So I have a person that I allowed to test out my Socket program and they got it to segfault with the message:

*** stack smashing detected ***: ./myProgram terminated

Which, as I understand it, is a gcc compiler feature that detects when the stack gets unstable and kills the program. The problem is not the stack smashing, but the way that it happened. Apparently my program is vulnerable to remote code execution. He was connected via telnet.

I believe he used telnet to cause my socket program to segfault. What I don't know is how he did it and how to prevent it. My socket program is handling the buffering with a 1024 byte long char[]. And even when I tried with a 5 byte buffer, the message gets split up when it's over 5 bytes.

So in summation I'm wondering if anyone knows how to "inject code" via telnet or some other method when the socket being connected to is custom written. And also how to prevent it from happening.

Edit:

Here's my source code: https://github.com/theMonster/ModularServer

Oxcug
  • Is it C, C++, or (as you seem to say) *both*? – Jongware Oct 25 '14 at 22:48
  • This question isn't really answerable in its current form: you could easily write a book answering it (and several people have). You'll need to ask a more specific question here, or else take the general question to another place. *Possibly* security.stackexchange.com would be a good place, but I'm not sure. – Daniel Pryden Oct 25 '14 at 22:49
  • @DanielPryden I think you're right. The problem is I don't even know how he did it, or what method he used. I'll move this over to the security stack exchange. – Oxcug Oct 25 '14 at 22:52
  • 1
    @theMonster: It's really not a question that can be answered without code. We need the plans (the source code) to be able to figure out how he destroyed your Death Star (your program). Just be glad that many Bothans (your stack) died to bring you the information that your program was compromised! The worst case scenario is where someone has injected remote code but you have no way of knowing about it (e.g. a rootkit). As it stands, your question is basically just "tell me all the possible ways to hack any program using telnet", which is far too broad to be answered here. – Daniel Pryden Oct 25 '14 at 22:56
  • @DanielPryden Sorry, I actually have the code on github. Generally I hate when people just copy/paste their project src. So I'll just post a link to github. – Oxcug Oct 25 '14 at 23:08

2 Answers

The simple answer is that your program has a bug.

You cannot "inject code" into a correctly written program.

Fix the bug, and attacks will go away. Typically the bug is of the form that your program behaves correctly for only some kinds of input but not for others, presumably because you either don't check all possible return paths from functions or don't check conditions on data sizes and array lengths and things like that.

There are static and dynamic analysis tools that may be able to point you to a specific problem (such as Valgrind, ASan and UBSan), but mostly you need to approach programming with the right attitude, be methodical and pay sufficient attention to detail.

Kerrek SB

In Chatroom::recievedCommand you several times allocate buffers on the stack as char tmp[1024]; and then write text into them using sprintf, with no guarantee that the data written will be less than 1024 bytes.

This is pretty much the canonical example of a buffer overrun. OWASP has a whole page explaining the dangers here, and there are also lots of existing questions about this sort of thing on Stack Overflow. A quick search turned up understanding the dangers of sprintf(…) which is probably useful as well.

Daniel Pryden
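As an added example (not code from the ModularServer repository or from either answer), here is the sprintf-into-char tmp[1024] pattern the answer above describes, next to a hardened form, plus a bounded line accumulator that shows why the size of the recv() buffer (1024 bytes, or the 5 bytes the asker tried) does not limit how long a line a telnet client can deliver. The format string, the 1024 and 256 byte sizes and the announce/linebuf names are assumptions chosen for illustration; the long run of 'A' bytes is constructed input standing in for whatever the tester typed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes are assumptions for this example, not taken from the project. */
#define TMP_SIZE 1024 /* the char tmp[1024] pattern from the answer        */
#define MAX_LINE 256  /* longest command line the server is willing to take */

/* The vulnerable pattern: sprintf into a fixed stack buffer with nothing
 * bounding the formatted length.  The fixed text is 33 bytes, so a `who`
 * longer than 990 bytes writes past tmp; with gcc's stack protector that
 * ends in "*** stack smashing detected ***".  Shown for contrast only;
 * nothing else in this file calls it. */
void announce_unsafe(const char *who, char *out, size_t out_len)
{
    char tmp[TMP_SIZE];
    sprintf(tmp, "*** %s has joined the chatroom ***\n", who);
    strncpy(out, tmp, out_len);
}

/* Hardened form: snprintf never writes more than out_len bytes, and its
 * return value is the length the whole message needed, so truncation is
 * detected and refused instead of silently sent.  Returns the message
 * length on success, -1 on an encoding error, -2 if it would not fit. */
int announce_safe(const char *who, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "*** %s has joined the chatroom ***\n", who);
    if (needed < 0)
        return -1;
    if ((size_t)needed >= out_len)
        return -2;
    return needed;
}

/* Helper for exercising announce_safe with a nick of nick_len 'A' bytes. */
int announce_result_for_len(size_t nick_len)
{
    char out[TMP_SIZE];
    char *nick = malloc(nick_len + 1);
    memset(nick, 'A', nick_len);
    nick[nick_len] = '\0';
    int rc = announce_safe(nick, out, sizeof out);
    free(nick);
    return rc;
}

/* Accumulates recv() chunks into one command line.  A client can keep
 * sending bytes until it chooses to send a newline, so the recv() buffer
 * size bounds nothing; the limit has to be enforced on the accumulated
 * line, before it ever reaches a sprintf. */
struct linebuf {
    char   data[MAX_LINE];
    size_t used;
};

void linebuf_init(struct linebuf *lb) { memset(lb, 0, sizeof *lb); }

/* Feed one chunk.  Returns 1 when a complete line is in lb->data
 * (NUL-terminated, CR/LF stripped), 0 if more input is needed, and -1
 * if the line grew past MAX_LINE-1 bytes: the caller should drop the
 * client rather than try to process it. */
int linebuf_feed(struct linebuf *lb, const char *chunk, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char c = chunk[i];
        if (c == '\r')          /* telnet sends CR LF line endings */
            continue;
        if (c == '\n') {
            lb->data[lb->used] = '\0';
            return 1;
        }
        if (lb->used >= MAX_LINE - 1)
            return -1;
        lb->data[lb->used++] = c;
    }
    return 0;
}

/* Simulates a telnet client sending `total` 'A' bytes and a newline,
 * delivered to the server in recv() chunks of `chunk` bytes (constructed
 * input).  Returns the final linebuf_feed() result. */
int simulate_client(size_t total, size_t chunk, struct linebuf *lb)
{
    char *payload = malloc(total + 1);
    memset(payload, 'A', total);
    payload[total] = '\n';
    linebuf_init(lb);
    int rc = 0;
    for (size_t off = 0; off < total + 1 && rc == 0; off += chunk) {
        size_t n = total + 1 - off < chunk ? total + 1 - off : chunk;
        rc = linebuf_feed(lb, payload + off, n);
    }
    free(payload);
    return rc;
}

int main(void)
{
    struct linebuf lb;
    char out[TMP_SIZE];
    if (simulate_client(10, 5, &lb) == 1 && announce_safe(lb.data, out, sizeof out) > 0)
        fputs(out, stdout);
    if (simulate_client(2000, 5, &lb) == -1)
        puts("overlong line rejected before any formatting; drop the client");
    printf("announce_safe with a 1499-byte nick -> %d\n", announce_result_for_len(1499));
    return 0;
}
```

The 2000-byte "nick" is rejected by the line accumulator even though it arrives in 5-byte pieces, and if some other path hands announce_safe an oversized string anyway it returns -2 instead of writing past the buffer. The same snprintf return-value check replaces each sprintf in recievedCommand; the rule is that every write into a fixed-size buffer is bounded by the buffer's size, and any input that would not fit is rejected rather than truncated or, as here, allowed to overrun the stack.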