Tyler Littlefield wrote:
> I'm curious here.
> I've heard about exploits from struct loading, not checking buffers.
> Say the struct looked something like this:
> typedef struct
> {
> char uflag;
> int length;
> } header;
> so, using what you told us about pack:
> The size of that structure will be 64 bits, or 8 bytes.
> Which means that from byte 2 to byte 4, there is padding.
> Now, if the exploiter decided to fill in those three bytes, how is that going
> to cause problems for the programmer? If the programmer reads four bytes,
> knowing that the struct is padded, trims off the first byte and continues
> with life, the padding will simply be ignored.
> Exploits are extremely common, but people seem worried about talking about
> them.
> I'd like to learn about them, and preventative measures so I don't run
> through life patching up code, any ideas there?
>
>
> Thanks,
> Tyler Littlefield
> http://tysdomain.com
typedef struct
{
char uflag;
int length;
} header;
is something of an insufficient example. But here is how someone might
do something malicious. Let's assume you don't check the value loaded
into 'length' for validity and length is the size of a buffer. Someone
could set that to -1. Now, let's say you do this:
header hdr;
fread(&hdr, sizeof(hdr), 1, fp);  /* hdr.length is whatever the file says, e.g. -1 */
buffer = malloc(hdr.length);      /* -1 converts to a huge size_t; malloc() returns NULL */
fread(buffer, 1, hdr.length, fp);
Start accessing data...
if (buffer[0]) ...                /* dereferences the NULL buffer */
Application crash.
fread() is probably fairly smart and will see that 'buffer' is NULL
(assuming the OS hasn't allocated RAM) and just return an error. Code
gets written this way because the programmer assumes that no one is
intentionally tampering with values in the data file - i.e. the user
loading the file followed some "standard" to create it or the
application created the data file (e.g. proprietary format). Various
checks could have been performed along the entire route:
if (header.length < 0) error
if (buffer == NULL) error
if (fread() failed to read the correct number of bytes) error
Getting code to execute as a result of loading a file requires a bit
more effort - and typically involves a buffer overflow. It also
involves not checking error conditions and making assumptions.
If you read a large struct in all at once, the tendency is to NOT check
the values that were loaded.
--
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197
*NEW* MyTaskFocus 1.1
Get on task. Stay on task.
http://www.CubicleSoft.com/MyTaskFocus/
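The loader Thomas describes, written out twice as an added example (this is not code from either poster): once exactly as the reply sketches it, with no checks, and once with the three checks from the reply plus a bound on length against the bytes actually left in the file. The in-memory "file" and mem_read() are stand-ins for FILE/fread() so the example runs without disk I/O, the records are constructed inline, and MAX_PAYLOAD is an assumed format limit. The header is read as the raw struct, padding and all, which is the "read the struct in all at once" case from the thread; whatever an attacker puts in the padding bytes is simply never looked at.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The header from the thread. */
typedef struct {
    char uflag;
    int  length;
} header;

/* In-memory stand-in for a FILE so the example runs without disk I/O. */
typedef struct {
    const unsigned char *data;
    size_t size;
    size_t pos;
} memfile;

/* Same contract as fread(): copies up to count items of size bytes and
 * returns the number of whole items actually read. */
static size_t mem_read(void *dst, size_t size, size_t count, memfile *f)
{
    size_t avail = size ? (f->size - f->pos) / size : 0;
    size_t n = count < avail ? count : avail;
    memcpy(dst, f->data + f->pos, n * size);
    f->pos += n * size;
    return n;
}

/* Builds a record the way the reply's loader expects to find it on disk:
 * the raw struct (padding included) followed by the payload. out must hold
 * sizeof(header) + n bytes; returns the number of bytes written. */
size_t make_record(char uflag, int length, const unsigned char *payload,
                   size_t n, unsigned char *out)
{
    header h;
    memset(&h, 0, sizeof h);      /* zero the padding bytes too */
    h.uflag = uflag;
    h.length = length;            /* may disagree with n on purpose */
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, payload, n);
    return sizeof h + n;
}

/* The loader as sketched in the reply: no checks at all. With a tampered
 * length of -1, malloc((size_t)-1) returns NULL and the first write through
 * buffer crashes, so this version is only ever given trusted input here. */
unsigned char *load_record_unchecked(memfile *f, header *hdr)
{
    mem_read(hdr, sizeof *hdr, 1, f);
    unsigned char *buffer = malloc((size_t)hdr->length);
    mem_read(buffer, 1, (size_t)hdr->length, f);
    return buffer;
}

enum load_status { LOAD_OK, LOAD_BAD_HEADER, LOAD_BAD_LENGTH,
                   LOAD_NOMEM, LOAD_SHORT_READ };

/* Assumed per-record cap; a real format would document its own bound. */
#define MAX_PAYLOAD 4096u

/* The same loader with the checks from the reply: length validated before
 * it is used, malloc() result checked, short reads detected. On LOAD_OK,
 * *out is a malloc'd copy of the payload that the caller frees. */
enum load_status load_record_checked(memfile *f, header *hdr,
                                     unsigned char **out)
{
    *out = NULL;
    if (mem_read(hdr, sizeof *hdr, 1, f) != 1)
        return LOAD_BAD_HEADER;                 /* truncated header */
    if (hdr->length < 0 || (size_t)hdr->length > MAX_PAYLOAD ||
        (size_t)hdr->length > f->size - f->pos)
        return LOAD_BAD_LENGTH;                 /* -1, huge, or past EOF */
    size_t len = (size_t)hdr->length;
    unsigned char *buffer = malloc(len ? len : 1); /* malloc(0) may be NULL */
    if (buffer == NULL)
        return LOAD_NOMEM;
    if (mem_read(buffer, 1, len, f) != len) {
        free(buffer);
        return LOAD_SHORT_READ;                 /* file ended early */
    }
    *out = buffer;
    return LOAD_OK;
}

int main(void)
{
    const unsigned char payload[5] = { 'h', 'e', 'l', 'l', 'o' }; /* constructed */
    unsigned char good[sizeof(header) + 5], bad[sizeof(header) + 5];
    size_t gn = make_record(1, 5, payload, 5, good);
    size_t bn = make_record(1, -1, payload, 5, bad);   /* tampered length */
    header h;
    unsigned char *p;

    memfile f = { good, gn, 0 };
    enum load_status s = load_record_checked(&f, &h, &p);
    printf("good record: status %d, length %d\n", s, h.length);
    free(p);

    memfile g = { bad, bn, 0 };
    s = load_record_checked(&g, &h, &p);
    printf("tampered record: status %d, length %d rejected\n", s, h.length);
    return 0;
}
```

The bound against f->size - f->pos is the check that matters most in practice: a length that is non-negative and under the format cap can still claim more bytes than the file holds, and an unchecked fread() on that record would silently leave the tail of the buffer uninitialised.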