Question

Find 5 types of C or C++ commands that are insecure. Give an example and explain...

Find 5 types of C or C++ commands that are insecure. Give an example and explain why each is insecure.

Answer #1

Solution(s):

1. STACK-BASED BUFFER OVERFLOWS

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows:

Example Language: C

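#include <string.h>

#define BUFSIZE 256

int main(int argc, char **argv) {
    char buf[BUFSIZE];   /* fixed-size buffer on the stack */

    /* strcpy() copies until the terminating NUL, with no length limit */
    strcpy(buf, argv[1]);
    return 0;
}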

The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

2. HEAP-BASED BUFFER OVERFLOWS

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:

Example Language: C

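#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256

int main(int argc, char **argv) {
    char *buf;

    /* fixed-size buffer on the heap */
    buf = (char *)malloc(sizeof(char)*BUFSIZE);
    /* strcpy() copies until the terminating NUL, with no length limit */
    strcpy(buf, argv[1]);
    return 0;
}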

The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

3. DANGLING POINTER REFERENCES

Dangling pointers arise during object destruction, when an object that has an incoming reference is deleted or deallocated without modifying the value of the pointer, so that the pointer still points to the memory location of the deallocated memory.

#include <stdlib.h>

#define Constant_Value 16   /* placeholder allocation size */

int main(void) {
    char *ptr = malloc(Constant_Value);

    free(ptr); /* ptr now becomes a dangling pointer */
    return 0;
}

The character pointer is declared in the first step. After some statements execute, the memory previously allocated for the pointer is deallocated. As soon as the memory is deallocated, the pointer becomes a dangling pointer.

4. FORMAT STRING VULNERABILITIES

Format String

• What is a format string?

printf("The magic number is: %d\n", 2019);

The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, which is replaced with the parameter (2019) in the output. Therefore the output looks like: The magic number is: 2019. In addition to %d, there are several other format parameters, each having different meaning. The following table summarizes these format parameters:

Parameter   Meaning                                        Passed as
-------------------------------------------------------------------
%d          decimal (int)                                  value
%u          unsigned decimal (unsigned int)                value
%x          hexadecimal (unsigned int)                     value
%s          string ((const) (unsigned) char *)             reference
%n          number of bytes written so far, (* int)        reference

• The stack and its role at format strings

The behavior of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack.

printf("a has value %d, b has value %d, c is at address: %08x\n",
       a, b, &c);

5. INTEGER ERRORS

Integer overflow is the result of trying to place into computer memory an integer (whole number) that is too large for the integer data type in a given system. ... According to ISO C99, the C programming language standard, the actual value resulting from an instance of integer overflow must be regarded as unpredictable.
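
Section 5 gives no code, so the following is an added example, not part of the original answer: it checks for integer overflow before the arithmetic happens and shows how an unchecked size calculation leads to the undersized heap buffer of section 2. The function names checked_add_int, checked_mul_size and copy_records are hypothetical, and the values in main() are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 and stores a + b in *out, or returns 0 if the sum would not
 * fit in int. The test runs before the addition, because signed overflow
 * itself is undefined behavior in C. */
int checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}

/* Returns 1 and stores count * size in *out, or returns 0 if the product
 * does not fit in size_t (unsigned arithmetic would silently wrap). */
int checked_mul_size(size_t count, size_t size, size_t *out) {
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    *out = count * size;
    return 1;
}

/* Copies `count` records of `size` bytes each into a new heap buffer.
 * Without the check, count * size can wrap to a small number, malloc()
 * returns an undersized buffer, and the copy overflows the heap.
 * Returns NULL on overflow or allocation failure. */
void *copy_records(const void *src, size_t count, size_t size) {
    size_t total;
    void *dst;

    if (!checked_mul_size(count, size, &total))
        return NULL;
    dst = malloc(total ? total : 1);
    if (dst != NULL)
        memcpy(dst, src, total);
    return dst;
}

int main(void) {
    int sum;
    size_t total;
    /* Constructed sample values: both calls are rejected and print 0 */
    printf("INT_MAX + 1 accepted: %d\n", checked_add_int(INT_MAX, 1, &sum));
    printf("(SIZE_MAX/2 + 1) * 2 accepted: %d\n",
           checked_mul_size(SIZE_MAX / 2 + 1, 2, &total));
    return 0;
}
```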
