Link to this headingC & C++

Link to this headingModern C++

New Use after free vulns

Link to this headingStrings

Link to this headingStringcmp

Using strncmp() instead of memcmp() to compare the SHA hash

  • strncmp will return when a null byte is reached. If the comparison is good up to the null byte then it is true. If the first byte was null, no comparison would be done and the check would pass.

Test in C:

/* strncmp example */ #include <stdio.h> #include <string.h> int main () { char str1[12] = "\x99\x00"; char str2[21] = "\x99\x88\x00\xAA\xBB\xCC\xDD\xEE\xFF"; printf("strlen str1: %d", strlen(str1)); //strlen str1: 9 printf("strlen str2: %d", strlen(str2)); //strlen str2: 9 int ret = strncmp(str2,str1,21); printf("strncmp %d\n", ret); //strncmp 0 }

Link to this headingOthers

Unsafe string manipulation functions:

  • strcpy - No bounds checking, can cause Buffer Overflows
  • strcat - No bounds checking when concatenating strings
  • strncpy - May not null-terminate, can leave uninitialized data
  • strncat - Off-by-one errors common with length parameter
  • sprintf - No bounds checking on output buffer
  • vsprintf - Variable argument version of sprintf with same issues

Memory functions:

  • memcpy - No overlap checking, can corrupt data if source/dest overlap

Safer alternatives:

  • Use strncpy with explicit null termination
  • Use strlcpy/strlcat where available
  • Use snprintf/vsnprintf instead of sprintf/vsprintf
  • Use memmove instead of memcpy for potentially overlapping regions

Link to this headingTime

Vulnerable time functions:

  • gmtime - Returns pointer to static buffer, not thread-safe
  • localtime - Returns pointer to static buffer, not thread-safe
  • ctime - Returns pointer to static buffer, not thread-safe
  • asctime - Returns pointer to static buffer, not thread-safe

Thread-safe alternatives:

  • gmtime_r - Reentrant version of gmtime
  • localtime_r - Reentrant version of localtime
  • ctime_r - Reentrant version of ctime
  • asctime_r - Reentrant version of asctime

Link to this headingMemory Safety

Dangling pointer:
A pointer that originally pointed to valid data before it was freed/deallocated. This can turn into a [Use After Free](/Exploitation/Heap/Use After Free.md) vulnerability.

char *foo = malloc(100); free(foo); *foo = 23; // Use after free vulnerability

Out-of-bounds pointer:
Original pointer pointed inside the object but the pointer was changed to point outside the object.

char foo[40]; foo[42] = 23;

Control Flow Hijack Attack:

int vuln(int usr, int usr2){ void *(func_ptr)(); //func_ptr is on the stack int *q = buf + usr; //Out of Bounds Pointer from usr //Using the out-of-bounds pointer you can point q to the address on the stack that has the func_ptr ... func_ptr = &foo; ... *q = usr2; //q is being dereferenced and can overwrite the func_ptr pointer ... (*func_ptr)(); // Overwritten function is executed (Gadgets) }

Link to this headingStatic Analysis

FlawFinder:

>>> flawfinder ../Programs/aes-brute-force/test Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining ../Programs/aes-brute-force/test/aes-brute-force_origional.cpp Examining ../Programs/aes-brute-force/test/aes-brute-force.cpp FINAL RESULTS: ../Programs/aes-brute-force/test/aes-brute-force.cpp:208: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. ../Programs/aes-brute-force/test/aes-brute-force.cpp:209: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. [...]

CPPCheck:

>>> cppcheck ../Programs/aes-brute-force/test/ Checking ../Programs/aes-brute-force/test/aes-brute-force.cpp ... ../Programs/aes-brute-force/test/aes-brute-force.cpp:148:9: error: Array 'cnt8[16]' accessed at index 16, which is out of bounds. [arrayIndexOutOfBounds] cnt8[b]++; ^ ../Programs/aes-brute-force/test/aes-brute-force.cpp:142:5: note: After for loop, b has value 16 for(b=0;b<16;b++){ ^ ../Programs/aes-brute-force/test/aes-brute-force.cpp:148:9: note: Array index out of bounds cnt8[b]++; ^ [...]

Link to this headingFormat string attack

Exploitation of a Format String Vuln

Vulnerable functions:

  • printf family: printf, fprintf, sprintf, snprintf
  • vprintf family: vprintf, vfprintf, vsprintf, vsnprintf
  • syslog and custom logging functions

Example vulnerability:

// User input directly passed to printf char *user_input = get_user_input(); printf(user_input); // Vulnerable - use printf("%s", user_input) instead

Impact:

  • Information disclosure (reading stack/memory)
  • Arbitrary memory writes
  • Code execution in some cases

Prevention:

  • Always use format strings: printf("%s", user_input)
  • Use compiler flags: -Wformat -Wformat-security
  • Static analysis tools can detect many format string bugs