Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
....
}
/*****/
int GetPassword (char *buffer,char *username)
{
....
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
The asterix has something to do with pointers. *buffer means that it
is working on the original buffer-variable, or what?
I hope anyone can help me get some ideas out of this code.
22  2306 
Tommy <to***********@hotmail.com> scribbled the following: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
{
...
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
This is indeed incorrect design, but not necessarily fatal, as long
as GetPassword never uses the argument username for anything. If it
does, though, then it causes undefined behaviour, which can have
fatal results, for example the whole program crashing.
The asterix has something to do with pointers. *buffer means that it
is working on the original buffer-variable, or what?
Asterisk! "Asterix" is a comic book figure, a Gaulish warrior with a
yellow moustache, who lived in 50 B.C. and drank magic potion.
Yes, the unary asterisk operation means a pointer type. However, it
does not mean here that it is operating on the original buffer
variable. Such a thing is called "pass by reference" and is impossible
in C. What it does is operate on the *contents* of the original buffer
variable. If you use the [] operator on the buffer variable, you get
the same memory locations both in main and in GetPassword.
I hope anyone can help me get some ideas out of this code.
--
/-- Joona Palaste (pa*****@cc.helsinki.fi) ------------- Finland --------\
\-------------------------------------------------------- rules! --------/
"Shh! The maestro is decomposing!"
- Gary Larson
Tommy wrote: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
^ logically? used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
Missing return value.
{ char buffer[1024];
GetPassword(buffer);
Missing function declaration. Fixed size buffer without passing bounds.
int GetPassword (char *buffer,char *username)
Real function signature does not match usage above.
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it?
The function wants two arguments but it is called with only one.
Could this be misused`?
Anything could happen, you have left the grounds of well-formed C.
The asterix has something to do with pointers. *buffer means that it
is working on the original buffer-variable, or what?
Sorry, but you seriously need to get a book on C, it would take too long to
explain. What you could do to understand this code is to compile it and
look at the generated assembly, in case you can read that.
Uli
"Tommy" writes: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
Are you sure you copied this correctly? This should not even run. Code
that can not run does not present a security problem.
"osmium" <r1********@comcast.net> wrote
Are you sure you copied this correctly? This should not even run. Code
that can not run does not present a security problem.
C compilers tend to be rather lax on prototyping, because of backwards
compatibility. It is possible to call a function returning an integer with
the wrong number of arguments and no prototype in scope.
Tommy wrote: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
{
...
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
That is a syntactic fault, not a logical fault. Were the syntax errors
fixed, there would probably still be a logical fault, a buffer overflow
vulnerability. Whether or not this would actually be present depends on
the details of GetPassword. (Unless you consider passwords limited to
1023 characters to be a fault. I don't often push that limit, myself.)
-josh
In article <7c**************************@posting.google.com >, to***********@hotmail.com (Tommy) wrote: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
{
...
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
The asterix has something to do with pointers. *buffer means that it
is working on the original buffer-variable, or what?
I hope anyone can help me get some ideas out of this code.
1. If you are lucky, then the program will crash all the time because
when "GetPassword" tries to user "username", it will just get garbage.
2. If you are very lucky then the compiler will catch this error.
3. If you are unlucky, people will use the code, and then comes Joe E.
Hacker and takes control of their computers.
4. That is why a programmer who still hasn't heard of a "buffer overflow
vulnerability" shouldn't be let anywhere near a computer.
On 7 Nov 2004 18:59:34 GMT, Joona I Palaste <pa*****@cc.helsinki.fi>
wrote in comp.lang.c: Tommy <to***********@hotmail.com> scribbled the following: Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
{
...
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
This is indeed incorrect design, but not necessarily fatal, as long
as GetPassword never uses the argument username for anything. If it
does, though, then it causes undefined behaviour, which can have
fatal results, for example the whole program crashing.
What you say in the paragraph above is totally and completely wrong.
Calling a function in the absence of a prototype results in undefined
behavior if the number and types of all arguments, after the default
promotions, does not match the definition of the function.
There is absolutely no dispensation for unused arguments. None
whatsoever. If the function actually works, whether or not it
accesses the second argument, is just a matter of luck (good or bad).
