vulnerability - Some vulnerable projects in C or C++ for a lecture? - Information Security Stack Exchange
security - Find the vulnerability in the C program - Stack Overflow
Security vulnerabilities in fairly simple c code - Stack Overflow
Buffer Overflow Vulnerability C Code
Videos
Open Security Training has some great resources to teach developers about secure code practices including a virtual machine with compilers and vulnerable code samples
Also look at NIST's SAMATE TEST Suite for C and C++ vulnerable code, For e.g. C test suite contains good examples of Format String, Buffer overflow vulnerabilities in C.
You can find vulnerable versions of open source software like Wireshark on SAMATE as well. You might also want to look at exploit-db.com once your students are comfortable with simple vulnerabilities.
Finding security issues in Wireshark, VLC or any media libraries can be a great exercise for students and also improves security of open source projects.
DevIL is an image library with quite a lot of stack overflows in it.
count_digits incorrectly returns zero for zero. The correct result is one. A name of 251 characters with a salary of zero will require 257 characters (251 for name, 1 for salary, 5 for color, space, dollar sign, new-line, and null), but len will be incorrectly computed as 256, and len > sizeof(buffer) will not be triggered, so the code will overflow buffer.
(Another problem is strlen has undefined behavior when name is not null-terminated, but the context of name is not clear from the problem statement.)
This is not an answer, but an example of what the code potentially should have been to avoid the buffer overflow described by Erik Postpischil.
The count_digits function is wrong (in case of 0), but also unnecessary. It is possible to limit the output to buffer using snprintf:
void add_record(const char* name, unsigned int salary)
{
char buffer[256];
int len;
len = snprintf(buffer, sizeof buffer, "%s: $%u\n", name, salary);
if (len >= sizeof(buffer)) {
printf("Too long string");
exit(1);
}
fputs(buffer, global_file_handle);
}
Note that if len is exactly equal to sizeof buffer, this will mean that the resulting string was already truncated. In fact, len + 1 is the size that buffer should have been to prevent truncation.
Create a large file such that reading row and cols are both negatives. rasterBytes = pixBytes * rows * cols is positive so everything will be fine till p = img->raster;. But at this point you have two infinite loops, and the program may overwrite the heap.
Another attack is to set up row and cols such that they have different sign. You can choose either value to be -1, while the other is large enough to read the data you want. The allocation
img->raster = (void*)malloc(rasterBytes);
will fail, which lead img->raster to point to NULL. Which means
fread(p, pixBytes, 1, fp) < 1
will try to read the content of the file to kernel memory. If this code is executed in kernel mode, depending of the system (let say old unix which doesn use memory segment), then you will overwrite the content of the kernel memory with the content of the file. A kernel which doesn use memory segment rely not on segmentation faults but on page faults (a virtual address which doesnt have any real page assigned to it). The issue is that there are virtual memory designs such that the first real pages are directly assigned to the kernel pages. Ie kernel virtual address 0x0 is correspond to the real memory at 0x0 and is perfectly valid (inside the kernel).
EDIT: In both of those cases, the goal of the attacker is to inject the content of the input file (which is totally under his control) in a region of memory he should not have access to, while not being able to modify the function read_ppm().
There is also the fact that this allocation is not checked for success. Could result in a DoS.
img->raster = (void*)malloc(rasterBytes);
Hi folks,
I have this c code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int ssp(char * str)
{
char buffer[100];
strcpy(buffer,str);
return 1;
}
int main(int argc, char **argv)
{
char str[400];
FILE * afile;
afile = fopen("afile", "r");
fread(str, sizeof(char), 400, afile);
ssp(str);
printf("Returned Properly\n");
return 1;
}The program provided reads the contents of a file called `"afile"` into a character array called `str`, which can hold up to 400 characters. It then calls the `ssp` function and passes `str` as an argument.
The `ssp` function copies the contents of the `str` character array into a local character array called buffer. The `strcpy` function used to copy the string data does not perform any bounds checking, which can lead to buffer overflow vulnerabilities if the input string is longer than the buffer size.
However, the lack of bounds checking in the `strcpy` function in the `ssp` function can potentially lead to buffer overflow vulnerabilities if used in a larger program or in an environment with untrusted input data.
Could anyone please assist with a shellcode at the end of "afile" and then store the shellcode on the stack to run? Please...