Single Byte Buffer Overflow

Printable View

02-07-2009
Azimuth

Single Byte Buffer Overflow

Hi all,

I have a piece of code I'm supposed to identify a security issue with

Code:

int copy(char *in) { char d[128]; if (strlen(in) > sizeof(d)) return -1; strcpy(d, in); return 0; }

I narrowed it down to the if statement condition. strlen does not take the NULL character into account, and hence, the if condition would fail if the length of the input string is exactly 128 (excluding NULL). This would lead to an off-by-one or single-byte buffer overflow.

According to http://www.vuxml.org/freebsd/8dd9722...c2514716c.html, this

Quote:

can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

Where can I find out more about this, i.e. how does overflowing a single byte lead to arbitrary code execution?
02-07-2009
vart

Quote:

Originally Posted by Azimuth

how does overflowing a single byte lead to arbitrary code execution?

If the byte is a part of the return address that was stored on stack before calling the function, then return statement will actually jump to some other address. And execute code located there and not in the calling function
02-07-2009
Azimuth

Correct me if I'm wrong, but isn't it usually the case that on x86 the frame pointer and passed function parameters would be located "above" (lower on the stack) the allocated buffer? So how is it possible to modify the return address in this case?
02-07-2009
Elysia

The return address is pushed onto the stack before a function call is made.
And when returning, it jumps back to that address.
Thus, it is possible to spoof it with a buffer overrun.
02-07-2009
anon

Doesn't strlen itself have the same problem? :) (If you don't control where the string comes from it could always overflow.)
02-07-2009
matsp

Quote:

Originally Posted by anon

Doesn't strlen itself have the same problem? :) (If you don't control where the string comes from it could always overflow.)

strlen() will not CHANGE any memory. If the string is not terminated, it will possibly crash, but it will not change what gets executed beyond that.

As stated above, the terminating zero will overwrite the 129th element of the 128 element array. What is located there depends on the compiler (and may change based on compiler settings for same compiler - e.g. a compiler flag may turn off "frame pointer" in some functions).

And of course, if the return address [or whatever is being overwritten] already contains zero at that location, nothing happens. In big-endian machines, this could well be the case if the code is in the lower 16MB of memory.

--
Mats