--
Jack Klein
Home: http://JK-Technology.Com
FAQs for
comp.lang.c http://www.eskimo.com/~scs/C-faq/top.html
comp.lang.c++ http://www.parashift.com/c++-faq-lite/
alt.comp.lang.learn.c-c++ http://www.contrib.andrew.cmu.edu/~a...FAQ-acllc.html
"Christian Bau" <ch***********@cbau.freeserve.co.uk> wrote in message
news:ch*********************************@slb-newsm1.svr.pol.co.uk... In article <7c**************************@posting.google.com >,
to***********@hotmail.com (Tommy) wrote:
Hi all. I am studying computer security, and I got this short and
simple (?) c-code. Something is logical wrong in this code, and if
used in the wrong hands of someone, it could be taken advantage of.
Here is the code:
main ()
{ char buffer[1024];
GetPassword(buffer);
...
}
/*****/
int GetPassword (char *buffer,char *username)
{
...
}
Now, I am not a programmer, but is it correct that the logical fault
in this program is that the function takes to arguments, and only 1
argument is sent to it? Could this be misused`?
The asterix has something to do with pointers. *buffer means that it
is working on the original buffer-variable, or what?
I hope anyone can help me get some ideas out of this code.
1. If you are lucky, then the program will crash all the time because
when "GetPassword" tries to user "username", it will just get garbage.
2. If you are very lucky then the compiler will catch this error.
3. If you are unlucky, people will use the code, and then comes Joe E.
Hacker and takes control of their computers.
4. That is why a programmer who still hasn't heard of a "buffer overflow
vulnerability" shouldn't be let anywhere near a computer.
This is off-topic, but theoretically, how would a hacker be able to take
control of a system by exploiting buffer overflow? On a typical Windows
system, the executable would be running with its own stack space. The worst
I can see happening is the program crashing due to an invalid memory
read/write. I doubt OS code/data would be anywhere in or near the program's
address space.
Jack Klein <ja*******@spamcop.net> scribbled the following: On 7 Nov 2004 18:59:34 GMT, Joona I Palaste <pa*****@cc.helsinki.fi>
wrote in comp.lang.c: This is indeed incorrect design, but not necessarily fatal, as long
as GetPassword never uses the argument username for anything. If it
does, though, then it causes undefined behaviour, which can have
fatal results, for example the whole program crashing.
What you say in the paragraph above is totally and completely wrong.
Calling a function in the absence of a prototype results in undefined
behavior if the number and types of all arguments, after the default
promotions, does not match the definition of the function.
There is absolutely no dispensation for unused arguments. None
whatsoever. If the function actually works, whether or not it
accesses the second argument, is just a matter of luck (good or bad).
OK, thanks for correcting me.
--
/-- Joona Palaste (pa*****@cc.helsinki.fi) ------------- Finland --------\
\-------------------------------------------------------- rules! --------/
"You could take his life and..."
- Mirja Tolsa
"Method Man" <a@b.c> wrote in message
news:m%*******************@read2.cgocable.net... This is off-topic, but theoretically, how would a hacker be able to take
control of a system by exploiting buffer overflow?
You can create doctored arguments such that the buffer overwrites the stack.
If you doctor carefully (which is not enormously difficult) you can them
modify the functions return addres (which resides on stack) and effectively
jump to every bit of code you want.
Doctering the input still further and including some "black hat" code into
the call, you can jump to the code that (for instance) opens a back-door by
merely listening on a socket start a virus, which IIRC is the way
SQL-Slammer did it using a buffer overrun in the handling of UDP packets..
On a typical Windows
system, the executable would be running with its own stack space. The
worst I can see happening is the program crashing due to an invalid memory
read/write.
That's good luck. Bad luck is when it doesn't as described above.
I doubt OS code/data would be anywhere in or near the program's
address space.
My knowledge of Windows internals is insufficient to say Ay or Nay here.
However, the proliferation of Windows viruses suggests this may actually not
be much of a problem.
