Saturday, December 31, 2016
ANDROID PT - DIVA / 13 - Input Validation Issues 3 - Buffer Overflow
INPUT VALIDATION ISSUES 3 - BUFFER OVERFLOW
- Layout for this exercise:
- Connecting from Santoku to Nexus 5 with ADB:
- Launching the application:
- Clicking the tab for challenge 13:
- The application prompts the user to enter any input that is able to crash the app.
- Entering 1111, the application just answers "Access denied!":
- However, when entering a long string of characters, let's say a string of 30 "1"s, the app crashes and stops:
- To understand what has happened inside the app, it is very convenient to examine the log generated by the command logcat.
- The log shows a fatal signal (SIGSEGV = segmentation fault, or segmentation violation), raised because the operating system considers the memory address 0x31313131 protected. That address is built from the input itself: 0x31 is the ASCII code for the character "1":
- Looking into the Java source code of the challenge, InputValidation3Activity.java:
- The application is using JNI (Java Native Interface), which suggests that the method DivaJni is related to a program written in another language:
- In the source code of the application there is a program, divajni.c, written in C:
- Opening divajni.c, there is a constant (#define CODESIZEMAX 20) defining a maximum value of 20, later used to determine the size of the string code:
- Also, the function strcpy copies the string entered by the user into the variable code:
- The problem is that the function strcpy does not check whether the destination buffer is large enough to hold the source string.
- A consequence of this misuse of strcpy is memory corruption, or buffer overflow, and eventually the crash of the application.
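
The unbounded-copy pattern described above next to a length-checked version, as an added example that is not the DIVA source. Only CODESIZEMAX 20 and the use of strcpy come from the page; the function names, the return codes and the SAMPLE_CODE value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CODESIZEMAX 20        /* the constant the page quotes from divajni.c */
#define SAMPLE_CODE "1234"    /* constructed placeholder, not the app's real code */

/* The pattern the page describes: strcpy into a fixed-size stack buffer.
 * Any input of CODESIZEMAX or more characters is written past the end of code[]. */
int check_code_unsafe(const char *input) {
    char code[CODESIZEMAX];
    strcpy(code, input);      /* no bound on how much is copied */
    return strcmp(code, SAMPLE_CODE) == 0;
}

/* Hardened form (hypothetical): measure the input with a bound, reject it if it
 * does not fit, and only then copy.
 * Returns 1 = match, 0 = no match ("Access denied!"), -1 = rejected input. */
int check_code_safe(const char *input) {
    char code[CODESIZEMAX];
    size_t len = 0;

    if (input == NULL)
        return -1;
    /* Never look at more than CODESIZEMAX bytes of the input. */
    while (len < CODESIZEMAX && input[len] != '\0')
        len++;
    if (len == CODESIZEMAX)   /* no room left for the terminating NUL */
        return -1;
    memcpy(code, input, len + 1);   /* len + 1 <= CODESIZEMAX, NUL included */
    return strcmp(code, SAMPLE_CODE) == 0;
}

int main(void) {
    char long_input[31];
    memset(long_input, '1', 30);    /* the 30 "1"s used on the page */
    long_input[30] = '\0';

    printf("\"1111\"        -> %d\n", check_code_safe("1111"));
    printf("30 x \"1\"      -> %d\n", check_code_safe(long_input));
    printf("19 characters -> %d\n",
           check_code_safe("1111111111" "111111111"));
    printf("20 characters -> %d\n",
           check_code_safe("1111111111" "1111111111"));
    return 0;
}
```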