Spot the vulnerability challenges

Earlier this week, choc_, a friend of mine, started posting several small C programs to HVAOnline, asking folks at that popular security forum to find, exploit, and fix the vulnerabilities in them.

I find these challenges very interesting, and some of them are quite difficult to solve if you don't understand how C stores and interprets integer values. They remind me of the great code-auditing book "The Art of Software Security Assessment", in which the authors dedicate a whole chapter to C language issues, especially those that occur when integers are used the wrong way.

Here are some of the challenges. I hope you find them interesting.

Challenge 1

#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    if (argc != 3)
        return 1;
    unsigned short int x = strlen(argv[1]) + strlen(argv[2]);
    char *buf = (char *)malloc(x);
    strcpy(buf, argv[1]);
    strcat(buf, argv[2]);
    return 0;
}

Challenge 2

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    int x, y;
    if (argc != 3)
        return 0;
    x = atoi(argv[1]);
    y = atoi(argv[2]);
    return y ? x / y : 0;
}

Challenge 3

#include <stdio.h>
#include <string.h>

/* prototype so the call in main compiles under current compilers */
void safe_strcpy(char *mybuffer, char mylen);

int main(int argc, char **argv) {
    if (argc != 2)
        return 0;
    safe_strcpy(argv[1], strlen(argv[1]));
    return 0;
}

void safe_strcpy(char *mybuffer, char mylen)
{
    char maxlen = 63;
    char buffer[64];

    if (mylen < maxlen)
    {
        //it's safe now
        strcpy(buffer, mybuffer);
    }
}

Challenge 4

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv) {
    if (argc != 2)
        return 0;
    int MAXC = 100;
    char *buffer;
    int len = atoi(argv[1]);
    if (!(buffer = (char *)malloc(MAXC)))
        return -1;
    if (len >= MAXC) {   /* the comparison is garbled in the source; assumed to be >= */
        free(buffer);
        return -1;
    }
    if (read(0, buffer, len) <= 0) {
        free(buffer);
        return -1;
    }
    buffer[len] = '\0';
    printf("you entered: %s\n", buffer);
    return 0;
}

Challenge 5 (explain what happens)

#include <stdio.h>

#define MAX_LEN 0

int main(int argc, char **argv) {
    unsigned int i = 1;

    if (i < (MAX_LEN - 1)) {
        printf("this can not happen, can it?\n");
    }

    return 0;
}
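As an added example (my own code, not choc_'s programs or anything from the forum thread), here is how the integer handling behind challenges 1, 4 and 5 looks once the checks actually hold, with the challenge-5 comparison kept side by side with its corrected form. The function names concat_checked, parse_len, compare_as_written and compare_fixed are my own, and the buffer limit is passed in rather than hard-coded.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Challenge 1, hardened: size the buffer in size_t, check that the sum
 * cannot wrap, and reserve a byte for the terminator. Returns NULL on
 * overflow or allocation failure; the caller frees the result. */
char *concat_checked(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la > SIZE_MAX - lb || la + lb > SIZE_MAX - 1)
        return NULL;                       /* la + lb + 1 would wrap */
    char *buf = malloc(la + lb + 1);
    if (!buf)
        return NULL;
    memcpy(buf, a, la);
    memcpy(buf + la, b, lb + 1);           /* copies b's terminator too */
    return buf;
}

/* Challenge 4, hardened: parse the length with strtol instead of atoi so
 * junk, negative values and out-of-range values are all rejected, and
 * keep the result strictly below max so buffer[len] stays in bounds.
 * Returns 1 and stores the length in *out on success, 0 otherwise. */
int parse_len(const char *s, size_t max, size_t *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return 0;                          /* not a clean decimal number */
    if (v < 0 || (size_t)v >= max)
        return 0;                          /* negative or too large */
    *out = (size_t)v;
    return 1;
}

/* Challenge 5: the comparison exactly as the puzzle writes it. With
 * max_len == 0 the right side is the int -1, which the usual arithmetic
 * conversions turn into UINT_MAX, so the "impossible" branch is taken. */
int compare_as_written(unsigned int i, int max_len) {
    return i < (max_len - 1);
}

/* The same test with the signed operand checked before it is converted. */
int compare_fixed(unsigned int i, int max_len) {
    return max_len > 0 && i < (unsigned int)(max_len - 1);
}
```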

Comments

Anonymous said…
So choc_ turns out to be your friend. How long has he been studying computing to understand it so thoroughly?