Thread: Single Byte Buffer Overflow

  1. 02-07-2009 #1
    Azimuth
    Azimuth is offline
    Registered User
    Join Date
    Jun 2004
    Posts
    9

    Single Byte Buffer Overflow

    Hi all,

    I have a piece of code I'm supposed to identify a security issue with
    Code:
    int copy(char *in)
{
    char d[128];
    if (strlen(in) > sizeof(d))
        return -1;
    strcpy(d, in);
    return 0;
}
    I narrowed it down to the if statement condition. strlen does not take the NULL character into account, and hence, the if condition would fail if the length of the input string is exactly 128 (excluding NULL). This would lead to an off-by-one or single-byte buffer overflow.

    According to http://www.vuxml.org/freebsd/8dd9722...c2514716c.html, this
    can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.

    Successful exploitation allows execution of arbitrary code.
    Where can I find out more about this, i.e. how does overflowing a single byte lead to arbitrary code execution?
  2. 02-07-2009 #2
    vart
    vart is offline
    Hurry Slowly vart's Avatar
    Join Date
    Oct 2006
    Location
    Rishon LeZion, Israel
    Posts
    6,788
    Quote Originally Posted by Azimuth View Post
    how does overflowing a single byte lead to arbitrary code execution?
    If the byte is a part of the return address that was stored on stack before calling the function, then return statement will actually jump to some other address. And execute code located there and not in the calling function
    All problems in computer science can be solved by another level of indirection,
    except for the problem of too many layers of indirection.
    – David J. Wheeler
  3. 02-07-2009 #3
    Azimuth
    Azimuth is offline
    Registered User
    Join Date
    Jun 2004
    Posts
    9
    Correct me if I'm wrong, but isn't it usually the case that on x86 the frame pointer and passed function parameters would be located "above" (lower on the stack) the allocated buffer? So how is it possible to modify the return address in this case?
  4. 02-07-2009 #4
    Elysia
    Elysia is offline
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    The return address is pushed onto the stack before a function call is made.
    And when returning, it jumps back to that address.
    Thus, it is possible to spoof it with a buffer overrun.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.
  5. 02-07-2009 #5
    anon
    anon is offline
    The larch
    Join Date
    May 2006
    Posts
    3,573
    Doesn't strlen itself have the same problem? (If you don't control where the string comes from it could always overflow.)
    I might be wrong.

    Thank you, anon. You sure know how to recognize different types of trees from quite a long way away.
    Quoted more than 1000 times (I hope).
  6. 02-07-2009 #6
    matsp
    matsp is offline
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by anon View Post
    Doesn't strlen itself have the same problem? (If you don't control where the string comes from it could always overflow.)
    strlen() will not CHANGE any memory. If the string is not terminated, it will possibly crash, but it will not change what gets executed beyond that.

    As stated above, the terminating zero will overwrite the 129th element of the 128 element array. What is located there depends on the compiler (and may change based on compiler settings for same compiler - e.g. a compiler flag may turn off "frame pointer" in some functions).

    And of course, if the return address [or whatever is being overwritten] already contains zero at that location, nothing happens. In big-endian machines, this could well be the case if the code is in the lower 16MB of memory.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
« Previous Thread | Next Thread »
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Inserting a swf file in a windows application
    By face_master in forum Windows Programming
    Replies: 12
    Last Post: 05-03-2009, 11:29 AM
  2. send and receive byte does not match
    By saipkjai in forum Networking/Device Communication
    Replies: 1
    Last Post: 02-09-2008, 01:09 AM
  3. About aes
    By gumit in forum C Programming
    Replies: 13
    Last Post: 10-24-2006, 03:42 PM
  4. How to avoid buffer overflow at input?
    By netstar in forum C++ Programming
    Replies: 4
    Last Post: 02-13-2005, 01:58 AM
  5. Tetris Questions
    By KneeGrow in forum Game Programming
    Replies: 19
    Last Post: 10-28-2003, 11:12 PM