Spot the vulnerability challenges
Earlier this week, choc_, a friend of mine, started posting several small C programs to HVAOnline, and asking folks at that popular security forum to find, exploit, and fix the vulnerabilities in those programs.
I found those challenges are very interesting, and some of are quite difficult to solve if you don't understand how C stores, and interprets integer values. They remind me of the great code auditing book "The art of software security assessment" in which the authors dedicate a whole chapter on C language issues, esp. those occur when you use integers in the wrong way.
Here are some of the challenges. I hope you find them interesting.
Challenge 1
I found those challenges are very interesting, and some of are quite difficult to solve if you don't understand how C stores, and interprets integer values. They remind me of the great code auditing book "The art of software security assessment" in which the authors dedicate a whole chapter on C language issues, esp. those occur when you use integers in the wrong way.
Here are some of the challenges. I hope you find them interesting.
Challenge 1
int main(int argc, char **argv) {
if (argc != 3)
return 1;
unsigned short int x = strlen(argv[1]) + strlen(argv[2]);
char *buf = (char *)malloc(x);
strcpy(buf, argv[1]);
strcat(buf, argv[2]);
}
Challenge 2
#include
#include
int main(int argc, char **argv)
{
int x, y;
if (argc != 3)
return 0;
x = atoi(argv[1]);
y = atoi(argv[2]);
return y?x/y:0;
}
Challenge 3
#include
#include
int main(int argc, char **argv) {
if (argc != 2)
return 0;
safe_strcpy(argv[1], strlen(argv[1]));
}
void safe_strcpy(char* mybuffer, char mylen)
{
char maxlen = 63;
char buffer[64];
if(mylen < maxlen)
{
//it's safe now
strcpy(buffer, mybuffer);
}
}
Challenge 4
#include
#include
int main(int argc, char **argv) {
if (argc != 2)
return 0;
int MAXC = 100;
char *buffer;
int len = atoi(argv[1]);
if (!(buffer = (char *) malloc(MAXC)))
return -1;
if (len <>= MAXC) {
free(buffer);
return -1;
}
if (read(0, buffer, len) <= 0) {
free(buffer);
return -1;
}
buffer[len] = '\0';
printf("you entered: %s\n", buffer);
return 0;
}
Challenge 5 (explain what happens)
#include
#include
#define MAX_LEN 0
int main(int argc, char **argv) {
unsigned int i = 1;
if (i < (MAX_LEN - 1)) {
printf("this can not happen, can it?\n");
}
return 0;
}
Comments