"Method Man" <a@b.c> wrote in message news:<m%*******************@read2.cgocable.net>... This is off-topic, but theoretically, how would a hacker be able to take
control of a system by exploiting buffer overflow? On a typical Windows
system, the executable would be running with its own stack space. The worst
I can see happening is the program crashing due to an invalid memory
read/write. I doubt OS code/data would be anywhere in or near the program's
address space.
The arguments to functions tend to be stored on the stack adjacent to
the return address of the function.
If the buffer can be overflown the memory adjacent to the buffer
on the stack, ie the return address, can be overwritten with arbitary
contents.
This allows the attacker to control program execution by directing it
at some code of his own. "shellcode" is the name usually given to
this code as traditionally it runs a shell, but it could do more.
(Essentially the return address is overwritten with an arbitary value
and the normal function termination finishs with a 'ret' instruction
which causes an effective jump to the address stored).
Google for more details. The classic intro paper is called
"Smashing The Stack For Fun And Profit" and can be easily found. It's
Unix centric but the principle is the same.
The main source of your belief the program will crash is that you seem
to believe that the OS code/data is important. It isn't. (Now a
non-executable stack, or stackguard protection would make it more challenging
but still not insurmountable).
Steve
--- http://shellcode.org/
In article <m%*******************@read2.cgocable.net>,
Method Man <a@b.c> wrote: This is off-topic, but theoretically, how would a hacker be able to take
control of a system by exploiting buffer overflow?
On a typical general-purpose operating system, modifying the stack
will only directly affect the process whose stack it is. Whether that
lets them do more depends on what privileges the process has.
-- Richard
> On a typical general-purpose operating system, modifying the stack will only directly affect the process whose stack it is. Whether that
lets them do more depends on what privileges the process has.
And only provided that the system in question allows execution of any
code that's on the "local stack", which is, in my opinion, a *major
flaw* of the system in itself. The ability of separating data and code
spaces has existed for decades in a lot of different processors.
Too bad very few systems have ever used this feature (except in some
embedded systems, mostly). This is the one feature that would have
saved most of security problems.
I'll list here just a few of the very popular processors/processor lines
which would allow such data/code separation in a sensible manner:
- Most of harvard-like architectures (so, a lot of RISC processors);
- The 68k processors, back to the 68000 (albeit a bit crude on this);
- The x86 series, back to the 286 (with the ability of marking memory
segments as executable or not);
- A whole lot of other processors.
But we're getting a bit off-topic. Sorry.
In article <41***********************@news.club-internet.fr>,
Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote: - The x86 series, back to the 286 (with the ability of marking memory
segments as executable or not);
I believe that the inability to prevent execution of pages, rather
than segments, has made this impractical on x86s for many operating
systems up to now. No doubt someone else remembers the detail better
than I do.
-- Richard
>>- The x86 series, back to the 286 (with the ability of marking memory segments as executable or not);
I believe that the inability to prevent execution of pages, rather
than segments, has made this impractical on x86s for many operating
systems up to now. No doubt someone else remembers the detail better
than I do.
Back to my old x86 manuals...
Nope: descriptors could allocate different segments with each its own
priviledge level, access rights (read, write, executable...).
The issue here is that most "multitask, protected" OS's have implemented
protection in a crude manner: each task would get its own segment (which
is good, but not enough) and 'see' its whole address space has a flat
memory model. "Tasks" can't meddle with each other, but they can still
do bad things on their own. Usually, the only area that use better
protection is the 'kernel' of the system. This is true in Linux, as well
as Windows and most other desktop/server OS's...
As I said, some embedded OS's actually make a very nice use of the code
protection feature. As you noticed, though, most OS's on the market just
don't, mainly for complexity reasons.
What infuriates me though, is that some companies are now going to make
huge amounts of money for promoting security features in new systems
that could have been implemented decades ago, surfing on the security
wave. And again, they're going to make people pay for what they failed
to do earlier.
Ok, end of rant. Just to say that here, as well as in a lot of other
areas, such as History, memory's not the most commonly shared thing.
And for those who'd complain this doesn't belong in c.l.c, I beg to
differ. A good understanding of the underlying reality in programming
is an invaluable skill.
