Information Security CS 526 Lecture 14 - PowerPoint PPT Presentation

Slides: 13
Provided by: NINGH7

Transcript and Presenter's Notes

1
Information Security CS 526, Lecture 14
  • Other Vulnerabilities

2
Format string problem
  • int func(char *user)
    {
        fprintf(stdout, user);
    }
  • Problem: what if user = "%s%s%s%s%s%s%s" ??
  • Most likely program will crash: DoS.
  • If not, program will print memory contents.
    Privacy?
  • Full exploit using user = "%n"
  • Correct form:
    int func(char *user)
    {
        fprintf(stdout, "%s", user);
    }

3
Format string attacks (%n)
  • printf("%n", &x) will change the value of the
    variable x
  • in other words, the parameter value on the stack
    is interpreted as a pointer to an integer value,
    and the place pointed to by the pointer is
    overwritten
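The following program is an added example for slides 2 and 3; it is not part of the lecture. It renders the hardened `"%s"` form into a buffer so the hostile input from slide 2 can be seen coming out literally, makes the `%n` side effect from slide 3 observable against a local variable of our own (the format is a string literal, so nothing untrusted is interpreted), and adds a small `count_conversion_specs` helper, an assumed audit aid for spotting format-style input in logs rather than anything the slides describe. It assumes a glibc-style `snprintf` that honours `%n`.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form from slide 2: user data is the argument to a fixed "%s" format,
 * so any '%' it contains is printed literally. Renders into dst so the result
 * can be inspected; returns what snprintf reports. */
int format_user_safely(char *dst, size_t dst_len, const char *user)
{
    return snprintf(dst, dst_len, "%s", user);
}

/* Feeds slide 2's hostile string through the hardened call and reports whether
 * it came out unchanged (1) or not (0). The string is constructed from the slide. */
int hostile_input_rendered_literally(void)
{
    const char *hostile = "%s%s%s%s%s%s%s";
    char out[64];
    int n = format_user_safely(out, sizeof out, hostile);
    return n == (int)strlen(hostile) && strcmp(out, hostile) == 0;
}

/* What %n does (slide 3): the printf family stores the number of bytes emitted
 * so far into the int that the matching argument points to. Here the format is
 * a literal and the pointer is our own local, so the write is harmless; it only
 * makes the mechanism visible. */
int bytes_written_before_n(const char *prefix)
{
    char out[128];
    int count = -1;
    snprintf(out, sizeof out, "%s%n", prefix, &count);
    return count;
}

/* Assumed audit helper: counts conversion specifications ('%' not followed by
 * another '%') in a string. Data that is about to reach a printf-style call
 * normally contains none; a run of them is the pattern on slide 2. This is a
 * detection signal only, not a substitute for the "%s" fix above. */
int count_conversion_specs(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    printf("hostile input rendered literally: %s\n",
           hostile_input_rendered_literally() ? "yes" : "no");
    printf("%%n after \"hello\" stores %d\n", bytes_written_before_n("hello"));
    printf("conversion specs in slide-2 input: %d\n",
           count_conversion_specs("%s%s%s%s%s%s%s"));
    return 0;
}
```

Compiling the slide-2 original with `gcc -Wformat -Wformat-security` flags the non-literal format argument; the hardened call above produces no warning because the format is a constant.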

4
History
  • Danger discovered in June 2000.
  • Examples
  • wu-ftpd 2.*: remote root
  • Linux rpc.statd remote root
  • IRIX telnetd remote root
  • BSD chpass local root

5
Vulnerable functions
  • Any function using a format string.
  • Printing: printf, fprintf, sprintf,
    vprintf, vfprintf, vsprintf
  • Logging: syslog, err, warn

6
Integer Overflow
  • Direct causes
  • Truncation
  • Integer casting
  • Example
    const long MAX_LEN = 20K;
    short len = strlen(input);
    if (len < MAX_LEN)
        // do something
  • How long does input need to be to bypass the
    check?
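As an added example (not from the lecture) answering the question on slide 6: the program below keeps the truncating check and a `size_t` version side by side and searches for the first over-long input that the truncated version accepts. It reads the slide's "20K" as 20 * 1024 bytes and assumes a 16-bit `short` that wraps on narrowing, which is what gcc on x86-64 does (the C standard leaves out-of-range narrowing implementation-defined).

```c
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

/* Assumption: the slide's "20K" means 20 * 1024 bytes. */
#define MAX_LEN 20480L

/* Slide 6's check: strlen()'s size_t result is squeezed into a short before
 * the comparison. Returns 1 when an input of n bytes would pass. Assumes a
 * 16-bit short that wraps when narrowed (gcc/x86-64 behaviour). */
int passes_truncated_check(size_t n)
{
    short len = (short)n;        /* the bug: the high bits are discarded */
    return len < MAX_LEN;
}

/* Fixed check: keep the length in size_t, the type strlen() actually returns. */
int passes_fixed_check(size_t n)
{
    size_t len = n;
    return len < (size_t)MAX_LEN;
}

/* The slide's question: smallest input length that is at least MAX_LEN and
 * still passes the truncated check. Scanning the 16-bit range means no real
 * 32 KiB buffer is needed. Returns -1 if no such length exists. */
long smallest_bypass_len(void)
{
    for (size_t n = MAX_LEN; n <= USHRT_MAX + 1UL; n++)
        if (passes_truncated_check(n))
            return (long)n;
    return -1;
}

int main(void)
{
    long n = smallest_bypass_len();
    printf("truncated check first accepts an over-long input at %ld bytes "
           "((short)%ld == %d)\n", n, n, (short)n);
    printf("fixed check at that length: %s\n",
           passes_fixed_check((size_t)n) ? "passes" : "rejects");
    return 0;
}
```

The first bypass is 32768 bytes: `(short)32768` is -32768, which is comfortably below MAX_LEN, so the guarded code runs with a length far larger than it was written for. Any length that wraps to a small positive value (65536, for example, which becomes 0) bypasses it as well.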

7
Where Does Integer Overflow Matter?
  • Allocating spaces using calculation.
  • Calculating indexes into arrays
  • Checking whether an overflow could occur

8
How does casting work?
  • Signed int to Larger signed int
  • Signed int to Same-size unsigned int
  • Signed int to Larger unsigned int
  • Unsigned int to Larger unsigned int
  • Unsigned int to Same-size signed int
  • Unsigned int to Larger signed int
  • Downcast

Language, system dependent!
9
When does casting occur in C?
  • For binary operators +, -, *, /, %, &, |, ^:
  • if either operand is an unsigned long, both are
    cast to an unsigned long
  • in all other cases where both operands are
    32 bits or less, the arguments are both upcast to
    int, and the result is an int
  • For unary operators:
  • unary + and - change type, e.g., -((unsigned short)0) is int
  • ++ and -- do not change type

10
Another Example
    bool IsValidAddition(unsigned short x,
                         unsigned short y)
    {
        if (x + y < x)
            return false;
        return true;
    }
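An added example covering slides 9 and 10 (not part of the lecture): `IsValidAddition` is kept as written so its dead check can be exercised, a fixed version compares the promoted sum against `USHRT_MAX`, `stored_sum` shows what the narrowing store of the unchecked result does, and two `sizeof` probes make slide 9's unary-operator rules observable without evaluating their operands. It assumes a 32-bit `int` and 16-bit `unsigned short`.

```c
#include <stdio.h>
#include <stdbool.h>
#include <limits.h>

/* Slide 10's function, unchanged: x + y is computed in int after the usual
 * arithmetic conversions (slide 9), so two unsigned shorts can never wrap
 * and the check is dead code. */
bool IsValidAddition(unsigned short x, unsigned short y)
{
    if (x + y < x)
        return false;
    return true;
}

/* Fixed form: compare the promoted sum against what an unsigned short holds. */
bool is_valid_addition_fixed(unsigned short x, unsigned short y)
{
    return (unsigned int)x + (unsigned int)y <= USHRT_MAX;
}

/* What the unchecked sum becomes once stored back into an unsigned short:
 * the int result is narrowed and the carry is lost. */
unsigned short stored_sum(unsigned short x, unsigned short y)
{
    unsigned short sum = x + y;     /* implicit narrowing conversion */
    return sum;
}

/* Slide 9, unary operators. sizeof does not evaluate its operand, so these
 * only report the type the expression has. Assumes a 32-bit int. */
size_t size_after_unary_minus(void)
{
    return sizeof(-(unsigned short)0);   /* promoted to int: 4 */
}

size_t size_after_increment(void)
{
    unsigned short us = 0;
    return sizeof(++us);                 /* stays unsigned short: 2 */
}

int main(void)
{
    unsigned short x = 65535, y = 1;
    printf("IsValidAddition(%u, %u) = %s (check never fires)\n",
           x, y, IsValidAddition(x, y) ? "true" : "false");
    printf("fixed version           = %s\n",
           is_valid_addition_fixed(x, y) ? "true" : "false");
    printf("stored unsigned short sum = %u\n", stored_sum(x, y));
    printf("sizeof(-(unsigned short)0) = %zu, sizeof(++us) = %zu\n",
           size_after_unary_minus(), size_after_increment());
    return 0;
}
```

The original returns true for 65535 + 1 because the int value 65536 is not less than 65535; only when that int is written back into a 16-bit variable does it become 0, after the check has already passed.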

11
Yet Another Example
    int ConcatBuffers(char *buf1, char *buf2, size_t
                      len1, size_t len2)
    {
        char buf[0xFF];
        if ((len1 + len2) > 0xFF) return -1;
        memcpy(buf, buf1, len1);
        memcpy(buf + len1, buf2, len2);
        return 0;
    }
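An added example for slide 11 (not the lecture's code): the length check is pulled out into its own function so the `size_t` wraparound can be triggered without any memory being copied, a fixed check tests each operand before adding, and `ConcatBuffers` is rebuilt on the fixed check with a caller-supplied output buffer. The inputs in `concat_demo` are constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE 0xFF

/* Slide 11's guard in isolation: len1 + len2 is computed in size_t and wraps
 * silently, so a huge len1 paired with a small len2 produces a tiny sum and
 * the guard lets it through. Returns 0 when the check passes, -1 otherwise. */
int concat_check_original(size_t len1, size_t len2)
{
    return (len1 + len2) > BUF_SIZE ? -1 : 0;
}

/* Fixed guard: bound each operand first so the addition cannot wrap. */
int concat_check_fixed(size_t len1, size_t len2)
{
    if (len1 > BUF_SIZE || len2 > BUF_SIZE - len1)
        return -1;
    return 0;
}

/* ConcatBuffers on top of the fixed guard. out must hold BUF_SIZE bytes.
 * Returns the number of bytes written, or -1 if the pair does not fit. */
long concat_buffers_fixed(const char *buf1, const char *buf2,
                          size_t len1, size_t len2, char *out)
{
    if (concat_check_fixed(len1, len2) != 0)
        return -1;
    memcpy(out, buf1, len1);
    memcpy(out + len1, buf2, len2);
    return (long)(len1 + len2);
}

/* Runs the fixed concatenation on constructed inputs and verifies the result.
 * Returns the concatenated length (12), or -2 if the content is wrong. */
long concat_demo(void)
{
    const char *a = "hello, ";
    const char *b = "world";
    char out[BUF_SIZE];
    long n = concat_buffers_fixed(a, b, strlen(a), strlen(b), out);
    if (n != 12 || memcmp(out, "hello, world", 12) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("original guard with len1 = SIZE_MAX, len2 = 2: %s\n",
           concat_check_original(SIZE_MAX, 2) == 0 ? "passes (wrapped sum)"
                                                   : "rejects");
    printf("fixed guard with the same lengths: %s\n",
           concat_check_fixed(SIZE_MAX, 2) == 0 ? "passes" : "rejects");
    printf("fixed concat of constructed inputs wrote %ld bytes\n", concat_demo());
    return 0;
}
```

With `len1 = SIZE_MAX` and `len2 = 2` the original sum wraps to 1, the guard passes, and the first `memcpy` would then copy far beyond the 255-byte stack buffer; the fixed guard rejects the pair because `len1` alone exceeds `BUF_SIZE`.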

12
Coming Attractions
  • September 29
  • Project 1 description