Final Exam. May 8, 2001. Question 2 -- Answers and Grading

9 points total

Answer

We discussed this in class, and it is mentioned on page 632 of the book, in describing Robert Morris's attack on foreign systems by exploiting a hole in the Unix finger daemon: ``The point vulnerable to malicious entry involved reading input without checking bounds for overflow. Morris' program queried finger with a 536-byte string crafted to exceed the buffer allocated for input and to overwrite the stack frame. Instead of returning to the main routine it was in before Morris' call, the finger daemon was routed to a procedure within the invading 536-byte string now residing on the stack.'' Etc.

This program has the same vulnerability -- it reads characters from the file descriptor until it hits EOF, but it only allocates 100 bytes to read them into. This means that if the other end of the connection sends more than 100 bytes, the extra bytes start overwriting the stack.

A malicious user may take advantage of this in the same way as Robert Morris did -- if he knows the architecture of the machine running the program, he can overwrite the stack so that when get_text() returns, control goes to code on the stack (since the return PC stored on the stack can be changed), and not back to the main() routine. This allows the user to do whatever he/she wants, and since the stack has at least 10,000 bytes of space (main() has allocated such a big array on the stack), the malignant code can be pretty complex.

So a good answer to this question is as follows:

If one user is running this program, another user may get access to that user's account by making a connection to the program and sending a string much larger than 100 bytes that overwrites the stack in the manner described above. At this point, the second user has all the access privileges of the first user, and may do anything he/she wants to the first user's account. If the program were running as root, then this technique allows any user to get control of the entire machine, much as Morris did in 1988.
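As an added illustration, not part of the exam or its answer key, here is the fix the answer implies: a bounded replacement for the get_text() routine that stops at the buffer's real size and reports truncation instead of writing past it. The program itself is not on this page, so the function signature, the TEXT_BUF constant and the pipe-based helper that feeds it constructed input are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TEXT_BUF 100   /* the 100-byte buffer the exam program allocates (assumed name) */

/* Bounded replacement for get_text() (signature assumed; the original is not shown).
 * Reads from fd until EOF or until the buffer is full, always leaves room for the
 * terminating NUL, and reports whether input had to be truncated. `cap` is the true
 * size of `buf` as declared by the caller, so the loop can never run past it. */
static long get_text_bounded(int fd, char *buf, size_t cap, int *truncated)
{
    size_t n = 0;
    char c;

    if (cap == 0)
        return -1;                       /* no room even for the NUL terminator */
    *truncated = 0;
    while (n + 1 < cap && read(fd, &c, 1) == 1)
        buf[n++] = c;                    /* n + 1 < cap keeps buf[n] in bounds */
    buf[n] = '\0';

    /* Buffer filled before EOF: drain the rest and flag it so the caller can
     * reject or log the oversized message instead of silently using a prefix. */
    if (n + 1 == cap)
        while (read(fd, &c, 1) == 1)
            *truncated = 1;
    return (long)n;
}

/* Helper (constructed for this example): pushes an in-memory message through a
 * pipe so the reader sees a real file descriptor and a real EOF, as on a socket. */
static long read_from_memory(const char *msg, size_t len, char *out, size_t cap, int *truncated)
{
    int fds[2];
    long n;

    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], msg, len) != (ssize_t)len) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);                       /* writer closed: reader will hit EOF */
    n = get_text_bounded(fds[0], out, cap, truncated);
    close(fds[0]);
    return n;
}
```

Running get_text_bounded() over a constructed 536-byte string of 'A's (the length quoted for Morris's finger query) stores 99 bytes plus the NUL and sets the truncated flag, rather than overwriting the stack frame.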

Grading