In article <41***********************@news.club-internet.fr>,
Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote: I believe that the inability to prevent execution of pages, rather
than segments, has made this impractical on x86s for many operating
systems up to now. No doubt someone else remembers the detail better
than I do.
Nope: descriptors could allocate different segments with each its own
priviledge level, access rights (read, write, executable...).
I think that's what I said: you can control execution of segments, not
pages.
The issue here is that most "multitask, protected" OS's have implemented
protection in a crude manner: each task would get its own segment (which
is good, but not enough) and 'see' its whole address space has a flat
memory model.
Having used a few machines which didn't give the programmer a flat
memory model, I can see why they're not popular. I wouldn't use
such a machine now (as a general purpose computer), and I don't imagine
we'll be seeing many.
So yes, you *could* control stack execution on the x86, but only by
providing a model that most people don't want to program to. The fact
that you can't control it with the usual model is just a mistake that
Intel made years ago and apparently hasn't been able to change until now.
-- Richard
"Steve Kemp" <sp**@steve.org.uk> wrote in message
news:aa**************************@posting.google.c om... "Method Man" <a@b.c> wrote in message
news:<m%*******************@read2.cgocable.net>... This is off-topic, but theoretically, how would a hacker be able to take
control of a system by exploiting buffer overflow? On a typical Windows
system, the executable would be running with its own stack space. The
worst I can see happening is the program crashing due to an invalid memory
read/write. I doubt OS code/data would be anywhere in or near the
program's address space.
The arguments to functions tend to be stored on the stack adjacent to
the return address of the function.
If the buffer can be overflown the memory adjacent to the buffer
on the stack, ie the return address, can be overwritten with arbitary
contents.
This allows the attacker to control program execution by directing it
at some code of his own. "shellcode" is the name usually given to
this code as traditionally it runs a shell, but it could do more.
(Essentially the return address is overwritten with an arbitary value
and the normal function termination finishs with a 'ret' instruction
which causes an effective jump to the address stored).
Google for more details. The classic intro paper is called
"Smashing The Stack For Fun And Profit" and can be easily found. It's
Unix centric but the principle is the same.
The main source of your belief the program will crash is that you seem
to believe that the OS code/data is important. It isn't. (Now a
non-executable stack, or stackguard protection would make it more
challenging but still not insurmountable).
Steve
Thanks, I'll do some research. I'd like to smash the stack "for fun" so I
can learn a thing or two. ;-)
I'd like to clarify that this is OT for the thread but not for the
newsgroup. I think learning about the stack and how to write secure C code
is critical for real-world applications and very much on topic.
"Guillaume" <"grsNOSPAM at NOTTHATmail dot com"> wrote in message
news:41***********************@news.club-internet.fr...
<snip> And for those who'd complain this doesn't belong in c.l.c, I beg to
differ. A good understanding of the underlying reality in programming
is an invaluable skill.
Bravo!
Method Man wrote: I'd like to clarify that this is OT for the thread but not for the
newsgroup. I think learning about the stack and how to
write secure C code
is critical for real-world applications and very much on topic.
"the stack" isn't part of C.
--
pete
Method Man wrote: I'd like to clarify that this is OT for the thread but not for the
newsgroup. I think learning about the stack and how to write secure C code
is critical for real-world applications and very much on topic.
Problem is that this will be different between platforms. Sometimes
subtly, sometimes wildly different.
The lessons learned in one system might be completely irrelevant
for others.
--
Thomas.
In article <H4*******************@read2.cgocable.net>, "Method Man" <a@b.c> writes:
I'd like to clarify that this is OT for the thread but not for the
newsgroup. I think learning about the stack and how to write secure C code
is critical for real-world applications and very much on topic.
Discussion of the conditions that produce Undefined Behavior in C is
on-topic for comp.lang.c.
Discussion of the effects of Undefined Behavior, including disruption
of the "stack", which is neither defined nor mandated by the standard,
is relevant only to particular C implementations, and so is off-topic
for comp.lang.c (other than in illustrative asides).
One good forum for discussing exploiting Undefined Behavior in
typical (or specific) C implementations is the Vuln-Dev mailing list
maintained by SecurityFocus.
