Family name: Chaparro Gonzalez
First name: Diego
E-mail: dchaparro@acm.org

2002: Homework 3 : Software security
----------------------------------------------------------

1.- Terms and concepts
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==

· Input validation: the process of making sure that input is not bad or malicious; programs must ensure that all inputs are checked.[1]

· Format string vulnerability: a program must define how the output of a command will be formatted, because if an untrusted source can decide which format string a formatting command (e.g. print) will use, that command can overwrite arbitrary memory locations, just like a buffer overflow attack.[1]

· Buffer overflow: a buffer can only contain a limited amount of data; when too much data is written to the buffer, it can overflow, overwriting other parts of memory and allowing new code to be inserted and executed.[1]

· Race condition: race conditions happen when more than one process or program competes for the same resource. Because processes and programs can interrupt each other at arbitrary moments in time, data can be corrupted or misinterpreted.[1]

b)
==

Both have in common that parts of memory can be overwritten, inserting malicious code, and this new code can be executed later by the program.[2]

2.- Example
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==

The program uses the function strcpy, which does not check bounds. This is dangerous because the bound of the variable "uname" can be exceeded and some part of memory can be overwritten.
Moreover, strcpy is used with an environment variable, which is even more dangerous because the calling program can set environment variables to arbitrary values, and those values can be a potentially dangerous environment variable.[1]

b)
==

The most important risk is that the program can overwrite an arbitrary part of memory and take control of the instruction pointer of the process. This is dangerous because the process has more privileges than the attacker has; after that, the attacker can execute malicious code with the suid bit.[2]

c)
==

One possibility is to check the length of the environment variable "USER" and only then do the strcpy. Better still is to always use the function strlcpy instead of strcpy, because strlcpy takes the full size of the destination buffer as a parameter, so the bounds will never be exceeded.[1]

3.- Another example
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==

The security hole in the script is that it uses a hidden field from the form, and this field is passed to an exec instruction, which invokes a shell. It is dangerous because the hidden field can be modified by an attacker, who can put malicious code in this variable to be executed later by the shell.[3]

b)
==

An attacker needs to get the source code of the HTML page, in which he can see the hidden field. Then he has to modify the source code of the HTML page and put the code that he wants to execute in the hidden variable; for example, he can change the hidden field to this[3]:

^^^^^^^^^^^^

Then he has to send the form to the server in order to execute the Perl program with the arguments that he has sent. At the end of the Perl program, the server will then execute:

/usr/lib/sendmail -t email@foo.bar; program_name;
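As an added illustration of the fix proposed in question 2 c) (this is example code written for this page, not the homework's original program): the unchecked strcpy of the USER environment variable is shown in a comment, and the hardened version copies with strlcpy semantics and refuses the value when it does not fit. The buffer size and the bounded_copy helper (a local re-implementation of strlcpy's contract, so it builds where libc lacks strlcpy) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNAME_SIZE 16   /* assumed: small buffer so the bound is easy to hit */

/* Local helper with strlcpy semantics: copies at most dstsize-1 bytes,
   always NUL-terminates, and returns strlen(src) so the caller can
   detect truncation by comparing the result against dstsize. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize) {
    size_t srclen = strlen(src);
    if (dstsize == 0) return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Hardened replacement for `strcpy(uname, getenv("USER"))`.
   The value is passed in (rather than read from the environment here)
   so the function can be exercised with constructed inputs.
   Returns 1 on success; 0 if the value is missing or too long, in which
   case uname is left empty instead of holding a silently truncated name. */
int copy_user_name(const char *value, char uname[UNAME_SIZE]) {
    if (value == NULL) return 0;                      /* USER unset */
    if (bounded_copy(uname, value, UNAME_SIZE) >= UNAME_SIZE) {
        uname[0] = '\0';                              /* did not fit: refuse */
        return 0;
    }
    return 1;
}

int main(void) {
    char uname[UNAME_SIZE];
    /* Vulnerable form from the homework (unbounded copy of attacker-controlled
       environment data):  strcpy(uname, getenv("USER"));  */
    if (copy_user_name(getenv("USER"), uname))
        printf("user: %s\n", uname);
    else
        fprintf(stderr, "USER unset or longer than %d bytes; refusing\n",
                UNAME_SIZE - 1);
    return 0;
}
```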