Secure Programming

Quicksort bug

2007-01-19T02:06:00.000-08:00

Any ideas, what may be the possible bug in the following code:

1: public static int binarySearch(int[] a, int key) {
2: int low = 0;
3: int high = a.length - 1;
4:
5: while (low <= high) {
6: int mid = (low + high) / 2;
7: int midVal = a[mid];
8:
9: if (midVal < key)
10: low = mid + 1;
11: else if (midVal > key)
12: high = mid - 1;
13: else
14: return mid; // key found
15: }
16: return -(low + 1); // key not found.
17: }

Note: It is standard algo implemented in Java to sort ArrayList

Regards,
Sandeep

SIX DUMBEST IDEAS IN COMPUTER SECURITY.

2005-09-12T02:33:00.000-07:00

http://www.ranum.com/security/computer_security/editorials/dumb/

Simple Yet Common Again

2005-08-02T04:10:00.000-07:00

int catvars(char *buf1, char *buf2, unsigned int len1,
unsigned int len2){
char mybuf[256];

if((len1 + len2) > 256){
return -1;
}

memcpy(mybuf, buf1, len1);
memcpy(mybuf + len1, buf2, len2);

do_some_stuff(mybuf);

return 0;
}

Simple Yet Common

2005-08-02T04:08:00.000-07:00

int myfunction(int *array, int len){
int *myarray, i;

myarray = malloc(len * sizeof(int));
if(myarray == NULL){
return -1;
}

for(i = 0; i < len; i++){
myarray[i] = array[i];
}

return myarray;
}

Spot the bug

2005-07-19T14:24:00.000-07:00

Microsoft's guy is also hosting a blog where he will be posting the code and you have to find a bug.
Check this out: http://blogs.msdn.com/rsamona/

Thanks
Sandeep

Games

2005-07-05T05:50:00.000-07:00

Ever played hacking games??

Check: http://quiz.ngsec.com/

It is pretty trivial..

Once you are done with it..Dont miss http://hackerslab.org

Amazing.

The temporary one!

2005-04-15T00:01:00.000-07:00

void main()
{
FILE *fh = fopen("/tmp/ABC_my_junk_spot", "w+");
fprintf(fh, "hello..what are you looking at?");
fclose(fh);
}

Find out what is wrong with this piece of code?
How would you exploit this to gain root access if this code runs as root?

PS: The bar girls are like /tmp because
1. They are public property 2.They talk too much

A unix teaser

2005-04-14T03:31:00.000-07:00

I was no God.
I told her my password.
She ran to a unix terminal.
She logged in to my account.
Using 'passwd' she changed my password to whatever she wanted.
she checked if the password was changed. It really was.
When she came back, she fainted when she saw me using different password.

How could I do that?

TIP: It was a race condition

No long names allowed.

2005-04-12T00:41:00.000-07:00

#include <string.h>

int main(int argc, char *argv[]){
unsigned short s;
int i;
char buf[80];

if(argc < 3){
return -1;
}

i = atoi(argv[1]);
s = i;

if(s >= 80){
printf("We dont allow big names.\n");
return -1;
}

strncpy(buf, argv[2], i);
printf("%s\n", buf);
return 0;
}

After compiling, execute it following way:
$ ./a.out 81 alpha0
We dont allow big names.
$./a.out 79 alpha0
alpha0

Lady, tell me the time.

2005-04-07T01:43:00.000-07:00

This program is a SUID program (see my previous post).

int main()
{
System("date");
}

What does it do?
It basically executes command called "date".

Now, what is problem with it?

PS: Lady seems to be blonde

Thanks,
Sandeep

What are SUID programs?

2005-04-07T01:33:00.000-07:00

It is unix term which means "the programs which while running assume someone else's credentials." Generally if a user runs a program the program has same previleges as user has.
So, program can access same resources (files, memory etc..) what user can.
Lets take an example,
When you change your password the password file is modified by the command that changes the password. On the other hand you can edit the password file yourself.
So this command for changing the password runs with the administrator previleges.

This special previleged programs like daemons (See the gatekeepers in the first post) need to be secured because if a user tricks them into executing any other command, the seurity is defeated.

They ought to do what they are supposed to do.
To find all such programs on unix system you can use the following command:
find / -perm -4000 -o -perm -2000 2>/dev/null

Thanks,
Alpha0

The monk is culprit

2005-04-04T14:28:00.000-07:00

While going through the SunOS strcat manual, I was stuck by the following lines.

Buffer overflow can be checked as follows:
if (strlcat(dst, src, dstsize) >= dstsize)
return -1;

What is wrong with it?

Dying of oppulance

2005-04-04T14:03:00.000-07:00

It is a story of a programmer who is dead by the deadlines.
He writes the code quickly to meet the deadline just to get another deadline.
One day someone told his boss a tale about the devilish buffer overflow. Boss gives orders to apply fixes to all the bufferoverflows by using strlcat instead of strcat and run a code-checker over the code.:)
The poor programmer got yet another dead-line. He obeys the boss and here is the code he wrote:

#define BUFSIZ 100
int main()
{
char * response;
response = (char *) malloc (sizeof(char) * BUFSIZ);
char input[50];

printf("Enter your first name:"
scanf("%49s",input);
strlcat(response, input, BUFSIZ);

printf("Enter your middle name:"
scanf("%49s",input);
strlcat(response, input, BUFSIZ);

printf("Enter your last name:"
scanf("%49s",input);
strlcat(response, input, BUFSIZ);
}

Do you think this guy needs to be corrected?

A simple C code.

2005-04-02T03:40:00.000-08:00

I asked an interviewee to write a code that should take a string from user and print it back.

He scribbled it in a fraction of second:

void main()
{
char name[100];
scanf("%s", name);
printf(name);
}

Do you think this code is secure? If not, how many bugs does it have?

Any Interpretations?

2005-04-02T03:32:00.000-08:00