Challenge – Vulnerable Code
This challenge appeared on an internal alias dedicated to C++. It was issued by Mike Vine, a developer here at Microsoft who agreed to let us share it with the mighty Visual C++ blog readers:
This challenge came from me thinking about a simple bug which could be turned into a security vulnerability, so I thought I’d give it a go and try to code a plausibly deniable piece of code which looks innocent but is actually dangerous. I managed to actually go further than that, and produced something that, whilst unlikely, could possibly have come from non-malicious but sloppy coding.
So your challenge is – if you choose to accept it – to analyze the sample code file “main.c” (attached) and try to find the (fairly obvious) security faux pas and the ‘accidental’ bug which causes the security faux pas to be exploitable.
Try to analyze it first before running it, like you would in a Code Review, to try to spot the issue. As it is code which could’ve come from a sloppy programmer, everything is pretty much what it seems – there are no misnamed functions or anything lame like that.
The security vulnerability comes from the file it tries to load, which we assume is attacker-controlled (e.g. on a CD for a console, or downloaded from the internet for a browser).
I’d assume experienced developers and security folk should be able to get this pretty quickly. In that case, try to analyze how it’s possible to really exploit the issue – the attached “Background.dat” is an example exploit (it’s benign enough to try out, but save your work first!). See if you can come up with that exploit yourself, or alternatively come up with something more fun / smaller / etc. I’m really interested in what’s possible here!
To run the code, create a new win32 console app and add the code, and make sure you run it with ‘Background.dat’ next to the exe [or in the working directory if running under the VS debugger].
Does your commit process let this code through? Do your coding standards ban the dangerous parts of this code? Would this code pass your team’s code review? Does your automated CR tool pick up anything fishy here?
Send me an email if you’ve got the answer and/or an interesting exploit and I’ll reply back in a few days with the best of the responses.
Thanks, and good luck,
Our readers are some of the best developers out there, so when you find an answer, email it to Mike before the end of the week. Look for an update in the next few weeks.