Friday, April 15, 2005

The temporary one!

#include <stdio.h>

void main()
{
    FILE *fh = fopen("/tmp/ABC_my_junk_spot", "w+");
    fprintf(fh, "hello..what are you looking at?");
    fclose(fh);
}

Can you find out what is wrong with this piece of code?
How would you exploit this to gain root access if this code runs as root?

PS: The bar girls are like /tmp because
1. They are public property
2. They talk too much
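The defensive counterpart to the program above, as an added example that is not part of the original post: instead of opening a fixed, predictable name in the world-writable /tmp with fopen(), the file is created with O_CREAT|O_EXCL (so the call fails if anything, including a symbolic link, already sits at that path) or with mkstemp(3), which picks an unpredictable name and creates it with mode 0600. The self-check at the end plants a link in a scratch directory of its own to show the refusal; the directory, the link and the "victim" name are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` for writing only if we are the ones creating it.
 * O_EXCL makes the create atomic: if an entry already exists at the path
 * (a regular file, or a symlink planted by another user of /tmp) open()
 * fails with EEXIST instead of following it.  Mode 0600 keeps the file
 * private.  Returns the descriptor, or -1 with errno set. */
int create_private_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form when the name itself does not matter: mkstemp(3) replaces
 * the trailing XXXXXX with an unpredictable suffix and creates the file
 * exclusively with mode 0600.  `template_path` is modified in place. */
int create_temp_file(char *template_path) {
    return mkstemp(template_path);
}

/* Self-check: in a fresh private directory (constructed here), a symlink
 * left at the expected name must be refused, a fresh name must succeed,
 * and nothing may be written through the link.  Returns 1 on pass. */
int demo_symlink_refused(void) {
    char dir[32] = "/tmp/tmpdemo_XXXXXX";
    char planted[512], target[512], fresh[512];
    int ok = 0;

    if (mkdtemp(dir) == NULL) {                 /* fall back to the cwd */
        strcpy(dir, "./tmpdemo_XXXXXX");
        if (mkdtemp(dir) == NULL) return 0;
    }
    snprintf(planted, sizeof planted, "%s/ABC_my_junk_spot", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    /* Simulate a link left behind before the program runs. */
    if (symlink(target, planted) == 0) {
        int fd = create_private_file(planted);
        int refused = (fd == -1 && errno == EEXIST);
        if (fd >= 0) close(fd);

        int fd2 = create_private_file(fresh);
        int created = (fd2 >= 0);
        if (fd2 >= 0) close(fd2);

        /* The link target must not have come into existence. */
        ok = refused && created && access(target, F_OK) != 0;
        unlink(fresh);
    }
    unlink(planted);
    rmdir(dir);
    return ok;
}

int main(void) {
    char name[] = "/tmp/ABC_XXXXXX";           /* template for mkstemp */
    int fd = create_temp_file(name);
    if (fd >= 0) {
        dprintf(fd, "hello..what are you looking at?\n");
        close(fd);
        unlink(name);
    }
    printf("symlink refused: %s\n", demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

The check in demo_symlink_refused() is the property a reviewer wants from any program that writes into a shared directory: the open either creates a brand-new file owned by the program or fails, and it never follows an entry someone else put there.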

Thursday, April 14, 2005

A unix teaser

I was no God.
I told her my password.
She ran to a unix terminal.
She logged in to my account.
Using 'passwd' she changed my password to whatever she wanted.
She checked if the password was changed. It really was.
When she came back, she fainted when she saw me using a different password.

How could I do that?

TIP: It was a race condition

Tuesday, April 12, 2005

No long names allowed.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]){
    unsigned short s;
    int i;
    char buf[80];

    if(argc < 3){
        return -1;
    }

    i = atoi(argv[1]);
    s = i;

    if(s >= 80){
        printf("We dont allow big names.\n");
        return -1;
    }

    strncpy(buf, argv[2], i);
    printf("%s\n", buf);
    return 0;
}

After compiling, execute it the following way:
$ ./a.out 81 alpha0
We dont allow big names.
$ ./a.out 79 alpha0
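The hardened version of the length check, as an added example that is not part of the original post: the program above stores the user's number in an int, narrows it to an unsigned short for the comparison, and then hands the original int to strncpy, so the value that is checked is not the value that is used. The code below keeps one width (size_t) from parsing to copying, rejects anything that is not a plain decimal number, compares against the real buffer size, and terminates the result. naive_check_passes() mirrors the post's comparison so the two can be compared; the function names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the comparison in the post: the int is narrowed to an unsigned
 * short before the test, so any multiple of 65536 wraps to 0 and passes.
 * Returns 1 when the post's check would accept the length. */
int naive_check_passes(int i) {
    unsigned short s = (unsigned short)i;
    return s < 80;
}

/* Parse a length the strict way: digits only (no sign, no whitespace, no
 * trailing junk), no overflow, and compared in full width against the real
 * buffer size.  Returns the length, or -1 if it must be rejected. */
long parse_length(const char *text, size_t limit) {
    char *end;
    if (text == NULL || !isdigit((unsigned char)text[0])) return -1;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno != 0 || *end != '\0') return -1;   /* overflow or trailing junk */
    if (v >= limit) return -1;                   /* checked in the width used for the copy */
    return (long)v;
}

/* Copy at most the requested number of bytes of `name` into buf and always
 * NUL-terminate (strncpy does not when the source is at least n bytes).
 * Returns 0 on success, -1 if the length was rejected. */
int copy_name(const char *lenstr, const char *name, char *buf, size_t bufsz) {
    long n = parse_length(lenstr, bufsz);
    if (n < 0) return -1;
    strncpy(buf, name, (size_t)n);
    buf[n] = '\0';                                /* n < bufsz, so this is in bounds */
    return 0;
}

int main(int argc, char *argv[]) {
    char buf[80];
    if (argc < 3) return -1;
    if (copy_name(argv[1], argv[2], buf, sizeof buf) != 0) {
        printf("We dont allow big names.\n");
        return -1;
    }
    printf("%s\n", buf);
    return 0;
}
```

The point to take away is in the signatures: the size that is checked and the size that is copied are the same variable of the same type, so no conversion can sit between the test and the use.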

Thursday, April 07, 2005

Lady, tell me the time.

This program is a SUID program (see my previous post).

int main()

What does it do?
It basically executes the command called "date".

Now, what is the problem with it?

PS: Lady seems to be blonde


What are SUID programs?

It is a unix term for "programs which, while running, assume someone else's credentials." Generally, when a user runs a program, the program has the same privileges the user has.
So the program can access the same resources (files, memory etc.) that the user can.
Let's take an example.
When you change your password, the password file is modified by the command that changes the password. On the other hand, you cannot edit the password file yourself.
So this command for changing the password runs with administrator privileges.

These specially privileged programs, like daemons (see the gatekeepers in the first post), need to be secured, because if a user tricks them into executing any other command, the security is defeated.

They ought to do only what they are supposed to do.
To find all such programs on a unix system you can use the following command:
find / -perm -4000 -o -perm -2000 2>/dev/null
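A way to turn the find command above into a routine check, as an added example that is not part of the original post: the same permission predicate is wrapped in a function, the output is sorted so it can be saved as a baseline, and a second function reports setuid or setgid files that were not in that baseline. The demo at the end runs on a scratch directory it creates itself (the file names are constructed), not on the live system; the function names are this example's own.

```sh
#!/bin/sh
# list_setid_files DIR
# Print the path of every regular file below DIR carrying the setuid (4000)
# or setgid (2000) bit, one per line, sorted so the output can be kept as a
# baseline.  Same predicate as the find command in the post, limited to one
# filesystem (-xdev) and to regular files (-type f).
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# count_setid_files DIR: number of such files below DIR
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# setid_added_since BASELINE DIR
# Print setuid/setgid files present now but absent from BASELINE, a file
# written earlier by list_setid_files.  Every line printed here is either a
# package that was installed since, or a privileged binary that should not
# be there; both deserve a look.
setid_added_since() {
    list_setid_files "$2" | comm -13 "$1" -
}

# Demo on a scratch directory constructed here: one plain file, one setuid
# file recorded in the baseline, then one setgid file that appears later.
demo() {
    d=$(mktemp -d)
    : > "$d/plain";  chmod 0755 "$d/plain"
    : > "$d/setuid"; chmod 4755 "$d/setuid"
    list_setid_files "$d" > "$d/baseline"
    : > "$d/planted"; chmod 2755 "$d/planted"
    echo "setid files now: $(count_setid_files "$d")"
    echo "added since baseline:"
    setid_added_since "$d/baseline" "$d"
    rm -rf "$d"
}

demo
```

Run list_setid_files / once after installation, keep the output somewhere the system cannot modify it, and compare with setid_added_since on a schedule; the baseline file itself must live outside the directory being scanned or be excluded, otherwise it is rescanned (it is harmless here because it carries no setid bit).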


Monday, April 04, 2005

The monk is culprit

While going through the SunOS strcat manual, I was struck by the following lines.

Buffer overflow can be checked as follows:
if (strlcat(dst, src, dstsize) >= dstsize)
return -1;

What is wrong with it?

Dying of opulence

It is a story of a programmer who is being killed by deadlines.
He writes the code quickly to meet one deadline just to get another.
One day someone told his boss a tale about the devilish buffer overflow. The boss gives orders to fix all the buffer overflows by using strlcat instead of strcat and to run a code-checker over the code. :)
The poor programmer got yet another deadline. He obeys the boss and here is the code he wrote:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZ 100

int main()
{
    char * response;
    response = (char *) malloc (sizeof(char) * BUFSIZ);
    char input[50];

    printf("Enter your first name:");
    strlcat(response, input, BUFSIZ);

    printf("Enter your middle name:");
    strlcat(response, input, BUFSIZ);

    printf("Enter your last name:");
    strlcat(response, input, BUFSIZ);

    return 0;
}

Do you think this guy needs to be corrected?
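An added example for the two strlcat posts above ("The monk is culprit" and "Dying of opulence"); it is not code from the original blog. strlcat only works on a destination that is already a NUL-terminated string, and its return value has to be checked after every call, not just the last one. my_strlcat is a reimplementation of the OpenBSD semantics included here because not every libc ships strlcat; build_full_name does the programmer's job with the destination initialised and each return value checked, and append_to_unterminated shows what strlcat reports when it is handed a raw malloc() block. The names Ada King Lovelace and the 'A'-filled block are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESPONSE_SIZE 100

/* strlcat(3) with the OpenBSD semantics, reimplemented here so the example
 * builds everywhere.  Appends src to dst within dsize bytes, always
 * NUL-terminates when dsize > 0, and returns the length it tried to build
 * (strlen(dst) + strlen(src)); a return value >= dsize means truncation.
 * The scan for the end of dst stops at dsize bytes, so a dst with no NUL in
 * it is reported as dsize + strlen(src) and is left untouched: an
 * uninitialised destination shows up as an overflow rather than a read
 * past the end of the buffer. */
size_t my_strlcat(char *dst, const char *src, size_t dsize) {
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0') dlen++;
    size_t slen = strlen(src);
    if (dlen == dsize) return dsize + slen;      /* no terminator found, nothing appended */
    size_t room = dsize - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build "first middle last" into out (outsz bytes).  The destination starts
 * as an empty string and every strlcat return value is checked before the
 * next append.  Returns 0 on success, -1 if any piece did not fit (out is
 * then truncated but still NUL-terminated). */
int build_full_name(const char *first, const char *middle, const char *last,
                    char *out, size_t outsz) {
    const char *parts[] = { first, " ", middle, " ", last };
    if (outsz == 0) return -1;
    out[0] = '\0';                               /* strlcat needs a terminated dst */
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        if (my_strlcat(out, parts[i], outsz) >= outsz) return -1;
    }
    return 0;
}

/* What the programmer's code does: malloc() returns an unterminated block.
 * The block is filled with 'A' (constructed) to make that explicit, then
 * src is appended; the value strlcat reports is returned. */
size_t append_to_unterminated(const char *src) {
    char *response = malloc(RESPONSE_SIZE);
    if (response == NULL) return 0;
    memset(response, 'A', RESPONSE_SIZE);        /* no NUL anywhere in the block */
    size_t r = my_strlcat(response, src, RESPONSE_SIZE);
    free(response);
    return r;
}

int main(void) {
    char out[RESPONSE_SIZE];
    if (build_full_name("Ada", "King", "Lovelace", out, sizeof out) == 0)
        printf("%s\n", out);
    printf("strlcat on an unterminated block reports %zu for a %d-byte buffer\n",
           append_to_unterminated("Bob"), RESPONSE_SIZE);
    return 0;
}
```

Two things follow for the programmer's code: calloc() or an explicit response[0] = '\0' is required before the first strlcat, and the manual's comparison has to be applied to each call, since the truncation it detects has already happened by the time it returns.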

Saturday, April 02, 2005

A simple C code.

I asked an interviewee to write code that takes a string from the user and prints it back.

He scribbled it in a fraction of a second:

#include <stdio.h>

void main()
{
    char name[100];
    scanf("%s", name);
}

Do you think this code is secure? If not, how many bugs does it have?

Any Interpretations?
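A bounded version of the interviewee's read, as an added example that is not part of the original post: scanf("%s", name) copies until whitespace with no regard for the size of name, whereas fgets() stops at the buffer size and always terminates. The function below also strips the newline, tells the caller when a line did not fit, and discards the rest of that line so the next read starts clean. read_name_from_string uses fmemopen(3) (POSIX) so the behaviour can be shown on constructed input without a terminal; the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Read one line from `in` into out (outsz bytes) with a hard bound.
 * Returns the number of characters stored, -1 on EOF or error, or -2 if the
 * line was longer than the buffer (the remainder of that line is consumed).
 * A scanf-style alternative with the same bound is scanf("%99s", name) for
 * a 100-byte buffer, but the width is then tied to the buffer by hand. */
int read_name(FILE *in, char *out, size_t outsz) {
    if (outsz == 0 || fgets(out, (int)outsz, in) == NULL) return -1;
    size_t len = strlen(out);
    if (len > 0 && out[len - 1] == '\n') {
        out[--len] = '\0';
        return (int)len;
    }
    /* No newline in the buffer: the line fit exactly (next char is '\n' or
     * EOF) or it was too long (more characters follow). */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;
    while (c != EOF && c != '\n') c = fgetc(in);
    return -2;
}

/* Convenience wrapper: read the first line of a constructed string. */
int read_name_from_string(const char *text, char *out, size_t outsz) {
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return -1;
    int r = read_name(in, out, outsz);
    fclose(in);
    return r;
}

/* Constructed check: a 200-character line followed by "bob".  Returns 1 if
 * the long line is rejected and the line after it is still read intact. */
int demo_overlong(void) {
    char text[256];
    char name[100];
    memset(text, 'A', 200);
    memcpy(text + 200, "\nbob\n", 6);           /* copies the NUL too */
    FILE *in = fmemopen(text, strlen(text), "r");
    if (in == NULL) return 0;
    int first = read_name(in, name, sizeof name);
    int second = read_name(in, name, sizeof name);
    fclose(in);
    return first == -2 && second == 3 && strcmp(name, "bob") == 0;
}

int main(void) {
    char name[100];
    int n = read_name(stdin, name, sizeof name);
    if (n >= 0) printf("%s\n", name);
    else if (n == -2) printf("name too long (max %zu characters)\n", sizeof name - 1);
    return 0;
}
```

Besides the missing bound, note that the interviewee's program never prints the string and declares main as void; the version above returns an int and prints what it read, which is what the task asked for.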