
Locate Buffer Overflow Vulnerability in C Code

  • 09-08-2018 01:20PM, #1 by Dubba (Posts: 895)


    I'm looking at a past paper for a 4th-year module called Software Security, where there's a question that asks: 'Where is the buffer overflow in the following code?'

    #include <stdlib.h>

    int *table = NULL; // table is a global variable

    int insert_in_table(int pos, int value) {
        // Allocate a table size of 100 and insert value
        // into position pos in the table
        if (!table) {
            table = (int*)malloc(sizeof(int) * 100);
        }
        if (pos > 99) {
            return -1;
        }
        table[pos] = value;
        return 0;
    }
    

    From my reading, it isn't obvious where the vulnerable code is located. Most examples I've seen are usages of unsafe library functions, such as strcpy, that don't use bounds checking, e.g.:
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buffer[500];
        strcpy(buffer, argv[1]);   // no bounds check on the length of argv[1]
        return 0;
    }
    

    I think this line might be the vulnerable code:
    table = (int*)malloc(sizeof(int) * 100);

    Where sizeof(int) is the number of bytes needed to represent an integer in memory, then malloc() allocates in memory the size of this parameter and returns a pointer to this memory address. Finally, typecast to an integer with (int*).
    Perhaps an attacker, using gdb, could locate the memory address returned, then enter some value to overflow past 100, to access the return address?

    Just to note, my understanding of the fundamentals in C is quite limited because the course I took in college up to 4th year taught no C modules. Any help with this would be appreciated, thanks.


Comments

  • dazberry (Posts: 2,152)


    if (pos > 99) {
        return -1;
    }
    table[pos] = value;
    

    Pos could also be a minus number...


  • Dubba (Posts: 895)


    Thanks dazberry, I completely missed that. I passed in a negative number with the following code:
    // calls the insert_in_table() from the question above
    int main(void) {
        insert_in_table(-3, 1);
        return 0;
    }
    

    ... and got a Segmentation fault. So, we have an invalid memory access, that could lead to a buffer overflow. Correct me if I'm wrong, thanks.


  • 14ned (Posts: 768)


    Dubba wrote: »
    I'm looking at a past paper for a 4th-year module called Software Security, where there's a question that asks: 'Where is the buffer overflow in the following code?'

    That code is unrealistic. It isn't idiomatic C. Perhaps they were making it easy for you? Either way, it's not a good test. Buffer overflows in real world code tend to be non-obvious.

    Anyway, malloc can also fail to allocate, in which case it returns null. One then overflows the buffer.

    There is a potential overflow in the malloc() parameter where it'll wrap past INT_MAX because the bounds check occurs after the malloc. You've already been told about the missing negative bounds check.

    For extra brownie points, the memory returned by malloc may only be allocated on first write. So, the malloc would succeed, but the write into it might trigger a SIGBUS due to exhaustion of swap space etc.

    And finally the code is racy. There is no guard on the modification of the global variable. Two concurrent executions could allocate two malloc blocks and who knows where your write is placed.

    All these things can be exploited by an attacker to subvert your code. This is why nobody writes that kind of code any more, they use standard library and language facilities which abstract away that sort of low level easy to get wrong stuff.

    Niall
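    A hardened rewrite of the question's insert_in_table(), added here as an example and not code from anyone in the thread. It addresses the two points raised above that a bounds check can fix: dazberry's negative index, and Niall's observations that the range check runs after the malloc and that a NULL result from malloc is never checked. The return codes (-1 for a bad index, -2 for allocation failure), the use of calloc, and the table_value_or/free_table helpers are choices made for this example. The race on the global pointer is not addressed here; that needs a lock or a different design, not a bounds check.

```c
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 100   /* the 100-entry table from the question */

/* Same global layout as the question's code, so the two versions
 * can be compared line for line (example code, not from the thread). */
static int *table = NULL;

/* Hardened insert. Return codes are chosen for this example:
 *   0  stored
 *  -1  pos out of range (negative or >= TABLE_SIZE)
 *  -2  allocation failed */
int insert_in_table_safe(int pos, int value) {
    /* Check the index in both directions before touching memory.
     * pos < 0 writes before the block; pos >= 100 writes after it.
     * The original only rejected pos > 99, and did so after malloc. */
    if (pos < 0 || pos >= TABLE_SIZE) {
        return -1;
    }
    /* Lazy allocation, but never dereference a NULL result. calloc
     * also zero-fills, so reading an unwritten slot cannot leak
     * whatever was previously on the heap. */
    if (table == NULL) {
        table = calloc(TABLE_SIZE, sizeof *table);
        if (table == NULL) {
            return -2;
        }
    }
    table[pos] = value;
    return 0;
}

/* Bounds-checked read: returns the stored value, or `fallback` when
 * the table is unallocated or pos is out of range. */
int table_value_or(int pos, int fallback) {
    if (table == NULL || pos < 0 || pos >= TABLE_SIZE) {
        return fallback;
    }
    return table[pos];
}

/* Release the table (lets a harness restart from a clean state). */
void free_table(void) {
    free(table);
    table = NULL;
}

int main(void) {
    /* Constructed inputs mirroring the thread: -3 is dazberry's
     * negative index, 100 is one past the last slot, 99 is valid. */
    printf("insert(-3, 1)  -> %d\n", insert_in_table_safe(-3, 1));
    printf("insert(100, 1) -> %d\n", insert_in_table_safe(100, 1));
    printf("insert(99, 7)  -> %d\n", insert_in_table_safe(99, 7));
    printf("table[99]      =  %d\n", table_value_or(99, -1));
    free_table();
    return 0;
}
```

    A quick way to confirm the original bug rather than reason about it: build the question's code with `cc -Wall -g -fsanitize=address` and call insert_in_table(-3, 1). AddressSanitizer reports a heap-buffer-overflow write to the left of the 400-byte region, which is exactly the out-of-bounds write the segmentation fault above was hinting at; the hardened version returns -1 without touching memory.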

