1 / 18

WHEN GOOD CODE GOES BAD!

This showcase by SensePost explores modern programming mishaps and their real-world repercussions. Learn about stack overflow, format string vulnerabilities, dangerous integers, and the importance of fixing code. Discover how even managed code and static analysis tools may not always prevent bugs. Take a closer look at the RealVNC authentication bypass as an example. This presentation aims to answer questions you never thought to ask.

mpardue
Download Presentation

WHEN GOOD CODE GOES BAD!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WHEN GOOD CODE GOES BAD! A SHOWCASE OF MODERN PROGRAMMING MISHAPS (SensePost 2006)

  2. Introduction • Who we are.. (SensePost) • Who we are.. (charl && haroon) • What this talk is about.. • Answer some of those questions you never ask.. • Some real world examples (of shocking code) • Some real world repercussions • Mind the Gap • Constraints…

  3. Agenda • What is this stack overflow stuff? • Then what’s a format string vulnerability? • Hmmm.. What’s all this about dangerous Integers? • What happens if we fix all the code? • Questions..

  4. What’s this Stack Overflow stuff? • This is really old news.. (Morris Worm 1988) • Is it even still a problem? • Super simple explanation: • The Stack.. • Dangerous functions

  5. Super Simple Explanation.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }

  6. Typical Attack.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }

  7. What’s this Stack Overflow stuff? • This is really old news.. (Morris Worm 1988) • Is it even still a problem? • Super simple explanation: • The Stack.. • Dangerous functions • Who would make such a silly mistake? • Everyone… • How easy is this to take advantage of? • Today? Point & Click ownage!

  8. Then what’s a format string bug? • Spot the bug ? • “Safe Version” • See it yet? void syslog(char *buff) { printf(buff) } void syslog(char *buff) { printf(“%s”, buff) }

  9. Then what’s a format string bug? printf(buff); printf(“%s”, buff);

  10. Then what’s a format string bug? buff = “%s”; printf(buff); printf(“%s”, buff); C:\> issa_format.exe

  11. What’s a dangerous Integer?

  12. What’s a dangerous Integer? • Same size as a pointer • Fixed size (32 bits for our purposes) • MAXINT + 1 == ? • ISO C99 “Causes Undefined Behavior” • 0xffffffff + 0x1 == 0 {Integer Wrap Around} • Why is this dangerous ?

  13. Ugly Pseudo-Code 1.) get data from user (buffer) 2.) add trailing \0 character 3.) add 1 to length of buffer (for our \0) 4.) If(length > 80) 5.) { 6.) printf(“Sorry your buffer is too long!”; 7.) exit -1 8.) } 9.) else 0.) { copy(other_buffer, buffer); }

  14. What happens if we fix all the code? • The proliferation of “Managed Code” • Better and better static code analysis.. • Is the end in sight for bug hunters? • RealVNC Authentication Bypass • ActiveX Control

  15. RealVNC Authentication Bypass • Discovered by Steve Wiseman of intelliadmin.com (by mistake)

  16. RealVNC Authentication Bypass “show us”

  17. What does this mean? • Vendors: • There are lots of defects that tools can not easily detect.. • (There are lots of defects they can!) • No vendor is safe just because they have deeper pockets (or “more eyeballs”) • ISO’s: • Defense in Depth.. • End-point-security.. • Patch Management ? • If it can happen to Microsoft …

  18. Questions ? haroon@sensepost.com charl@sensepost.com

More Related