ccs-lab-2014-Spring/bugs.txt at master · kingFighter/ccs-lab-2014-Spring · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#
# [file:#lines]
# desc
#

[zookd.c:1612]
description goes here. for example, the 'buf' variable can be
overwritten by the 'msg' variable because ...

    <paste offending line(s) of code here>

[http.c:1512]
another description.

    <paste offending line(s) of code here>

# many more come here
[http.c:165]
The 'envvar' variable can be overwritten by function 'sprintf' because
'sprintf' is unsafe. 'envvar' is only 512 bytes, but the 'buf' is 8192
bytes.
    static char buf[8192];      /* static variables are not on the stack */
    char envvar[512];
    ....
    ....
    sprintf(envvar, "HTTP_%s", buf);
See exploit code 'exploit-1a.py'.
[http.c:255]
The 'pn' variable can be overwritten by function 'strcat'('name' variable) because
'strcat' is unsafe. and 'pn' is only 1024 bytes, but 'name' variable
can be larger than 1024 bytes.(See 'zookfs:.c:40')

void http_serve(int fd, const char *name)
    ...
    char pn[1024];
    strcat(pn, name);
    ...

'zookfs.c:40'
http_serve(sockfd, getenv("REQUEST_URI"));

See exploit code 'exploit-2b.py'.
[http.c:317]
The 'dst' variable can be overwritten by function 'strcpy'('dirname'
variable) beacuse 'strcpy' is unsafe. In function
'http_serve_directory' will call 'dir_join', 'dst' variable is only
1024 bytes, but the 'dirname' can be larger.

void dir_join(char *dst, const char *dirname, const char *filename) {
    ...
    strcpy(dst, dirname);
    ...

'http.c:331,333'
void http_serve_directory(int fd, const char *pn) {
...
char name[1024];
dir_join(name, pn, indices[i]);
...
dir_join(name, getenv("SCRIPT_NAME"), indices[i]);
...

See exploit code 'exploit-1b.py'.
[http.c:320]
The 'dst' variable can be overwritten by function 'strcat'('filename'
variable) beacuse 'strcat' is unsafe. In function
'http_serve_directory' will call 'dir_join', 'dst' variable is only
1024 bytes, though 'filename' is  among {"index.html", "index.php",
"index.cgi", NULL}", but after 'strcpy(dst, dirname)' the 'dst' can be
close to 1024 bytes, and then 'dist' will be out of bound after
calling 'strcat(dst, filename)'.

void dir_join(char *dst, const char *dirname, const char *filename) {
    strcpy(dst, dirname);
        ...
    strcat(dst, filename);

'http.c:331,333'
void http_serve_directory(int fd, const char *pn) {
...
char name[1024];
dir_join(name, pn, indices[i]);
...
dir_join(name, getenv("SCRIPT_NAME"), indices[i]);
...
See exploit code 'exploit1c.py'.
[http.c:421]
In function 'url_decode', the 'dst' variable can be overwritten by
'src' variable because 'dst' can be smaller than 'src' when other
places call 'url_decode'. For example, 'reqpath' variable is only 2048 bytes,
and 'value' variable is only 512 bytes, both 'sp1' and 'sp' variable
can be larger than that.

void url_decode(char *dst, const char *src)
        ...
        *dst = strtol(&hexbuf[0], 0, 16);
        ...
        dst++;
        ...

const char *http_request_line(int fd, char *reqpath, char *env, size_t *env_len)
    ...
    url_decode(reqpath, sp1);
    ...

const char *http_request_headers(int fd)
    ...
    char value[512];
    ...
    url_decode(value, sp);
    ...

'zookd.c':
static void process_client(int fd)
    ...
    char reqpath[2048];
    ...
    if ((errmsg = http_request_line(fd, reqpath, env, &env_len)))
    ...

See exploit code 'exploit-2a.py'


Stack canaries, named for their analogy to a canary in a coal mine,
are used to detect a stack buffer overflow before execution of
malicious code can occur. This method works by placing a small
integer, the value of which is randomly chosen at program start, in
memory just before the stack return pointer.

This technique can greatly increase the difficulty of exploiting a
stack buffer overflow. But it still cannot prevent the vulnerability.

And if we only use buffer overflows to corrupt the local variable in
stack. According to the 'Stack canaries' definition(the 'canaries' is
placed in memory before the stack return address), it won't help.

In sum, stack canaries is not enough but can increase the difficulty.