Thread: Analysing Code for potential security vulnerabilities

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    28

    Question Analysing Code for potential security vulnerabilities

    Hey all,

    As a hobbyist programmer, this isn't a major issue for me, but still something I hold a great interest in.

    When looking through code that has been classed as vulnerable, I've been trying to see what actually makes it vulnerable. A few times, I could see why. For example, an Apache exploit in which a URL with more than the expected parameters caused Apache to write beyond the array it stored the data in, into the executable memory space.

    However, most of the time, I find it difficult to see these exploits.

    So, basically, I'm asking for tips on spotting exploits in code.

    Thanks very much
    [u]HTML Lesson #43[/u]
    [u]The acceptable use of the <blink> tag[/u]

    Schrödinger's cat is <blink>not</blink> dead!

  2. #2
    Moderator theprez98
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by [NIL] View Post
    Hey all,

    As a hobbyist programmer, this isn't a major issue for me, but still something I hold a great interest in.

    When looking through code that has been classed as vulnerable, I've been trying to see what actually makes it vulnerable. A few times, I could see why. For example, an Apache exploit in which a URL with more than the expected parameters caused Apache to write beyond the array it stored the data in, into the executable memory space.

    However, most of the time, I find it difficult to see these exploits.

    So, basically, I'm asking for tips on spotting exploits in code.

    Thanks very much
    http://www.maths.leeds.ac.uk/~read/bofs.html
    http://web.textfiles.com/hacking/buffer.txt

    As a start.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    23

    Default

    Hello!

    Interesting topic. I guess nothing beats a good brain and a manual check;
    however, maybe you would like to run some tools on the source first.
    I just googled a few, hoping you can do some testing and report back to
    us if any of these tools were good. These tools are for C++ and C code; is that
    what you are looking for?

    Flawfinder
    RATS
    ITS4
    Splint
    cqual

    Testers programs
    BFBTester
    Spike
    fuzz

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    28

    Default

    Quote Originally Posted by capron View Post

    These tools are for C++ and C code; is that
    what you are looking for?
    Sorry, should have said. Personally, I program in PASCAL, which is closer to C++ than C, but since most web apps - at least, open source ones - are coded in C, I'm happy to expend a little effort learning that too.

    Thanks, but I understand the concept of a buffer overflow; if you have any texts with tips on how to spot them, that would be brilliant.


    Thanks very much to both of you.

  5. #5
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by [NIL] View Post
    Sorry, should have said. Personally, I program in PASCAL, which is closer to C++ than C, but since most web apps - at least, open source ones - are coded in C, I'm happy to expend a little effort learning that too.
    I'm not sure what makes you think most web apps are C, but from my experience you're looking more at: Java (incl JSP/Servlet/EJB), PHP, MS whatever.NET (usually VB ). With a high likelihood of some Ruby, PHP, Python, or Perl doing small pieces in the backend (comms with other systems etc). Plus SQL for DB integration. [Or did you mean App Server/Infrastructure apps?]

    PMD is an interesting source code analysis tool you might wanna look at. (http://sourceforge.net/projects/pmd/)
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    28

    Default

    Quote Originally Posted by thorin View Post
    I'm not sure what makes you think most web apps are C, but from my experience you're looking more at: Java (incl JSP/Servlet/EJB), PHP, MS whatever.NET (usually VB ). With a high likelihood of some Ruby, PHP, Python, or Perl doing small pieces in the backend (comms with other systems etc). Plus SQL for DB integration. [Or did you mean App Server/Infrastructure apps?]

    PMD is an interesting source code analysis tool you might wanna look at. (http://sourceforge.net/projects/pmd/)
    Yeah, sorry again

    I meant server apps.

    I need to sleep more

  7. #7
    Very good friend of the forum hhmatt
    Join Date
    Jan 2010
    Posts
    660

    Default

    Sorry, I don't have the greatest experience in Pascal; I have briefly studied Delphi. From everything I've read, and it makes sense, no program can replace human knowledge in identifying possible overflows. There's probably a good book somewhere that explains how to write safer code in almost every language. It is going to require a deeper understanding of which commands do bounds checking and which do not. Also, it doesn't hurt to have someone else look over the code. They might be able to point out possible overflows you have overlooked.

    Next I might suggest learning how to fuzz. Doing a few quick fuzz tests on your program should determine weaknesses in your program's code and should allow you to examine and identify possible security threats.

    Also maybe a google search on some pascal commands that lead to vulnerabilities might be a good idea. I know I remember seeing a good page on C++ recently but that doesn't completely apply to you.
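    Added example, not from this thread: a small C model of the kind of bug [NIL] describes in post #1 (a parser that stores an attacker-controlled number of URL parameters into a fixed-size array) next to its bounds-checked form, plus the kind of quick fuzz test hhmatt suggests in post #7, which sweeps the parameter count upward and detects the write past the array. Everything here (the struct params layout, MAX_PARAMS, the "p0=v&p1=v" query format and the harness) is hypothetical and stands in for no real Apache code. The reading heuristic it illustrates is the one that actually finds these bugs: locate every fixed-size array, find every write into it, and ask what bounds the index.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sizes for the demo: the array that holds parsed parameters and
 * the slack region the fuzz harness uses to detect writes past it. */
#define MAX_PARAMS 4
#define SLACK 256
#define FILL 0xA5

/* Hypothetical record of parsed "key=value" pieces from a query string.
 * A fixed-size array like this is the first thing to look for when reading code
 * for overflows: find every write into it and check what bounds the index. */
struct params {
    const char *val[MAX_PARAMS];
};

/* Vulnerable form: the index n is driven purely by how many '&'-separated
 * pieces the (attacker-controlled) query contains and is never compared with
 * MAX_PARAMS, so the fifth piece is written past the end of val[].
 * strtok() modifies the string in place and is not reentrant; fine for a demo. */
int parse_query_vuln(char *query, struct params *p)
{
    int n = 0;
    for (char *tok = strtok(query, "&"); tok != NULL; tok = strtok(NULL, "&"))
        p->val[n++] = tok;           /* no bound on n */
    return n;
}

/* Hardened form: identical logic, but the bound is checked before every write
 * and an oversized query is rejected instead of silently truncated or overflowed. */
int parse_query_safe(char *query, struct params *p)
{
    int n = 0;
    for (char *tok = strtok(query, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        if (n >= MAX_PARAMS)
            return -1;               /* too many parameters */
        p->val[n++] = tok;
    }
    return n;
}

/* Builds a constructed query with `count` pieces, e.g. "p0=v&p1=v&p2=v". */
static void make_query(char *buf, size_t cap, int count)
{
    size_t used = 0;
    buf[0] = '\0';
    for (int i = 0; i < count; i++) {
        int w = snprintf(buf + used, cap - used, "%sp%d=v", i ? "&" : "", i);
        if (w < 0 || (size_t)w >= cap - used)
            break;                   /* query buffer full: stop rather than truncate silently */
        used += (size_t)w;
    }
}

/* One fuzz iteration: place the struct at the head of a heap region whose tail is
 * filled with a known pattern, run the parser, and report whether any tail byte
 * changed. Returns 1 if the parser wrote past its struct, 0 if it did not,
 * -1 if the region could not be allocated. */
int fuzz_once(int (*parser)(char *, struct params *), int count)
{
    size_t total = sizeof(struct params) + SLACK;
    unsigned char *region = malloc(total);
    char query[512];
    int clobbered = 0;

    if (region == NULL)
        return -1;
    memset(region, FILL, total);
    make_query(query, sizeof query, count);
    parser(query, (struct params *)region);   /* malloc alignment suffices for the struct */

    for (size_t i = sizeof(struct params); i < total; i++)
        if (region[i] != FILL)
            clobbered = 1;
    free(region);
    return clobbered;
}

/* Sweeps the parameter count upward, the way a quick fuzz run would, and returns
 * the smallest count that overflowed, or -1 if none did. max_count must stay below
 * SLACK / sizeof(char *) so every overflow lands inside the slack region we own. */
int fuzz_param_counts(int (*parser)(char *, struct params *), int max_count)
{
    for (int count = 0; count <= max_count; count++)
        if (fuzz_once(parser, count) == 1)
            return count;
    return -1;
}

int main(void)
{
    int v = fuzz_param_counts(parse_query_vuln, 16);
    int s = fuzz_param_counts(parse_query_safe, 16);
    printf("vulnerable parser overflows at %d parameters\n", v);   /* 5 */
    printf("hardened parser overflows at %d (-1 = never)\n", s);   /* -1 */
    return 0;
}
```

    Build with gcc -Wall -o parsefuzz parsefuzz.c and run it; the vulnerable parser is caught at five parameters, the hardened one never. The harness only notices writes into the slack region it owns, which is why max_count is kept small; for a real target, an AddressSanitizer build (-fsanitize=address) does the same job for every allocation and every stack buffer.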

  8. #8
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    I'm new in this area, but try to write an exploit, then look at the asm, then run a debugger on the program to exploit and see if you can get a match.

    Anyway, if it's in the OS, like SMB, try modifying this script (fuzzy):
    /* Crude SMB (TCP/445) probe for Windows, as posted, with the obvious defects
     * fixed: the two send phases no longer overlap (the second one indexed
     * sendbuf with a negative offset while count <= 500), buffers are zeroed and
     * received data is NUL-terminated before printing, and the host lookup and
     * connect are checked. Unused counters were dropped.
     * Build with MinGW:  gcc fuzzy.c -o fuzzy.exe -lws2_32 */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>   /* must come before windows.h */
    #include <windows.h>

    int main(int argc, char *argv[])
    {
        struct sockaddr_in their_addr;
        WSADATA wsa;
        struct hostent *he;
        int len, sockfd;
        int c = 0, cha = 0, count = 0;
        char storebuf[2100], store[5];
        char recvbuf[2100], sendbuf[2100];

        if (argc < 2) {
            fprintf(stderr, "usage: %s <host>\n", argv[0]);
            return 1;
        }

        WSAStartup(MAKEWORD(2, 0), &wsa);
        he = gethostbyname(argv[1]);
        if (he == NULL) {
            fprintf(stderr, "gethostbyname failed: %d\n", WSAGetLastError());
            WSACleanup();
            return 1;
        }
        sockfd = socket(AF_INET, SOCK_STREAM, 0);

        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(445);
        their_addr.sin_addr = *((struct in_addr *)he->h_addr);
        memset(&(their_addr.sin_zero), '\0', 8);

        if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) != 0) {
            fprintf(stderr, "connect failed: %d\n", WSAGetLastError());
            closesocket(sockfd);
            WSACleanup();
            return 1;
        }

        /* Zero everything, then fill the first 500 bytes of sendbuf with the
         * values 0..499 (truncated to a char). */
        memset(sendbuf, 0, sizeof sendbuf);
        memset(recvbuf, 0, sizeof recvbuf);
        memset(storebuf, 0, sizeof storebuf);
        memset(store, 0, sizeof store);
        do {
            sendbuf[c] = (char)cha;
            cha++;
            c++;
        } while (c < 500);
        c = 0;
        cha = 0;

        do {
            if (count <= 500) {
                /* Phase 1: send a 5-byte window sliding through sendbuf. */
                send(sockfd, &sendbuf[count], 5, 0);
                len = recv(sockfd, recvbuf, 1, 0);
                if (len > 0) {
                    recvbuf[len] = '\0';
                    printf("%s\n", recvbuf);
                }
            } else if (count <= 1000) {
                /* Phase 2: send 2-byte pairs from sendbuf, padded with zeros. */
                store[0] = sendbuf[count - 500];
                store[1] = sendbuf[count - 499];
                send(sockfd, store, 5, 0);
                len = recv(sockfd, recvbuf, 1, 0);
                if (len > 0) {
                    recvbuf[len] = '\0';
                    printf("%s\n", recvbuf);
                }
            }
            /* Keep the last reply so it can be compared against the next one
             * (the original left that comparison commented out). */
            memcpy(storebuf, recvbuf, 5);
            count++;
        } while (count < 50000);

        closesocket(sockfd);
        WSACleanup();
        return 0;
    }
