Exploited antique code

In case you are not following, I’ll reiterate: this is old code, so don't give me grief. How old is the code? I’m not sure exactly, but I was in Jr. High at the time. So again, no jabbing at me for "crap code"! Good?

Ok, the main() function below is a stand-in: it feeds a fixed buffer to the vulnerable procedure, "ParseRequest(...)", so you can see what the procedure was for and how it behaves. In the original program that buffer came straight off the socket.

The idea was to scan a request received over an anonymous (unauthenticated) TCP/IP connection for parameter markers such as /P1, and to copy out each parameter's value, which was assumed to always end in a line feed character (optionally preceded by a carriage return).

Can you spot the vulnerabilities? This code assumes the remote peer is "perfectly trustworthy" and "completely bug free": it never checks the length of what it reads or the size of what it writes into. This is a prime example of bad code.

We have potential buffer underflows and overflows, out-of-bounds memory reads and writes, and, because the output buffer lives on the caller's stack, the possibility of a remote peer injecting whatever it likes past the end of it. Or, to put it in layman's terms: this application would only have been "safe" if it were run on a machine with no networking capabilities, period!

//-----------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

//-----------------------------------------------------------------------
char *ParseRequest(const char *sInput, char *sOutput)
{
 size_t iLen = strlen(sInput); //Trusts the peer to have NUL-terminated the request.
 size_t r = 0; //Read position.
 size_t w = 0; //Write position.
  
 //Skip the parameter marker.
 //Advances until the previous byte is a space; r is never compared against iLen.
 while(r == 0 || sInput[(r == 0 ? 1 : r) - 1] != ' ')
 {
  r++;
 }
  
 //Parse the parameter value.
 //w is never compared against the size of sOutput (255 bytes in main below).
 while(r < iLen && sInput[r] != '\r' && sInput[r] != '\n')
 {
  sOutput[w++] = sInput[r++];
 }
  
 sOutput[w] = 0; //NULL terminator.
  
 return sOutput;
}
  
//-----------------------------------------------------------------------
  
int main(int argc, char *argv[])
{
 char input[1024];
 char output[255]; //Stack buffer handed to ParseRequest without its size.
  
 //Stand-in for the request that originally arrived over the socket.
 strcpy(input,
  "/P1 Param text 1\n"
  "/P2 Param text 2\n"
  "/P3 Param text 3\n"
  "/P4 Param text 4\n");
  
 //Every '/' is treated as the start of a parameter marker.
 for(size_t i = 0; i < strlen(input); i++)
 {
  if(input[i] == '/')
  {
   ParseRequest(input + i, output);
   printf("%s\n", output);
  }
 }
  
 return 0;
}
  
//-----------------------------------------------------------------------

  • Hints:
    • What would happen if the input was neither NUL-terminated nor carriage-return / line-feed terminated?
    • What would happen if the input, or any one of the parameter values, was longer than 255 characters?
    • What would happen if the input contained no space between the parameter name (/P1) and its value (Param text 1)?
    • What if there were no spaces in the parameter text at all, in conjunction with a missing space between the parameter name and its value?
The answer to all four questions? In the best case, a program crash. Each one pushes the read position past the end of sInput or the write position past the end of output, the 255-byte stack buffer in main. Once a remote peer can write past output it can overwrite whatever sits above it on the stack, the return address included, and that is how malicious code gets injected into your happy application for it to execute - which never leads to happy end-users.
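The following is an added example, not code from the original page: a bounded rewrite of ParseRequest that answers the four hints above and the vulnerability list before the code. It takes the length of the remaining input instead of trusting strlen(), requires the space separator to appear before the end of the buffer or the end of the line, and refuses any value that would not fit in the output buffer. ParseRequestSafe, ParseAllParams, OUTPUT_SIZE and the request buffer assembled in main() are all names and data constructed for this example; the 255-byte output buffer matches the one in the page's main().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUTPUT_SIZE 255 /* Same size as output[] in the original main(). */

/* Bounded replacement for ParseRequest (added example, not the page's code).
 * sInput is treated as a byte buffer of iInputLen bytes that may lack both a
 * NUL terminator and a trailing CR/LF. The value is written to sOutput, which
 * holds iOutputLen bytes including the NUL terminator.
 * Returns the number of value bytes written, or -1 if the request is malformed
 * (no space between marker and value) or the value would not fit. */
int ParseRequestSafe(const char *sInput, size_t iInputLen,
                     char *sOutput, size_t iOutputLen)
{
 size_t r = 0; /* Read position. */
 size_t w = 0; /* Write position. */

 if(sOutput == NULL || iOutputLen == 0)
  return -1;
 sOutput[0] = 0; /* Leave a valid empty string on every error path. */
 if(sInput == NULL || iInputLen == 0 || sInput[0] != '/')
  return -1;

 /* Skip the parameter marker: advance to the separating space, but never past
  * the end of the buffer or the end of the line (hints 1, 3 and 4). */
 while(r < iInputLen && sInput[r] != ' ' && sInput[r] != '\r' && sInput[r] != '\n')
  r++;
 if(r >= iInputLen || sInput[r] != ' ')
  return -1; /* Marker ran into end of input or end of line: no value. */
 r++; /* Step over the space. */

 /* Copy the value up to CR/LF or the end of the buffer, always keeping one
  * byte for the terminator (hint 2). */
 while(r < iInputLen && sInput[r] != '\r' && sInput[r] != '\n')
 {
  if(w + 1 >= iOutputLen)
  {
   sOutput[0] = 0;
   return -1; /* Value longer than the output buffer: refuse, don't truncate silently. */
  }
  sOutput[w++] = sInput[r++];
 }
 sOutput[w] = 0;
 return (int)w;
}

/* Walks a request buffer the way the original main() does, but hands the
 * parser the number of bytes that remain instead of trusting strlen().
 * Returns how many parameters parsed cleanly; rejected ones are reported. */
int ParseAllParams(const char *buf, size_t len)
{
 char output[OUTPUT_SIZE];
 int ok = 0;
 for(size_t i = 0; i < len; i++)
 {
  if(buf[i] == '/')
  {
   int n = ParseRequestSafe(buf + i, len - i, output, sizeof output);
   if(n < 0)
    printf("rejected parameter at offset %zu\n", i);
   else
   {
    printf("%s\n", output);
    ok++;
   }
  }
 }
 return ok;
}

int main(void)
{
 /* Constructed request: the page's four well-formed parameters followed by
  * one line per hint. The buffer is deliberately not NUL-terminated and the
  * last parameter has neither a space nor a line feed. */
 char req[1024];
 size_t len = 0;
 const char *good = "/P1 Param text 1\n/P2 Param text 2\n/P3 Param text 3\n/P4 Param text 4\n";
 memcpy(req, good, strlen(good)); len += strlen(good);
 memcpy(req + len, "/P5NoSpace\n", 11); len += 11;            /* hint 3 */
 memcpy(req + len, "/P6 ", 4); len += 4;                       /* hint 2: 300-byte value */
 memset(req + len, 'A', 300); len += 300;
 req[len++] = '\n';
 memcpy(req + len, "/P7NoSpaceNoNewline", 19); len += 19;      /* hints 1 and 4 */

 int n = ParseAllParams(req, len);
 printf("%d parameters accepted\n", n); /* P1..P4 accepted, P5..P7 rejected */
 return 0;
}
```

The design choice worth noting is that the parser never learns about the buffer sizes from the data itself: the caller passes both the remaining input length and the output capacity, so a peer that omits the terminator, the separator or the line feed can only make the call fail, never make it read or write outside the two buffers.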

Is this code snippet, product or advice warrantied against ill-effect and/or technical malaise? No. No it's not! Not expressed - Not implied - not at all.
Tags:
 Antique    C Plus Plus    Exploit    Hack    TCP/IP    Winsock  

Created by Josh Patterson on 2/8/2013, last modified by Josh Patterson on 2/8/2013

Copyright © 2017 NetworkDLS.
All rights reserved.