Since this is larger than the maximum UDP packet size, we seem to be out of luck. Fortunately for us, the preceding loop does no parsing of each environment string, so there is no reason for a malicious user to use properly formatted (key=value) strings. It is left to the reader to verify that placing approximately 16919 space characters between the keyword environ and the trailing carriage return should result in an overwrite of the saved return address. Since an input line of that size easily fits in a UDP packet, all we need to do now is consider where to place our shellcode. The answer is to make it the last environment string, and the nice thing about this vulnerability is that we don't even need to determine what value to overwrite the saved return address with, as the preceding code handles it for us. Understanding that point is also left to the reader as an exercise.
Binary Analysis
Source code analysis will not always be possible. This is particularly true when evaluating closed source, proprietary applications.