Leaderboard

H6pyf-yitav-ayqt8

Are you tired of yet more externally exploitable buffer overflows in C programs? Do you want to audit your source for common mistakes? If so, PScan is for you! What PScan does: Scans C source files for problematic uses of printf style functions. e.g.: sprintf(buffer, variable); Bad! Possible security breach! sprintf(buffer, "%s", variable); Ok All of these security problems can also occur with any printf-style function. It is simple to fall into the trap of misusing printf and friends, thus, the need for PScan. What PScan does not do: - Scan for traditional buffer over-flows. - You should use a bounds-checking compiler for that. - Scan for any other mis-use of function parameters. The functionality given by PScan is limited. Yet it may be useful. I'm not going to claim it's the be-all and end-all of security scanners, but it does one thing, and it does it simply, and reasonably well. Newer versions of GCC do a better job of scanning source files for problems, but they require the code to be compiled. Pscan is a lot faster, but not as good. As always, there are trade-offs in life. Analyzing and correcting the security breaches is up to the programmer. Let's run PScan over an old version of wu-ftpd. The text below is a sample of the output from PScan: [aland@www pscan]$ ./pscan -p wu-ftpd.pscan ../wu-ftpd-2.6.1/src/*.c ../wu-ftpd-2.6.1/src/ftpd.c:2575 FUNC reply ../wu-ftpd-2.6.1/src/ftpd.c:6277 FUNC syslog ../wu-ftpd-2.6.1/src/ftpd.c:6292 FUNC syslog ../wu-ftpd-2.6.1/src/ftpd.c:6438 FUNC reply [aland@www pscan]$ From the area around line 6277 of ftpd.c, with the problem line emphasized, the code is 6271: if (debug) { 6273: char *s = calloc(128 + strlen(remoteident), sizeof(char)); 6274: if (s) { 6275: int i = ntohs(pasv_addr.sin_port); 6276: sprintf(s, "PASV port %i assigned to %s", i, remoteident); 6277: syslog(LOG_DEBUG, s); 6278: free(s); 6279: } 6280: } So we can see that if the variable debug is set, and the variable remoteident can be set externally (say by an anonymous FTP user), then there may be an exploitable hole in the call to syslog. If we root around the source a little more, we discover in ftpd.c: 6037: else if (authenticated) 6038: sprintf(remoteident, "%s @ %s [%s]", 6039: authuser, remotehost, remoteaddr); 6040: else 6041: sprintf(remoteident, "%s [%s]", remotehost, remoteaddr); The remotehost variable holds the host name of the remote host which is currently connected. A malicious user may set the DNS hostname to a string which contains carefully constructed formatting codes recognized by the sprintf and syslog functions. This problem may allow him to cause the ftp daemon to core dump, or even for him to gain access to a root shell. The solution is to correct line 6277 in the source. The suggested replacement line is below, with the changes emphasized 6277: syslog(LOG_DEBUG, "%s", s); Trusting user input is a bad thing for any program to do. Download: http://deployingradius.com/pscan/pscan.tar.gz Source: PScan: A limited problem scanner for C source files

The good old delphi... Link proiect: http://rapidshare.com/share/A6C3EA1ED588D085902E300DF8AA1ADA unit fVectorUnit; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls, ComCtrls, Menus; type TfVector = class(TForm) mm: TMainMenu; Fiseire1: TMenuItem; Deschidere1: TMenuItem; ParasireAplicatie1: TMenuItem; Vizualizare1: TMenuItem; Calcul1: TMenuItem; Calculeaza1: TMenuItem; Vizualizarevector1: TMenuItem; reVector: TRichEdit; OD: TOpenDialog; procedure Deschidere1Click(Sender: TObject); procedure ParasireAplicatie1Click(Sender: TObject); procedure Vizualizarevector1Click(Sender: TObject); procedure Calculeaza1Click(Sender: TObject); private { Private declarations } public Vector: array of real; { Public declarations } end; var fVector: TfVector; implementation uses fMinMaxUnit; {$R *.dfm} procedure TfVector.Deschidere1Click(Sender: TObject); var List: TStringList; I: Integer; begin OD.InitialDir := ExtractFilePath(Application.ExeName); if OD.Execute then begin List := TStringList.Create; try List.LoadFromFile(OD.FileName); SetLength(Vector, List.Count); for I := 0 to High(Vector) do begin try Vector[I] := StrToFloat(List.Strings[I]) except MessageDlg('Date invalide!', mtError, [mbOk], 0); Vector := nil; Break; end; end; finally List.Free; end; end; end; procedure TfVector.ParasireAplicatie1Click(Sender: TObject); begin if MessageDlg('Sigur doriti sa parasiti aplicatia?', mtConfirmation, [mbYes, mbNo], 0) = mrYes then Application.Terminate; end; procedure TfVector.Vizualizarevector1Click(Sender: TObject); var I: Integer; begin if Length(Vector) = 0 then begin MessageDlg('Baza de date nu a fost incarcata!', mtInformation, [mbOk], 0); Exit; end; for I := 0 to High(Vector) do reVector.Lines.Add('v[' + IntToStr(I) + ']='+ FloatToStrF(Vector[I], ffFixed, 3, 3)) end; procedure TfVector.Calculeaza1Click(Sender: TObject); begin if Length(Vector) = 0 then begin MessageDlg('Baza de date nu a fost incarcata!', mtInformation, [mbOk], 0); Exit; end; fMinMax.ShowModal; end; end. unit fMinMaxUnit; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls; type TfMinMax = class(TForm) rbMin: TRadioButton; rbMax: TRadioButton; bCalc: TButton; bClose: TButton; procedure bCloseClick(Sender: TObject); procedure bCalcClick(Sender: TObject); private { Private declarations } public { Public declarations } end; var fMinMax: TfMinMax; implementation uses fVectorUnit; {$R *.dfm} function MaxVector: real; var I: Integer; M: real; begin M := fVector.Vector[Low(fVector.Vector)]; for I := 1 to High(fVector.Vector) do if fVector.Vector[I] > M then M := fVector.Vector[I]; Result := M; end; function MinVector: real; var I: Integer; M: real; begin M := fVector.Vector[Low(fVector.Vector)]; for I := 1 to High(fVector.Vector) do if fVector.Vector[I] < M then M := fVector.Vector[I]; Result := M; end; procedure TfMinMax.bCalcClick(Sender: TObject); var MinMax: real; I: Integer; begin if rbMin.Checked then MessageDlg('Elementul minim: ' + FloatToStrF(MinVector, ffFixed, 3, 3), mtInformation, [mbOk], 0) else MessageDlg('Elementul maxim: ' + FloatToStrF(MaxVector, ffFixed, 3, 3), mtInformation, [mbOk], 0) end; procedure TfMinMax.bCloseClick(Sender: TObject); begin Close; end; end.