Web lists-archives.com

Re: Integer overflow in functions from scanf() family in MinGW, Cygwin, Borland/Embarcadero C environments (Windows)




Am 05.03.2017 um 20:48 schrieb Lukas' Home Page:
Good morning,

I find out a strange and bad beaviour in functions from scanf() family when
reading one-byte int variable in MinGW, Cygwin and Borland/Embarcadero C
environments (on Windows, on Linux this doesn't happen). This bug is
corelated with MSVCRT library which isn't written in C99 standard (it's
written in C89 i think).

So, the point is, when you're reading one byte using scanf() function, AND
you are using %hhu format specifier, you have Integer Overflow bug in your
code, because MinGW links to old MSVCRT (C89 version) even if you compile
with -std=c99 parameter.

This works, because scanf() in old MSVCRT library doesn't know "h" format
specifier. BUT! The problem is, that scanf try to interpret format specifier
anyway, omits unsupported "h" specifier and it's loading full integer ("u")
to memory (it should omit not supported part of format - whole "%hhu" format
part, not just only "h"). The C99 specification says on 361 page: "If a
conversion specification is invalid, the behavior is undefined." - but it is
WRONG, because the behaviour SHOULD BE DEFINED AS OMITING THE WHOLE
UNSUPPORTED PART OF FORMAT (not only single specifier, but whole part).
In exploit (below), compiler doesn't even display warnings (event if you
compile program with -std=c99 and -Wextra parameters). I compile on Windows
7 using that command:

gcc main.c -o main.exe -Wextra


Exploit example:
===============================

#include <stdio.h>
#include <stdbool.h>

typedef volatile unsigned char uint8_t;

int main()
{
     bool allowAccess = false; // allowAccess should be always FALSE
     uint8_t userNumber;
     char format[] = "%hhu";
     char buffer[] = "257\n";
     sscanf(buffer, format, &userNumber);
     if (allowAccess)
     {
         printf("Access granted: secret information - Lech Walesa was a Bolek
agent\n");
     }
     printf("Entered number is: %d\n", userNumber);
     return 0;
}
What output do you get (and on which of the mentioned systems),
what output do you expect (and why),
and how is Lech Walesa involved in the issue?
For me, the program produces correct output on cygwin, according to
cygwin's man page of sscanf, and I don't care which library is being used.
Thomas

---
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple