a student
I know nothing about C++...got this exercise in a course about security...have been trying to understand this problem for last 3 hours...still in vain...can someone give me a hint??
    #include <iostream>
    using namespace std;

    int main()
    {
        char command[40];   // Send command to
        int time_of_day;    // Avoid replay attack?
        const bool ever = 1;
        for ( ;ever; ) {
            cin >> time_of_day >> command;
            cout << "Command was " << command << " at time " << time_of_day << endl;
        }
    }

If we try input:

    13 report
    13 shoot-to-kill
    15 shoot only if they shoot first
    12:00 fire

How can someone perform a denial of service attack on this server? This same error was present in NT4, prior to service pack 2. This problem is difficult to fix with the C++ stream library, but easy to fix with C's I/O library:

    #include <stdio.h>
    #define ever 1

    int main(void)
    {
        char command[40];   // Send command to
        int time_of_day;    // Avoid replay attack?
        for ( ;ever; ) {
            scanf("%d %[^\n]",&time_of_day,command);
            printf("Command %s at time %d\n",command,time_of_day);
        }
    }

The regular expression matcher %[^\n] means `match any object consisting of any character up to end of line'. Why is it safer now?
This is just a guess - I don't work too much with servers. Offhand, I would say that it's possible that on the C++, a string could be sent like this:

    time_of_day    command
    12345          "getafile\nDoSattack"

(Humor me here. I don't know anything about server commands :)) with an embedded \n character - any command executed would then be run as two commands. With C, only the first command would be executed.
Your program doesn't actually execute the 'command', but buffer-underrun is still possible (your buffer is only 40 bytes, and the input string can have any length.) I suggest using fgets(3) and strtok(3).
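Added example, not part of any post in this thread: one way to apply the fgets(3) suggestion above to the exercise's read loop, so that an over-long line or a malformed time can neither overrun the 40-byte buffer nor leave unread input that stalls the loop. The names read_request, LINE_LEN and the REQ_* codes are assumptions made for illustration, and strtol(3) is used here in place of strtok(3) to split off the time field.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CMD_MAX 40   /* same command buffer size as the exercise */
#define LINE_LEN 64  /* assumed upper bound for one request line */
enum { REQ_OK, REQ_EOF, REQ_TOO_LONG, REQ_BAD_TIME, REQ_NO_COMMAND };

/* Read one "<time> <command>" line. Every call consumes a whole line, so
   malformed input cannot stall the loop, and command[] is never overrun. */
int read_request(FILE *in, int *time_of_day, char command[CMD_MAX])
{
    char line[LINE_LEN];
    if (!fgets(line, sizeof line, in))
        return REQ_EOF;
    char *nl = strchr(line, '\n');
    if (nl) {
        *nl = '\0';
    } else if (strlen(line) == sizeof line - 1) {
        /* line did not fit in the buffer: drain the rest and reject it */
        for (int c; (c = getc(in)) != EOF && c != '\n'; ) {}
        return REQ_TOO_LONG;
    }
    char *end;
    errno = 0;
    long t = strtol(line, &end, 10);    /* end = where the number stopped */
    if (end == line || errno == ERANGE || t < 0 || t > INT_MAX ||
        (*end != ' ' && *end != '\t'))
        return REQ_BAD_TIME;            /* e.g. "12:00 fire" or "fire" */
    end += strspn(end, " \t");
    if (*end == '\0')
        return REQ_NO_COMMAND;
    if (strlen(end) >= CMD_MAX)
        return REQ_TOO_LONG;
    strcpy(command, end);               /* length checked just above */
    *time_of_day = (int)t;
    return REQ_OK;
}

int main(void)
{
    int t, rc;
    char cmd[CMD_MAX];
    while ((rc = read_request(stdin, &t, cmd)) != REQ_EOF) {
        if (rc == REQ_OK) printf("Command %s at time %d\n", cmd, t);
        else fprintf(stderr, "rejected request (code %d)\n", rc);
    }
    return 0;
}
```

Fed the exercise's four sample lines, this accepts the first three and rejects "12:00 fire" with REQ_BAD_TIME, then continues with the next line.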
Quote:
    I guess still popped up on new posts lists even after deleted

Just adding context in case people think you resurrected it :D