Difference between revisions of "Dangerous Function"

From OWASP
Jump to: navigation, search
(Examples)
m (Reverted edits by TrtrrOlcna (Talk) to last version by KirstenS)
 
(11 intermediate revisions by 4 users not shown)
Line 2: Line 2:
 
{{Template:Fortify}}
 
{{Template:Fortify}}
  
==Abstract==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
Functions that cannot be used safely should never be used.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
 +
Functions that cannot be used safely should never be used.
  
 
Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account.
 
Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account.
  
==Examples ==
+
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
 +
* C functions that don't check the size of the destination buffers, such as gets(), strcpy(), strcat(), printf()
  
 
* The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer.
 
* The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer.
Line 16: Line 22:
 
* The >> operator is unsafe to use when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
 
* The >> operator is unsafe to use when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
  
==Examples ==
+
===Example program ===
 
See this simple C program :
 
See this simple C program :
  
Line 27: Line 33:
 
}
 
}
  
it looks it is right , and yes it is  right program but it posses a sequrity problem.
+
It appears to be correct, but it posesses a security problem. If you enter a short piece of text such as "Hello", the above program works fine. But if the entered value is longer than the allocated buffer, such as the text "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", the program may crash due to a segfault, or otherwise behave inappropriately.
Lets see how ..
+
  
[running  1]
+
===What happens when the above program runs===
Enter Text : Hello
+
+
the above program works fine .
+
  
but if we give this :
+
cmain() calls the main() procedure.
  
[running 2]
+
'''In Assembly'''
Enter Text : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
<pre>
 +
_cmain proc far          /* In C, all function names begins with an underscore */
  
 +
xx
  
Here the program may crash  , as the text entered in of length 59 , but the array size is 25 .
+
call _main
as the "gets" function dosen't check for the length of array or entered text.
+
  
What happens when the above program runs
+
xx
  
cmain() calls the main() .
+
_cmain endp
'''in assembly'''
+
  
_cmain proc far                  ; In C all function name begins with a "_"
+
_main proc  
xx
+
  
xx
+
mov ebp, esp
 +
add ebp, 19h              /* 19h = 25 dec.  Creates buffer array in the stack frame */
 +
lea eax, strEnterText      /* Gets the address of the string "\nEnter Text : " */
 +
push eax                  /* pushes this address to stack for printf function */
  
xx
+
call _printf              /* calls the printf function */
  
call _main
 
  
xx
+
push ebp                  /* pushes the address of the buffer array */
  
xx
+
call _gets                /* calls gets()  */
  
_cmain endp
+
  /* The gets function stores the entered charecter from stdin to memory pointed by ebp  */
  
 +
  /*  if the number of charecter got from stdin is greater than the SIZE of the buffer */
 +
 +
  /* the buffer overflow occurs. */
  
_main proc
+
xxx
  
mov ebp,esp
+
_main endp
add ebp,19h ;''' 19h = 25 dec , *** thus it creates the buffer array in current stack frame  ***'''
+
</pre>
  
lea eax,strEnterText  ; gets the address of the string "\nEnter Text : "
+
As return addresses of all functions are stored on the stack, if the buffer array is overflowed, then the returned address of the functions may be overwritten by the user inputed data.
  
push eax                ;pushes this address to stack for printf function
 
  
call _printf        ; calls the printf function
+
===How this program can be exploited===
  
; next the interresting part
+
Once the bounds of the array are known, text can be entered so that the return address on the stack is overwritten to point to a
 +
different location in memory which the program is not supposed to access at that time, such as other malicious code.
  
push ebp        ; pushes the address of the buffer array
+
The length of the buffer could be easily discovered through trial-and-error.
  
call _gets        ;calls the gets() ,
+
You should never use a function which extracts data from the user without no bounds checking.
 +
A better alternative is "fgets".
  
