SC3010

Computer Security

Tutorial 2: Memory Safety Vulnerabilities

Tianwei Zhang
Q1. Circle the correct answers in the
following questions
1. Which statement is false about the format string vulnerability?

A. Attacker can abuse the format string “%d” to cause confidentiality violation.
B. Attacker can abuse the format string “%i” to cause integrity violation.
C. Attacker can abuse the format string “%s” to cause availability violation.
D. Attacker can abuse the format string “%x” to cause confidentiality violation

2
Q1. Circle the correct answers in the
following questions
2. Which statements are true about Cross-Site Scripting (XSS) attack?
(i) XSS can target static web applications without users’ input.
(ii) When XSS is exploited, the malicious commands are executed on the victim’s local
computer, instead of the web server.
(iii) In the stored XSS attack, the attacker does not need to connect to the victim
computer.
(iv) In the reflected XSS attack, the malicious command can exist in the web server for
a long time.

A. (i) and (iii)

B. (i) and (iv)
C. (ii) and (iii)
D. (ii) and (iv)

3
Q1. Circle the correct answers in the
following questions
3. In a C program, let an unsigned int variable x = UINT_MAX. What will be the result
when we calculate x ++?

A. 0
B. UINT_MAX
C. INT_MAX
D. INT_MIN

4
Q2. Answer the following questions
1) What is the root cause of format string vulnerability? What are the
possible consequences?

The number of arguments does not match the number of escape sequences in the
format string.

The possible consequences include:

 Leak unauthorized information from the stack
 Crash the program
 Modify the data in the stack, or hijack the control flow.

5
Q2. Answer the following questions
2) How to prevent integer overflow vulnerabilities?

Check the boundary of integers carefully

 Check the sign of integers.
 For arithmetic operations, check the boundary of each operand.
 Try to convert the integers to the type with larger ranges (e.g., big number)

6
Q2. Answer the following questions
3) What is the scripting vulnerability?

The scripting commands are built from predefined code fragments and user input.
Then the script is passed to the system for execution

An attacker can hide additional commands in the user input. So the system will
execute the malicious command without any awareness.

7
Q3. Program Analysis
Consider the following fragment of a C program. The program has a vulnerability that
would allow an attacker to cause the program to disclose the content of the variable
“secret” at runtime. We assume that the attacker has no access to the exact
implementation of the ‘get_secret()’ function so the attack has to work regardless of
how the function ‘get_secret()’ is implemented.

(a) Explain how the attack mentioned above int main(int argc, char* argv[]) {
int uid1 = x12345;
works.You do not need to produce the exact int secret = get_secret();
input to the program that would trigger the int uid2 = x56789;
attack. It is sufficient to explain the strategy char str[256];
of the attack. Explain why the attack works.
if (argc < 2)
return 1;
(b) The vulnerability above can be fixed by
modifying just one statement in the program strncpy(str, argv[1], 255);
str[255] = ‘\0’;
without changing its functionality. Show which printf(“Welcome”);
statement you should modify and how you printf(str);
would modify it to fix the vulnerability. Show
the C code of the proposed solution return 0;
}
8
Solution
(a) Format string vulnerability
argv[1] can contain malicious format specifier
when copied to str. After printf(str),
secret on the stack can be leaked.
printf(“%08x %08x %08x %08x %08x”)

int main(int argc, char* argv[]) {

(b) Fix the vulnerabilities: change the format of
int uid1 = x12345;
the printf function： int secret = get_secret();
printf(“%s\n”, str); int uid2 = x56789;
char str[256];

uid1 if (argc < 2)

return 1;
secret
uid2 strncpy(str, argv[1], 255);
str[255] = ‘\0’;
str printf(“Welcome”);
Format string printf(str);

return 0;
}
9
Q4. Program Analysis
You are developing a web service, which accepts the email title title and body body
from users, and forwards them to fake-addr@ntu.edu.sg. This is achieved by the
following program.

Identify the security problems in this piece of program

void send_mail(char* body, char* title) {

FILE* mail_stdin;
char buf[512];
sprintf(buf, "mail -s \“Subject: %s\" fake-addr@ntu.edu.sg", title);

mail_stdin = popen(buf, "w");

fprintf(mail_stdin, body);
pclose(mail_stdin);
}

10
Solution
1. Buffer Overflow
 When the size of title is larger than 471

void send_mail(char* body, char* title) {

FILE* mail_stdin;
char buf[512];
sprintf(buf, "mail -s \“Subject: %s\" fake-addr@ntu.edu.sg", title);

mail_stdin = popen(buf, "w");

fprintf(mail_stdin, body);
pclose(mail_stdin);
}

11
Solution
2. Format string vulnerability
 The string body can contain malicious format specifiers to modify or view
the stack

void send_mail(char* body, char* title) {

FILE* mail_stdin;
char buf[512];
sprintf(buf, "mail -s \“Subject: %s\" fake-addr@ntu.edu.sg", title);

mail_stdin = popen(buf, "w");

fprintf(mail_stdin, body);
pclose(mail_stdin);
}

12
Solution
3. Scripting vulnerability
 title can contain malicious command:
title = empty” foo@bar.com; rm –rf /;
buf = mail –s “Subject: empty” foo@bar.com; rm –rf /; ” fake-addr@ntu.edu.sg
 All the files on the server will be removed.

void send_mail(char* body, char* title) {

FILE* mail_stdin;
char buf[512];
sprintf(buf, "mail -s \“Subject: %s\" fake-addr@ntu.edu.sg", title);

mail_stdin = popen(buf, "w");

fprintf(mail_stdin, body);
pclose(mail_stdin);
}

13
Q4. Program Analysis
The following program implements a function in a network socket: get_two_vars. It
receives two packets, and concatenates the data into a buffer. Use an example to show
this program has integer overflow vulnerability. Note the first integer in the received
buffer from ‘recv’ denotes the size of the buffer.
int get_two_vars(int sock, char *out, int len){
char buf1[512], buf2[512];
int size1, size2;
int size;

if(recv(sock, buf1, sizeof(buf1), 0) < 0)

return -1;
if(recv(sock, buf2, sizeof(buf2), 0) < 0)
return -1;

memcpy(&size1, buf1, sizeof(int));

memcpy(&size2, buf2, sizeof(int));
size = size1 + size2;

if(size > len)

return -1;

memcpy(out, buf1, size1);

memcpy(out + size1, buf2, size2);

return size;
}
14
Solution
It is possible that size1, size2 are very big, but their sum is smaller than len.
 size1 = 0x7fffffff
 size2 = 0x7fffffff
 (0x7fffffff + 0x7fffffff = 0xfffffffe (-2)).
int get_two_vars(int sock, char *out, int len){
char buf1[512], buf2[512];
int size1, size2;
int size;

if(recv(sock, buf1, sizeof(buf1), 0) < 0)

return -1;
if(recv(sock, buf2, sizeof(buf2), 0) < 0)
return -1;

memcpy(&size1, buf1, sizeof(int));

memcpy(&size2, buf2, sizeof(int));
size = size1 + size2; integer overflow
if(size > len)
return -1;

memcpy(out, buf1, size1);

buffer overflow
memcpy(out + size1, buf2, size2);

return size;
15 }