bvcs

studying snippets from snoopysecurity/Broken-Vulnerable-Code-Snippets

This post is for studying various vulnerable and broken code snippets from snoopysecurity's Broken-Vulnerable-Code-Snippets repository.

Problems

Buffer Overflow: strcpy.c

```c
#include <string.h>
int main(void) {
  char str1[10];                   /* destination: 10 bytes */
  char str2[] = "abcdefghijklmn";  /* 14 characters + NUL = 15 bytes */
  strcpy(str1, str2);              /* no bounds check: 15 bytes written into a 10-byte buffer */
}
```

strcpy() takes two arguments: a pointer to the destination buffer and a pointer to the source string. str2 holds 14 characters (plus the terminating NUL), whereas str1 has space allocated for only 10 characters. strcpy() performs no check that the destination is large enough for the source: it copies until it reaches the source's NUL terminator, so the bytes that do not fit are written past the end of str1. This is a buffer overflow.

Buffer Overflow: bof1.c

Code snippet.

```c
#include <stdio.h>
#include <string.h>

#define S 100
#define N 1000

int main(int argc, char *argv[]) {
  char out[S];
  char buf[N];
  char msg[] = "Welcome to the argument echoing program\n";
  int len = 0;
  buf[0] = '\0';
  printf(msg);
  while (argc) {
    /* unbounded write: out holds S bytes, argv[argc-1] can be any length */
    sprintf(out, "argument %d is %s\n", argc-1, argv[argc-1]);
    argc--;
    strncat(buf,out,sizeof(buf)-len-1);   /* this append, by contrast, is bounded */
    len = strlen(buf);
  }
  printf("%s",buf);
  return 0;
}
```

sprintf() is a function that takes at least two arguments:

  • destination: the char array the formatted string is written to
  • format: a string describing the format of the data to be written to the destination array
  • arg1 (optional): a value to be formatted and written to the destination array
  • arg2 (optional): a value to be formatted and written to the destination array
  • ...

Note that sprintf() takes no size for the destination: it writes the whole formatted string no matter how large the array actually is.

Line 15, the sprintf() call, writes "argument %d is %s\n" into the char array out once for each command-line argument the program is run with. The fourth argument of that call, argv[argc-1], is controlled by whoever runs the program, and sprintf() copies it into out without checking out's bounds (S = 100 bytes). An argument longer than out can hold therefore overflows out; the strncat() that follows is bounded, so it is the sprintf() write that is vulnerable.
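As an added example, not code from the snoopysecurity repository, here is a bounded rewrite of bof1.c's loop that replaces sprintf() with snprintf() and checks its return value before appending; the function names format_arg and echo_args are my own.

```c
#include <stdio.h>
#include <string.h>

#define S 100
#define N 1000

/* Bounded replacement for the unbounded sprintf() in bof1.c.
 * Returns 0 when the whole line fit in out, -1 when it was truncated;
 * snprintf() never writes more than outsz bytes and always NUL-terminates. */
int format_arg(char *out, size_t outsz, int index, const char *arg) {
  int needed = snprintf(out, outsz, "argument %d is %s\n", index, arg);
  if (needed < 0 || (size_t)needed >= outsz)
    return -1;
  return 0;
}

/* Safe version of bof1.c's echo loop: appends each argument line to buf
 * (capacity bufsz), skipping lines that do not fit instead of overflowing.
 * Returns how many arguments were echoed in full. */
int echo_args(char *buf, size_t bufsz, int argc, char *argv[]) {
  char out[S];
  size_t len = 0;
  int echoed = 0;
  buf[0] = '\0';
  for (int i = argc - 1; i >= 0; i--) {   /* same order as the original */
    if (format_arg(out, sizeof out, i, argv[i]) != 0)
      continue;                           /* argument too long for out */
    size_t outlen = strlen(out);
    if (len + outlen >= bufsz)
      break;                              /* buf is full: stop rather than overrun */
    memcpy(buf + len, out, outlen + 1);   /* copy including the NUL */
    len += outlen;
    echoed++;
  }
  return echoed;
}

int main(int argc, char *argv[]) {
  char buf[N];
  int n = echo_args(buf, sizeof buf, argc, argv);
  printf("%s(%d of %d arguments echoed)\n", buf, n, argc);
  return 0;
}
```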

References