--
Michael Wojcik mi************@microfocus.com
An intense imaginative activity accompanied by a psychological and moral
passivity is bound eventually to result in a curbing of the growth to
maturity and in consequent artistic repetitiveness and stultification.
-- D. S. Savage
In article <41***********************@news.club-internet.fr>, Guillaume <"grsNOSPAM at NOTTHATmail dot com"> writes: On a typical general-purpose operating system, modifying the stack
will only directly affect the process whose stack it is. Whether that
lets them do more depends on what privileges the process has.
And only provided that the system in question allows execution of any
code that's on the "local stack",
False. Stack-smashing attacks which exploit implementations with
non-executable stacks are well-documented. See so-called "return
into libc" exploits, for example.
I'll list here just a few of the very popular processors/processor lines
which would allow such data/code separation in a sensible manner:
- Most of harvard-like architectures (so, a lot of RISC processors);
But not the POWER family, which is the most popular RISC processor
for general-purpose computing (thanks to Apple). The POWER MMU lacks
separate read and execute page-protection bits.
- The 68k processors, back to the 68000 (albeit a bit crude on this);
- The x86 series, back to the 286 (with the ability of marking memory
segments as executable or not);
But not pages, so this facility is useless for the dominant x86 OSes.
The merits of separate I&D have been debated endlessly in any number
of places. This is not the forum to bring them up again. Try
alt.folklore.computers or comp.arch. They're probably sick of it
too, but at least it's on-topic there.
But we're getting a bit off-topic. Sorry.
Entirely off-topic. The effects of Undefined Behavior are OT for
comp.lang.c. Regardless of the value of "a good understanding of the
underlying reality", not every topic related to programming belongs
here. Further, what you refer to as "underlying reality" is not the
same for all C implementations. Are you prepared to discuss how
every conforming implementation deals with Undefined Behavior caused
by overwriting an automatic variable?
--
Michael Wojcik mi************@microfocus.com
Even though there may be some misguided critics of what we're trying
to do, I think we're on the wrong path. -- Reagan This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Dan |
last post by:
Using XML::Simple in perl is
extreemly slow to parse big
XML files (can be up to 250M,
taking ~1h).
How can I increase my performance /
reduce my memory usage?
Is SAX the way forward?
|
by: Manuel Collado |
last post by:
I would like to write simple, yet well structured documents with a
really simple XML DTD (or schema). Either Docbook or SDocbook are
overkill for this simple case.
XHTML is simpler, but...
|
by: Michael B Allen |
last post by:
Hi,
I've tried to write the *simplest* memory allocator possible. I think it
would be useful in many cases such as allocating memory on stack as a
poor man's garbage collection perhaps.
I was...
|
by: KevinD |
last post by:
assumption: I am new to C and old to COBOL
I have been reading a lot (self teaching) but something is not sinking
in with respect to reading a simple file - one record at a time.
Using C, I am...
|
by: Rodrigo Ferreira |
last post by:
Anyone uses the simple button component from DevExpress?
| | |
by: abcd |
last post by:
I am trying to set up client machine and investigatging which .net
components are missing to run aspx page.
I have a simple aspx page which just has "hello world" printed....
When I request...
|
by: Sender |
last post by:
Yesterday there was a very long thread on this query. (You can search on
this by post by 'sender' with subject 'Simple Problem' post date Oct 7 time
1:43p)
And in the end the following code was...
|
by: Steven M. O'Neill |
last post by:
I have an xml structure like this:
<Meta name="fieldAttributes">
<MetaString name="name">SUB_PHONE</MetaString>
<MetaString name="value">999999999</MetaString>
</Meta>
<Meta...
|
by: Rick Muller |
last post by:
I'd like to use my webserver to distribute some simple python physics
apps. Ideally, I'd like to use some simple form to input a few pieces
of data, call a python program, and return some image...
|
by: kenobewan |
last post by:
Congratulations! You are one of the few who realise that over 80% of errors are simple and easy to fix. It is important to realise this as it can save a lot of time. Time that could be wasted making...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
