All geek questions in one place

Heap Overflow Attack

I am studying heap overflow attacks, and my tutorial provides the following vulnerable C code:

/* record type to allocate on heap */ typedef struct chunk { char inp[64]; /* vulnerable input buffer */ void (*process)(char *); /* pointer to function to process inp */ } chunk_t; void showlen(char *buf) { int len; len = strlen(buf); printf("buffer5 read %d chars\n", len); } int main(int argc, char *argv[]) { chunk_t *next; setbuf(stdin, NULL); next = malloc(sizeof(chunk_t)); next->process = showlen; printf("Enter value: "); gets(next->inp); next->process(next->inp); printf("buffer5 done\n"); }

However, the tutorial does not explain how to fix this vulnerability. If anyone can explain the vulnerability and the way (s) to fix it would be great. (Part of the problem is that I come from Java, not from C)

+6
source share
4 answers

The problem is that gets() will continue to read into the buffer until it reads a new line or reaches EOF. He does not know the size of the buffer, so he does not know that he should stop when he reaches his limit. If the string has a length of 64 bytes or more, this will go beyond the buffer and overwrite the process . If the user entering the input knows this, he can enter only the correct characters at position 64 to replace the function pointer with a pointer to another function that he wants to make instead of calling the program.

The fix is ​​to use a function other than gets() , so you can specify a limit on the amount of input. Instead

 gets(next->inp);

you can use:

 fgets(next->inp, sizeof(next->inp), stdin);

The second argument to fgets() tells it to write no more than 64 bytes in next->inp . Therefore, it will read no more than 63 bytes from stdin (it needs to allow bytes for the null string delimiter).

+5
source

The code uses gets , which is notorious for its potential security problem: there is no way to specify the length of the buffer that you pass to it, it will continue to read from stdin until it encounters \n or EOF . Therefore, it can overflow your buffer and write to memory outside it, and then bad things will happen - it can crash, it can continue to work, it can start playing porn.

To fix this, you should use fgets .

+5
source

Now you can fill in more than 64 bytes by setting the address for process . This way you can insert any address you wish. The address can be a pointer to any function.

To fix a simple one, make sure that only 63 bytes are read into the inp array (one for zero) - use fgets

+1
source

The get function does not limit the amount of text coming from stdin . If there are more than 63 characters from stdin , an overflow will occur. Gets discards the LF char, which will be the [Enter] key, but adds char to the end, so the limit is 63 characters.

If the inp value is filled with 64 non-zero characters, because it can be directly accessed, the showlen function will cause an access violation because strlen will look for a null-char above inp to determine its size.

Using fgets would be a good solution for the first problem, but it would also add an LF char and a null value, so the new limit of readable text would be 62.

Secondly, just take care of what is written in inp .

0
source

Source: https://habr.com/ru/post/987598/

More articles:


All Articles