apr 01 2001 - 19:06:46 CDT


    On Sat Mar 31 10:47PM 2001, Makoto Iwamura <iwamuraPB.HIGHWAY.NE.JP> wrote:
    > If you implement printf() (fprintf(), syslog(), etc.) so that it doesn't
    > access more arguments than the "num" value, you can protect applications
    > from format string attacks. If we make a new built-in function instead of
    > calling get_number_of_args, you can get the number of arguments with only
    > one statement added.

    No, you cannot assume that in order to exploit a format string
    vulnerability an attacker must use more arguments than are specified
    at compile time. You *can* successfully exploit a format string
    vulnerability with the same number of arguments or fewer.
    Consider the following example (looks similar to splitvt? ;):

    /* fmt.c - format string demo program */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>     /* strlen() */

    /* default format; argv[1] replaces it wholesale, so the caller
       controls the format string itself */
    char *config_file = "%s/.programrc";

    void file(char *conf, char *home)
    {
            char buf[256];

            /* the vulnerable call: caller-controlled format and an
               unbounded write; a precision such as %.260x expands one
               conversion to more than 256 bytes */
            sprintf(buf, conf, home);

            printf("buf: %s\n", buf);
            return;
    }

    int main(int argc, char **argv)
    {
            char *home = getenv("HOME");

            if(home == NULL)        /* getenv() may return NULL */
                    exit(1);

            if(argc == 2)
            {
                    config_file = argv[1];

                    /* make sure we can't overflow it -- this bounds the
                       length of the format, not of its expansion */
                    if(strlen(config_file) > 255)
                            exit(1);
            }
            else
            {
                    /* make sure we can't overflow it: the 2-byte "%s"
                       is replaced by $HOME */
                    if(strlen(home) + strlen(config_file) - 2 > 255)
                            exit(1);
            }
            file(config_file, home);
            return 0;
    }

    $ gcc -o fmt fmt.c
    $ gdb ./fmt
    (gdb) run %.260xABCD
    Program received signal SIGSEGV, Segmentation fault.
    0x44434241 in ?? ()
    (gdb) info reg
    eax 0x10e 270
    ecx 0x1 1
    edx 0x80485f6 134514166
    ebx 0x231098 2298008
    esp 0xbffffa0c 0xbffffa0c
    ebp 0x32386666 0x32386666
    esi 0x126484 1205380
    edi 0x2 2
    eip 0x44434241 0x44434241
    ...

    I only used one argument to exploit that; if you look closely you'll
    notice it works just like a classical buffer overflow, overwriting the
    return address of the "file" function. Now, if I read this correctly,
    your solution would not defend against this. I think a better way to
    solve format string problems is to actually write a parser for it, or
    integrate it into the gcc parser itself (isn't this being done in gcc 3.0?).

    - fish stiqz.

    --
    fish stiqz <fishanalog.org>
       irc>irl?werd():lame()
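The following is an added example, not code from fish stiqz's post or from splitvt. It implements the argument-counting check proposed in the quoted message (going slightly beyond the post by also counting `*` width/precision arguments), shows that the post's format `%.260xABCD` passes that check with one argument yet expands to 264 bytes, and places the bounded, literal-format version of `file()` beside it. All function names are this example's own, and the inputs are constructed for the demonstration.

```c
/* fmt_check.c - added example, not code from fish stiqz's post or from
 * splitvt: a printf() that refuses to read more arguments than the
 * caller supplied still lets "%.260xABCD" overflow a 256-byte buffer.
 * All function names are this example's own. */
#include <stdio.h>
#include <string.h>

/* Count the arguments a printf-style format would consume: one per
 * conversion plus one per '*' width or precision.  "%%" consumes none.
 * This is the "num" check from the quoted proposal. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* literal percent sign */
            p++;
            continue;
        }
        n++;                        /* the conversion itself */
        /* walk flags, width, precision and length modifiers */
        for (p++; *p && strchr("-+ #0123456789.*hlLqjzt", *p); p++)
            if (*p == '*')          /* '*' takes an extra int argument */
                n++;
        if (!*p)                    /* format ends mid-conversion */
            break;
    }
    return n;
}

/* The proposed defence: reject a format that uses more arguments than
 * the caller supplied.  Returns 1 if fmt is accepted, 0 if rejected. */
int accepted_by_arg_count_check(const char *fmt, int nargs)
{
    return count_conversions(fmt) <= nargs;
}

/* Measure, without writing anywhere, how many bytes fmt expands to for
 * one unsigned argument (snprintf with size 0 only counts).  The post's
 * vulnerable call passes a char *; an unsigned is used here so the
 * measurement is well-defined, and "%.260x" pads to 260 digits for any
 * value. */
int formatted_length_uint(const char *fmt, unsigned value)
{
    return snprintf(NULL, 0, fmt, value);
}

/* 1 if formatting fmt would overflow a buffer of buflen bytes
 * (terminating NUL included), else 0. */
int overflows_buffer(const char *fmt, unsigned value, size_t buflen)
{
    int n = formatted_length_uint(fmt, value);
    return n < 0 || (size_t)n >= buflen;
}

/* Hardened file(): the format is a literal and the write is bounded.
 * Returns 1 on success, 0 when the path would not fit in buf. */
int build_config_path(char *buf, size_t buflen, const char *home)
{
    int n = snprintf(buf, buflen, "%s/.programrc", home);
    return n >= 0 && (size_t)n < buflen;
}

int main(void)
{
    /* constructed inputs: the format from the post and a sample $HOME */
    const char *attack = "%.260xABCD";
    const char *home = "/home/user";
    char buf[256];

    printf("arguments used by \"%s\": %d (caller supplies 1)\n",
           attack, count_conversions(attack));
    printf("passes the argument-count check: %s\n",
           accepted_by_arg_count_check(attack, 1) ? "yes" : "no");
    printf("bytes it writes: %d, overflows 256-byte buf: %s\n",
           formatted_length_uint(attack, 0),
           overflows_buffer(attack, 0, sizeof buf) ? "yes" : "no");
    if (build_config_path(buf, sizeof buf, home))
        printf("hardened build: %s\n", buf);
    return 0;
}
```

The argument count is exact for the attack format (one conversion, one argument), so the check accepts it; the damage comes from the precision, which the count never looks at. The only robust fix is the last function: the format is a compile-time literal, the write is bounded by the buffer size, and truncation is reported rather than silently written past the end.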