Exploited antique code warning, not for the faint of heart!!

by Josh Patterson, 2 August 2010, 12:12

In case you are not following, I’ll reiterate: This is old code so don’t give me grief. How old is the code?? I’m not sure exactly, but I was in Jr. High at the time. So again, no jabbing me for "crap code"!

Okay, the main() function below is a stand-in, written to show the purpose and typical use of the vulnerable procedure: "ParseRequest(...)"

The idea was to look for the different parameters that were being passed over an anonymous TCP/IP connection and then parse off each parameter's text, which would always be terminated by a line feed (optionally preceded by a carriage return).

Can you spot the vulnerabilities? This code assumes a "perfectly trustworthy" and "completely bug free" remote peer at every step. It is a prime example of bad code.

We have potential underflows, overflows, injection possibilities, out-of-bounds memory reads and writes, etc., etc. Or, to put it in layman's terms: this application would only have been "safe" on a machine with no networking capability, period!

//-----------------------------------------------------------------------
#include <stdio.h>  //printf
#include <string.h> //strlen, strcpy
 
//-----------------------------------------------------------------------
//The vulnerable procedure, exactly as it was (see the hints below).
char *ParseRequest(const char *sInput, char *sOutput)
{
 size_t iLen = strlen(sInput);
 size_t r = 0; //Read position.
 size_t w = 0; //Write position.
 
 //Skip the parameter marker.
 while(r == 0 || sInput[(r == 0 ? 1 : r) - 1] != ' ')
 {
  r++;
 }
 
 //Parse the parameter value.
 while(r < iLen && sInput[r] != '\r' && sInput[r] != '\n')
 {
  sOutput[w++] = sInput[r++];
 }
 
 sOutput[w] = 0; //NULL terminator.
 
 return sOutput;
}
 
//-----------------------------------------------------------------------
 
int main(int argc, char *argv[])
{
 char input[1024];
 char output[255];
 
 strcpy(input,
  "/P1 Param text 1\n"
  "/P2 Param text 2\n"
  "/P3 Param text 3\n"
  "/P4 Param text 4\n");
 
 for(size_t i = 0; i < strlen(input); i++)
 {
  if(input[i] == '/')
  {
   ParseRequest(input + i, output);
   printf("%s\n", output);
  }
 }
 
 return 0;
}
 
//-----------------------------------------------------------------------

 

Hints:

  1. What would happen if the input wasn’t null nor carriage-return / line feed terminated?
  2. What would happen if the input or any one of the parameter values were greater than 255 characters?
  3. What would happen if the input contained no space between the parameter name (/P1) and its value (Param Text 1)?
  4. What if there were no spaces in the param text in conjunction with a missing space between the parameter name and its value?

The answer to all four questions? Hopefully a program crash! Otherwise, the out-of-bounds reads and writes these cases cause are exactly what an attacker needs to inject malicious code for your happy application to execute. Concretely: with no terminator at all (1), strlen() and the marker-skip loop both read past the end of the input; a value of 255 characters or more (2) writes past the end of the 255-byte output buffer on the stack (at exactly 255 the NUL terminator alone overruns it); with no space after the marker (3), the skip loop runs into the value and returns the wrong text; and with no space anywhere (4), that loop has no bound at all and walks off the end of the input, reading memory until it happens to find one.
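To make the four failure modes concrete, here is a bounds-checked rewrite of the same parser. It is an added example, not code from the original post: the names ParseRequestSafe, CountValidRecords and parse_result, the error codes, and the sample buffer are this example's own. The input is described by an explicit length instead of strlen(), every read is checked against that length, every write is checked against the output size, and a missing space or missing line terminator is reported instead of being walked past. The record walker also splits on the line terminator rather than scanning for '/', so a slash inside a value cannot be mistaken for a new marker.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the bounded parser. Names are this example's own. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_NO_SPACE = -1,      /* no ' ' between the marker and a terminator / end of input */
    PARSE_NO_TERMINATOR = -2, /* value ran to the end of the input without '\r' or '\n' */
    PARSE_TOO_LONG = -3,      /* value plus its NUL does not fit in sOutput */
    PARSE_BAD_BYTE = -4       /* NUL byte inside the value; a C string cannot carry it */
};

/* Parse one "/NAME value\n" record from sInput[0..iLen).
 * Unlike the original ParseRequest: the input length is passed in explicitly
 * (the buffer is never strlen()'d and need not be NUL-terminated), every read
 * is checked against iLen, and every write is checked against nOutput.
 * On success sOutput holds the NUL-terminated value and *pValueLen its length;
 * on any failure sOutput is the empty string and an error code is returned. */
int ParseRequestSafe(const char *sInput, size_t iLen,
                     char *sOutput, size_t nOutput, size_t *pValueLen)
{
    size_t r = 0; /* read position  */
    size_t w = 0; /* write position */

    if (nOutput == 0)
        return PARSE_TOO_LONG;
    sOutput[0] = 0;
    if (pValueLen)
        *pValueLen = 0;

    /* Skip the marker: stop at the first space, but give up at a line
       terminator or at the end of the input instead of walking off the
       buffer (hints 3 and 4). */
    while (r < iLen && sInput[r] != ' ' && sInput[r] != '\r' && sInput[r] != '\n')
        r++;
    if (r == iLen || sInput[r] != ' ')
        return PARSE_NO_SPACE;
    r++; /* step over the space */

    /* Copy the value: bounded by the output size (hint 2) and by the input
       length rather than by a NUL the peer may never have sent (hint 1). */
    while (r < iLen && sInput[r] != '\r' && sInput[r] != '\n') {
        if (sInput[r] == 0) {
            sOutput[0] = 0;
            return PARSE_BAD_BYTE;
        }
        if (w + 1 >= nOutput) { /* leave room for the terminator */
            sOutput[0] = 0;
            return PARSE_TOO_LONG;
        }
        sOutput[w++] = sInput[r++];
    }
    if (r == iLen) { /* input ran out before a line terminator */
        sOutput[0] = 0;
        return PARSE_NO_TERMINATOR;
    }

    sOutput[w] = 0;
    if (pValueLen)
        *pValueLen = w;
    return PARSE_OK;
}

/* Walk a buffer record by record, splitting on '\n' (rather than scanning
   for '/' as the original main() did, so a '/' inside a value is not taken
   for a new marker). Malformed records are skipped. Returns the number of
   records parsed successfully. */
size_t CountValidRecords(const char *buf, size_t len)
{
    size_t ok = 0, start = 0;
    char value[64];

    while (start < len) {
        size_t end = start;
        while (end < len && buf[end] != '\n')
            end++;
        /* include the '\n' in the record if one was found */
        size_t reclen = (end < len) ? end - start + 1 : end - start;
        if (buf[start] == '/' &&
            ParseRequestSafe(buf + start, reclen, value, sizeof value, NULL) == PARSE_OK)
            ok++;
        start = end + 1;
    }
    return ok;
}

int main(void)
{
    /* Constructed sample: the original post's four records followed by two
       of the malformed cases from the hints. The parser is handed an explicit
       length and never relies on the literal's trailing NUL. */
    static const char wire[] =
        "/P1 Param text 1\n/P2 Param text 2\n/P3 Param text 3\n/P4 Param text 4\n"
        "/P5nospace\n"        /* hint 3: no space after the marker     */
        "/P6 no terminator";  /* hint 1: peer never sent the line feed */
    size_t wire_len = sizeof wire - 1;
    char value[64];
    size_t n;

    printf("valid records: %zu of 6\n", CountValidRecords(wire, wire_len));
    printf("first record -> %d, value \"%s\" (%zu bytes)\n",
           ParseRequestSafe(wire, wire_len, value, sizeof value, &n), value, n);
    return 0;
}
```

Build with `cc -std=c99 -Wall`. One caveat the bounds checks do not remove: the ambiguity in hint 3 is a property of the format, not of the parser. "/P1Param text 1" still parses as the value "text 1", because nothing says how long a parameter name is; a bounded parser only guarantees that case cannot touch memory outside the buffers. Rejecting it outright needs a tighter format (a fixed-length or alphanumeric-only name, for instance).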
