Buffer overflow
davidv
Code:
/* begin failure.c */
/* compile with gcc -o failure failure.c */

#include <stdio.h>
#include <string.h>

int
main(void)
{
    int authenticated = 0;
    char buf[1000];

    gets(buf);
    if(strcmp("secret", buf) == 0) {
        authenticated = 1;
    }

    if(authenticated) {
        printf("You are now logged in!\n");
    }
    else {
        printf("Bad password. Try again.\n");
    }

    return 0;
}

/* end failure.c */


The code above is not something I wrote myself (I've yet to learn C). However, right now I am learning some basic security issues when programming, specifically buffer overflows. During one of my tutorials last week I asked a question.

How is it that, due to a buffer overflow, the expression below evaluates to true?

Code:
 if(strcmp("secret", buf) == 0) {


I only understand what I've been taught so far, that is: when there's a buffer overflow the buffer is either overwritten or adjacent buffers are overwritten. The response to my question was "crazy things happen when the buffer overflows" and then she wasn't able to go any further. I sighed and walked out the door without even so much as a "thanks, goodbye." Fortunately she was just a sub because the actual tutor was sick on that day. But yes, I turn to you, Frihost... how does that evaluate to true?
Peterssidan
The C standard doesn't specify what will happen on a buffer overflow. This is called undefined behaviour. When you have undefined behaviour anything can happen. A valid C implementation is allowed to do anything when undefined behaviour occurs: print text, format your hard drive, let your car explode etc.

Normally when a buffer overflow happens you will read or write to memory outside the buffer. If the memory is not accessible you get an access violation and the program crashes. In your case buf is located on the stack, so when gets overflows it will write to other parts of the stack. This might change variable values (and other things). It could be that it writes something to authenticated so that it gets a value other than 0 and therefore "You are now logged in!\n" is printed.
davidv
Is it possible to perform a traceback on this? I'd really like to see what happens internally when shit hits the ceiling, so to speak.
Peterssidan
I don't know. Maybe you can use a debugger but I don't know if you will be able to see exactly what happens. Maybe you can try to print the address of authenticated and of buf and see if authenticated is located after the buf array. Doing so might change the behaviour so it could be useless.

Normally you should not need to know exactly what is going on behind the scenes. All you should care about is staying away from undefined behaviour. And the gets function is not very safe. My compiler even gives me a warning if I use it.
Quote:
warning: the `gets' function is dangerous and should not be used
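The two points Peterssidan makes above (buf and authenticated sitting next to each other in memory, and gets being unsafe because it has no length limit) can be made concrete in a small program. The example below is added here and is not code from the thread. It mirrors the locals of failure.c inside a struct, because struct members have a defined order while the order of stack locals does not, so offsetof can report how many bytes separate the buffer from the flag. It then replaces the unbounded gets with a bounded line reader that refuses input that would not fit, so the flag can only ever be set by the strcmp. The input strings and the 16-byte BUF_SIZE are constructed for the example; read_line_bounded takes its text from a string rather than stdin so it runs offline.

```c
/* safe_login.c: added example, not from the original thread.
   Shows (1) a fixed-size buffer and a flag laid out next to each other,
   using a struct so the layout is defined (stack-local order is not), and
   (2) a bounded replacement for gets() that cannot write past the buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16   /* constructed: small so the arithmetic is easy to follow */

/* Mirror of failure.c's locals with a defined layout: buf first, then flag. */
struct login_frame {
    char buf[BUF_SIZE];
    int  authenticated;
};

/* Bytes from the start of buf to the flag: how far an unbounded write into
   buf would have to run before it reached `authenticated`. */
size_t bytes_until_flag(void) {
    return offsetof(struct login_frame, authenticated)
         - offsetof(struct login_frame, buf);
}

/* Bounded line read from a string (stands in for stdin so the example runs
   offline). Reads up to the first newline. Returns 0 on success, -1 if the
   line plus its terminating NUL does not fit in dst_size bytes. Over-long
   input is rejected rather than silently truncated. */
int read_line_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strcspn(src, "\n");   /* length of the line without newline */
    if (n >= dst_size) {             /* no room for the NUL: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened form of failure.c's check: the only path that sets the flag is a
   successful strcmp, because nothing can write outside f.buf. */
int check_password(const char *typed) {
    struct login_frame f;
    f.authenticated = 0;
    if (read_line_bounded(f.buf, sizeof f.buf, typed) != 0) {
        return 0;   /* input too long for the buffer: treat as bad password */
    }
    if (strcmp("secret", f.buf) == 0) {
        f.authenticated = 1;
    }
    return f.authenticated;
}

int main(void) {
    printf("bytes between buf and flag: %zu\n", bytes_until_flag());
    printf("\"secret\" -> %d\n", check_password("secret\n"));
    printf("\"wrong\"  -> %d\n", check_password("wrong\n"));
    printf("32 x 'A' -> %d\n", check_password("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"));
    return 0;
}
```

With real terminal input the same bounded read is what `fgets(buf, sizeof buf, stdin)` gives you; check whether the returned line ends in a newline to detect that the input was longer than the buffer, instead of assuming the rest was consumed.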