  ;The gets function stores the entered charecter from stdin to memory pointed by ebp
+
To get input from stdin use this:
  
  ; if the number of charecter got from stdin is greater than the SIZE of the buffer
+
<pre>
 +
fgets(buffer,25,stdin);
 +
</pre>
  
  ; the buffer overflow occurs.
+
==Related [[Attacks]]==
  
xxx
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
xxx ; rest of the program
 
_main endp
 
  
As all the return address of the functions are stored in stack , if "buffer" array is overflowed then the returned address of the functions are get OVERWRITTEN by the user inputed data.
+
==Related [[Vulnerabilities]]==
  
In ordinary case the input text is generaly text , so it normally crashes and terminates or behaves incorrectly.
+
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
  
'''Lets see how we can exploit this program ..'''
 
  
 +
==Related [[Controls]]==
  
If we can some how know the bound of the array (size of the array) we can enter text as hex and give the text such a way when the array and stack overflows , then the returned address of the main function is overwritten to point to a code which is not intented to run , such as trojan code.
+
* [[Control 1]]
 +
* [[Control 2]]
  
The len of the buffer is easy to know by trial and error .
 
  
 +
==Related [[Technical Impacts]]==
  
So u know how gets function can be exploited
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
'''You should never use such a function which extracts data from users without a array bound check.
 
A better alternative is "fgets".'''
 
  
To get input from stdin use this
+
==References==
 +
TBD
 +
[[Category:FIXME|add links
  
fgets(buffer,25,stdin);
+
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
  
==Related Threats==
+
Availability Vulnerability
  
==Related Attacks==
+
Authorization Vulnerability
  
==Related Vulnerabilities==
+
Authentication Vulnerability
  
==Related Countermeasures==
+
Concurrency Vulnerability
  
==Categories==
+
Configuration Vulnerability
  
[[Category:Implementation]]
+
Cryptographic Vulnerability
  
[[Category:C]]
+
Encoding Vulnerability
  
[[Category:Use of Dangerous API]]
+
Error Handling Vulnerability
  
 +
Input Validation Vulnerability
 +
 +
Logging and Auditing Vulnerability
 +
 +
Session Management Vulnerability]]
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Implementation]]
 +
[[Category:C]]
 +
[[Category:Use of Dangerous API]]
 
[[Category:API Abuse]]
 
[[Category:API Abuse]]
 +
[[Category:Vulnerability]]

Latest revision as of 12:00, 26 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Last revision (mm/dd/yy): 05/26/2009

Vulnerabilities Table of Contents

Description

Functions that cannot be used safely should never be used.

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account.

Risk Factors

TBD

Examples

  • C functions that don't check the size of the destination buffers, such as gets(), strcpy(), strcat(), printf()
  • The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer.
  • The >> operator is unsafe to use when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Example program

See this simple C program :

main() {

       char  buffer[25];
       
       printf("\nEnter Text : ");
       gets(buffer);

}

It appears to be correct, but it posesses a security problem. If you enter a short piece of text such as "Hello", the above program works fine. But if the entered value is longer than the allocated buffer, such as the text "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", the program may crash due to a segfault, or otherwise behave inappropriately.

What happens when the above program runs

cmain() calls the main() procedure.

In Assembly

_cmain proc far           /* In C, all function names begins with an underscore */

xx

call _main

xx

_cmain endp

_main proc 

mov ebp, esp
add ebp, 19h               /* 19h = 25 dec.  Creates buffer array in the stack frame */
lea eax, strEnterText      /* Gets the address of the string "\nEnter Text : " */
push eax                   /* pushes this address to stack for printf function */

call _printf               /* calls the printf function */


push ebp                   /* pushes the address of the buffer array */

call _gets                 /* calls gets()  */

   /* The gets function stores the entered charecter from stdin to memory pointed by ebp  */

   /*  if the number of charecter got from stdin is greater than the SIZE of the buffer */
 
   /* the buffer overflow occurs. */

xxx

_main endp

As return addresses of all functions are stored on the stack, if the buffer array is overflowed, then the returned address of the functions may be overwritten by the user inputed data.


How this program can be exploited

Once the bounds of the array are known, text can be entered so that the return address on the stack is overwritten to point to a different location in memory which the program is not supposed to access at that time, such as other malicious code.

The length of the buffer could be easily discovered through trial-and-error.

You should never use a function which extracts data from the user without no bounds checking. A better alternative is "fgets".

To get input from stdin use this:

fgets(buffer,25,stdin);

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD