
Saturday, December 31, 2016

ANDROID PT - DIVA / 13 - Input Validation Issues 3 - Buffer Overflow


INPUT VALIDATION ISSUES 3 - BUFFER OVERFLOW 


- Layout for this exercise:





- Connecting from Santoku to Nexus 5 with ADB:





- Launching the application: 





- Clicking the tab for challenge 13:




- The application prompts the user to enter any input able to crash the app.

- Entering 1111, the application just answers "Access denied!":




- However, entering a long string of characters, say a string of 30 "1"s, the app crashes and stops:







- To understand what has happened inside the app, it is very convenient to examine the log generated by the command logcat.


- We see a fatal signal (SIGSEGV = segmentation fault, or segmentation violation), because the app tried to access the memory address 0x31313131, which the operating system considers protected (0x31 is the ASCII code for the character "1"):






- Looking into the Java source code of the challenge, InputValidation3Activity.java:





- The application is using JNI (Java Native Interface), which suggests that DivaJni is related to a program written in another language:







- Looking at the source code of the application, there is a program divajni.c written in the C language:




- Opening divajni.c, there is a constant (#define CODESIZEMAX 20) defining a maximum value of 20, later used as the size of the string code:







- Also, the function strcpy copies the string entered by the user into the variable code:




- The problem is that the function strcpy does not check whether the destination buffer is large enough to hold the source string.


- A consequence of this misuse of strcpy is memory corruption (a buffer overflow) and eventually the crash of the application.
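- The following is an added example, not DIVA's own divajni.c: it reuses the CODESIZEMAX constant from the post, shows the length check that the unchecked strcpy lacks, and shows why four overflowing "1" bytes read back as the address 0x31313131 seen in logcat. The 30-character input is constructed to match the one used above.

```c
#include <stdio.h>
#include <string.h>

/* Same constant as in divajni.c: the buffer holds CODESIZEMAX - 1 chars plus the NUL. */
#define CODESIZEMAX 20

/* Constructed input: the 30 "1"s that crashed the app in the post. */
static const char LONG_ONES[] = "111111111111111111111111111111";

/* Returns 1 if strcpy(code, input) into char code[CODESIZEMAX] would write past
 * the end of the buffer (the overflow the post describes), 0 otherwise.
 * The original does `strcpy(code, input)` with no such check. */
int would_overflow(const char *input)
{
    return strlen(input) + 1 > CODESIZEMAX;
}

/* Hardened replacement for the unchecked strcpy: copies only when the input
 * fits, otherwise clears the buffer and refuses. Returns 0 on success, -1 if
 * the input is too long. */
int copy_code_checked(char code[CODESIZEMAX], const char *input)
{
    size_t len = strlen(input);
    if (len >= CODESIZEMAX) {
        code[0] = '\0';
        return -1;
    }
    memcpy(code, input, len + 1); /* len + 1 <= CODESIZEMAX, NUL included */
    return 0;
}

/* Reads four bytes as a 32-bit value, the way the CPU reads a saved pointer
 * that the overflow has overwritten; "1111" reads back as 0x31313131. */
unsigned int as_u32(const char *p)
{
    unsigned int v;
    memcpy(&v, p, sizeof v);
    return v;
}

int main(void)
{
    char code[CODESIZEMAX];
    const char *inputs[] = { "1111", LONG_ONES };
    for (size_t i = 0; i < 2; i++)
        printf("%2zu chars: strcpy would overflow: %s, checked copy: %s\n",
               strlen(inputs[i]), would_overflow(inputs[i]) ? "yes" : "no",
               copy_code_checked(code, inputs[i]) == 0 ? "accepted" : "rejected");
    printf("\"1111\" read as a pointer: 0x%08x\n", as_u32("1111"));
    return 0;
}
```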