Difference between revisions of "Dangerous Function"

From OWASP
Revision as of 03:06, 24 July 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Abstract

Functions that cannot be used safely should never be used.

Description

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account.

Examples

  • The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer.
  • The >> operator is unsafe to use when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Examples

See this simple C program (gets() is kept deliberately; it is the defect under discussion):

  #include <stdio.h>

  int main(void)
  {
         char buffer[25];

         printf("\nEnter Text : ");
         gets(buffer);      /* no bound check: reads until newline, however long the line */
         return 0;
  }

It looks right, and it is a valid program, but it has a security problem. Let's see how.

[running 1] Enter Text : Hello

The above program works fine.

But if we give this input:

[running 2] Enter Text : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Here the program may crash: the text entered is 59 characters long, but the array size is 25, and the "gets" function does not check the length of the array or of the entered text.

What happens when the above program runs

cmain() calls main(). In assembly:

_cmain proc far                  ; In C all function names begin with a "_"
xx
xx
xx
call _main
xx
xx
_cmain endp


_main proc
mov ebp,esp
add ebp,19h             ; 19h = 25 dec, *** thus it creates the buffer array in the current stack frame ***
lea eax,strEnterText    ; gets the address of the string "\nEnter Text : "
push eax                ; pushes this address onto the stack for the printf function
call _printf            ; calls the printf function
; next the interesting part
push ebp                ; pushes the address of the buffer array
call _gets              ; calls gets()
  ; the gets function stores the characters entered on stdin at the memory pointed to by ebp
  ; if the number of characters read from stdin is greater than the SIZE of the buffer
  ; the buffer overflow occurs.
xxx
xxx                     ; rest of the program
_main endp

As the return addresses of the functions are stored on the stack, if the "buffer" array is overflowed then the return addresses get OVERWRITTEN by the user's input data.

In the ordinary case the input is just text, so the program normally crashes and terminates, or behaves incorrectly.

Let's see how this program can be exploited.


If we can somehow learn the bound of the array (its size), we can enter the text as hex bytes arranged so that, when the array and stack overflow, the return address of the main function is overwritten to point to code that was never intended to run, such as trojan code.

The length of the buffer is easy to find by trial and error.


So now you know how the gets function can be exploited.

You should never use a function that reads data from users without an array bound check. A better alternative is "fgets".

To get input from stdin, use this instead:

fgets(buffer,25,stdin);
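The fgets call above has two caveats a practitioner should handle: it keeps the trailing newline, and when the line is longer than the buffer the leftover characters stay in stdin and are returned by the next read. The following is an added example, not code from the original page: a bounded replacement for the gets() call that handles both cases, with a hypothetical helper `nth_line_length` that feeds the page's 59-character line through it from a temporary file so it can run without a terminal.

```c
#include <stdio.h>
#include <string.h>

/* The page's 59-character input, as a constructed sample line. */
#define PAGE_INPUT "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" \
                   "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAA"

/* Bounded replacement for gets(): reads one line into buf (at most size-1
 * characters), strips the trailing newline, and discards any excess so the
 * remainder of an over-long line cannot leak into the next read.
 * Returns the number of characters kept, or -1 on EOF/error. */
static int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* whole line fit: drop the newline */
    } else {
        int c;                      /* line was truncated: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Hypothetical test helper: feeds `input` through a temporary FILE and
 * returns the length kept for the n-th line (0-based) when read with a
 * buffer of `size` bytes, or -1 if that line does not exist. */
static int nth_line_length(const char *input, size_t size, int n)
{
    char buf[64];
    FILE *f;
    int len = -1, i;
    if (size > sizeof buf || n < 0 || (f = tmpfile()) == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    for (i = 0; i <= n; i++) {
        len = read_line_bounded(buf, size, f);
        if (len < 0)
            break;
    }
    fclose(f);
    return len;
}

int main(void)
{
    char buffer[25];                /* same size as the page's program */
    printf("\nEnter Text : ");
    if (read_line_bounded(buffer, sizeof buffer, stdin) >= 0)
        printf("Got: %s\n", buffer);
    return 0;
}
```

With the 59 A's from the page and a 25-byte buffer the function keeps 24 characters and discards the other 35, so a following read sees the next line rather than the leftover A's.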

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures
