Fernando J. Pereda’s blag

August 24, 2008

Security Trivia IV

Filed under: blag — Fernando J. Pereda @ 2:02 pm

This one is easy and sweet. Your goal is to make this program crash and explain why it happened; good luck:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
	if (argc != 4) {
		fprintf(stderr, "DIAF\n");
		return EXIT_FAILURE;
	}

	char c[3];
	unsigned i;
	for (i = 0; i < sizeof(c); i++)
		c[i] = atoi(argv[i + 1]);

	if (c[0] + c[1] + c[2] == 0) {
		fprintf(stderr, "No no\n");
		return EXIT_FAILURE;
	}

	c[1] += c[0] + c[2];
	printf("%d\n", c[0]/c[1]);

	return EXIT_SUCCESS;
}

Before spoiling your own fun by looking at the comments, try to do it yourself. Really, it is easy, and it will make you understand C better.
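As an added example (not part of the post), here is the same arithmetic written the way a defender would want it: the arguments are range-checked while parsing, and the divisor is kept in an int and tested right before the division instead of being narrowed into a char. Work the puzzle first; this shows the property the original program lacks.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one argument into a value that must fit in a signed char. Returns 0 on
 * success, -1 if the text is not a number or is out of range (atoi() would not tell). */
static int parse_schar(const char *s, int *out)
{
	char *end;
	long v = strtol(s, &end, 10);   /* on overflow strtol saturates, still out of range */
	if (end == s || *end != '\0' || v < SCHAR_MIN || v > SCHAR_MAX)
		return -1;
	*out = (int)v;
	return 0;
}

/* Same arithmetic as the puzzle, carried out in int with no narrowing store.
 * Returns 0 and the quotient, or -1 if the divisor would not fit a char or is zero. */
int safe_quotient(int a, int b, int c, int *quot)
{
	int divisor = a + b + c;   /* the puzzle stores this back into c[1], a char */
	if (divisor < SCHAR_MIN || divisor > SCHAR_MAX)
		return -1;         /* would not fit a char: refuse rather than wrap */
	if (divisor == 0)
		return -1;         /* check the value actually divided by, not an earlier one */
	*quot = a / divisor;
	return 0;
}

int main(int argc, char *argv[])
{
	int v[3], q;
	if (argc != 4) {
		fprintf(stderr, "usage: %s a b c\n", argv[0]);
		return EXIT_FAILURE;
	}
	for (int i = 0; i < 3; i++)
		if (parse_schar(argv[i + 1], &v[i]) != 0) {
			fprintf(stderr, "argument %d is not in [%d, %d]\n", i + 1, SCHAR_MIN, SCHAR_MAX);
			return EXIT_FAILURE;
		}
	if (safe_quotient(v[0], v[1], v[2], &q) != 0) {
		fprintf(stderr, "No no\n");
		return EXIT_FAILURE;
	}
	printf("%d\n", q);
	return EXIT_SUCCESS;
}
```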

— ferdy

June 1, 2008

Security trivia III

Filed under: blag — Fernando J. Pereda @ 6:03 pm

People seem to like this kind of stuff, so here it goes. Take a look at this code:

#define MAX(a, b) ((a) > (b) ? (a) : (b))

struct st *dst, *src;
int size /* = some number of bytes you can control so that size >= 0 */;

/* Some code that sets up src and dst to valid buffers.
 * Everything but the last structure of src fits into dst. */

memcpy(dst, src, MAX(0, size - sizeof(struct st)));

Again:

  • What’s wrong with this code?
  • What environment do you need to exploit it?
  • Given such an environment, how can you exploit it?
  • How would you fix the code?

Remember, someone might have solved it in the comments. That could spoil the fun. You have been warned.

— ferdy

May 26, 2008

Security trivia II

Filed under: blag — Fernando J. Pereda @ 6:25 pm

Suppose you have the following code:

char *start, *end, *ref;
/* Some code that processes user input so that start and end
 * point to valid memory addresses and start + k < end.
 * Where k is some constant you can't control.
 * ref is made to point to some program-defined chunk,
 * but you can't control this one.
 */
int n = end - start;
if (memcmp(ref, start, n) != 0) {
    printf("Checksum mismatch. Access denied.\n");
    exit(EXIT_FAILURE);
}
printf("Checksum matches. Access granted.\n");

This one is probably easier than the first one, but anyway:

  • What’s wrong with this code?
  • What environment do you need to exploit it?
  • Given such an environment, how can you exploit it?
  • How would you fix the code?

If you’ve seen me ranting about this in #exherbo-dev, you are not allowed to answer :)

— ferdy

May 23, 2008

Security trivia

Filed under: blag — Fernando J. Pereda @ 2:37 pm

Apparently, this kind of issue is difficult to understand. Sometimes you can pretend they don’t exist, but you do want to get rid of them. Security is often about small mistakes here and there that lead to big holes when used together.

So:

  • What’s wrong with this code?
  • What environment do you need to exploit it?
  • Given such an environment, how can you exploit it?
  • How would you fix the code?

[...]
if(-l $statefile) {
        die("$statefile is a symbolic link, refusing to touch it.");
}
open (OUT, ">$statefile") or exit 4;
print OUT "$pos:$delivered\n";
[...]

A couple of days ago, I reported a similar issue (which I suspect can be exploitable) and couldn’t get upstream to fix it (I can’t be bothered with a patch because I don’t use the software anyway). I’m not sure why they didn’t fix it; probably they don’t care about security, or they don’t understand the issue at hand.

I’ll post the answer in a couple of days or whenever someone gets it right.

— ferdy

May 22, 2008

Reading

Filed under: blag — Fernando J. Pereda @ 1:29 am

Recently Read

  • Linux System Programming, Robert Love. This book disappointed me. I expected much deeper stuff and not only a mere listing of syscalls and some hints here and there.
  • Beyond Fear, Bruce Schneier. I liked it very much, really enlightening.

Currently Reading

Recommendation: Secure Coding in C and C++, Robert C. Seacord. Even if it is difficult to read at first, it is really enjoyable and interesting.

— ferdy

Blog at WordPress.com.