Saturday, December 31, 2016

ANDROID PT - DIVA / 13 - Input Validation Issues 3 - Buffer Overflow


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Clicking the tab for challenge 13:

- The application prompts the user to enter any input that can crash the app.

- Entering 1111, the application just answers "Access denied!":

- However, entering a long string of characters, let's say a string of 30 "1"s, the app crashes and stops:

- To understand what has happened inside the app, it is very convenient to examine the log generated by the command logcat.

- We see a fatal signal (SIGSEGV = segmentation fault, or segmentation violation), because the operating system considers the memory address 0x31313131 protected (0x31 is the ASCII code for the character "1"):

- Looking into the Java source code of the challenge:

- The application uses JNI (Java Native Interface), which suggests that the method DivaJni is related to code written in another language:

- Going to the application's source code, there is a program divajni.c written in C:

- Opening divajni.c, there is a constant (#define CODESIZEMAX 20) defining a maximum of 20, later used as the size of the string code:

- Also, the function strcpy copies the string entered by the user into the variable code:

- The problem is that the function strcpy does not check whether the destination buffer is large enough to hold the source string.

- A consequence of this misuse of strcpy is a buffer overflow that corrupts memory and eventually crashes the application.
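- The pattern above, as an added example that is not the project's divajni.c: the unbounded strcpy copy reconstructed beside a bounded replacement that rejects input which does not fit in the CODESIZEMAX buffer. EXPECTED_CODE is an assumed placeholder, not the real code from the challenge, and the 30-character input is constructed to mirror the post.

```c
#include <stdio.h>
#include <string.h>

#define CODESIZEMAX 20                    /* same limit the challenge defines */
#define EXPECTED_CODE "placeholder-code"  /* assumed stand-in; the real value lives in divajni.c */

/* Vulnerable pattern (reconstructed, not the project's code): strcpy copies
 * the whole input into a 20-byte stack buffer with no length check. A 30-byte
 * string of '1's runs past the buffer and overwrites whatever follows on the
 * stack, which is how 0x31313131 ends up as the faulting address in logcat.
 * Kept here only for comparison; it is never called. */
static int check_code_unsafe(const char *input) {
    char code[CODESIZEMAX];
    strcpy(code, input);                  /* overflow when strlen(input) >= 20 */
    return strcmp(code, EXPECTED_CODE) == 0;
}

/* Hardened form: verify the input fits (including the terminating NUL) before
 * any byte is copied, then copy an explicit number of bytes. Returns 1 on a
 * matching code, 0 on a mismatch, -1 when the input is too long to be valid. */
static int check_code_safe(const char *input) {
    char code[CODESIZEMAX];
    /* memchr bounds the scan: no terminator within CODESIZEMAX bytes means the
     * string cannot fit, so reject it instead of truncating or overflowing. */
    const char *nul = memchr(input, '\0', CODESIZEMAX);
    if (nul == NULL)
        return -1;
    memcpy(code, input, (size_t)(nul - input) + 1);   /* copies the NUL too */
    return strcmp(code, EXPECTED_CODE) == 0 ? 1 : 0;
}

int main(void) {
    char long_input[31];
    memset(long_input, '1', 30);          /* constructed: the 30 "1"s from the post */
    long_input[30] = '\0';
    printf("1111 -> %d\n", check_code_safe("1111"));            /* 0: denied */
    printf("30 x '1' -> %d\n", check_code_safe(long_input));    /* -1: rejected, no crash */
    printf("expected -> %d\n", check_code_safe(EXPECTED_CODE)); /* 1 */
    (void)check_code_unsafe;              /* referenced only to avoid an unused-function warning */
    return 0;
}
```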