带有gcc修改的修补程序身份验证程序

Question

My problem is that with the newer versions of gcc the security leak for the following little authentication program cannot be fixed.

The following program should only output "Access garanted" if the right password gets typed, but with a buffer overflow it´s possible to "hack" this program.

Program (raw):

#include <stdlib.h>
#include <string.h>

int check_auth(char *passwd){
    int auth_flag = 0;
    char passwd_buffer[16];
    strcpy(passwd_buffer, passwd);
    if(strcmp(passwd_buffer, "brillig") == 0){
        auth_flag = 1;
    }
    if(strcmp(passwd_buffer, "outgrabe") == 0){
        auth_flag = 1;
    }
    return auth_flag;
}

int main(int argc, char **argv){
    if(argc < 2){
        printf("Usage: %s <password>\n", argv[0]);
        exit(0);
    }
    if(check_auth(argv[1])){
        printf("=_=_=_=_=_=_=_=_=_=\n");
        printf("Access garanted!\n");
        printf("=_=_=_=_=_=_=_=_=_=\n");
    }else{
        printf("=_=_=_=_=_=_=_=_=_=\n");
        printf("Access denied!\n");
        printf("=_=_=_=_=_=_=_=_=_=\n");
    }
}

Output:

[w4r10ck@localhost Hacking_with_C]$ gcc auth_buffer_overflow.c 
[w4r10ck@localhost Hacking_with_C]$ ./a.out "outgrabe"
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=
[w4r10ck@localhost Hacking_with_C]$ ./a.out "brillig"
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=
[w4r10ck@localhost Hacking_with_C]$ ./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=

So I know that this is only possible because of the buffer overflow and the resulting overwrite of the next variable in the stack. And in my case this variable is the "auth_flag" variable and since the value of this variable isn´t equals to 0 the condition for executing the if-statement in the main() function is given. Therefore I tried to manipulate the stack so that the "auth_flag" cannot be overwritten anymore.

Program (tried to fix the issue):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check_auth(char *passwd){
    char passwd_buffer[16];
    int auth_flag = 0;
    strcpy(passwd_buffer, passwd);
    if(strcmp(passwd_buffer, "brillig") == 0){
        auth_flag = 1;
    }
    if(strcmp(passwd_buffer, "outgrabe") == 0){
        auth_flag = 1;
    }
    return auth_flag;
}

int main(int argc, char **argv){
    if(argc < 2){
        printf("Usage: %s <password>\n", argv[0]);
        exit(0);
    }
    if(check_auth(argv[1])){
        printf("=_=_=_=_=_=_=_=_=_=\n");
        printf("Access garanted!\n");
        printf("=_=_=_=_=_=_=_=_=_=\n");
    }else{
        printf("=_=_=_=_=_=_=_=_=_=\n");
        printf("Access denied!\n");
        printf("=_=_=_=_=_=_=_=_=_=\n");
    }
}

After compiling the output was:

[w4r10ck@localhost Hacking_with_C]$ ./a.out "brillig"
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=
[w4r10ck@localhost Hacking_with_C]$ ./a.out "outgrabe"
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=
[w4r10ck@localhost Hacking_with_C]$ ./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaa
=_=_=_=_=_=_=_=_=_=
Access garanted!
=_=_=_=_=_=_=_=_=_=

So obviously the modification didn t work. But I t work. But I ve read that this is because newer gcc versions don`t arrange the variables like in the order given from the program but rather like is wants to. Is there any possibility to modify gcc that is works like older versions?

Answer 1

This line is very unsecure with a passwd string that could have any length.

strcpy(passwd_buffer, passwd);

Why not use this?

strncpy(passwd_buffer, passwd, sizeof(passwd_buffer)-1);
passwd_buffer[sizeof(passwd_buffer)-1]='\0';

( https://en.cppreference.com/w/c/string/byte/strncpy )

---

Aside from this particular problem of overflow, variables are just an abstraction to name the values in an algorithm in order to help the programmers elaborate a reasonning.
A soon as an optimizing compiler is used the variables may not even exist .
It's hard to figure this out because when asking for an unoptimised build in order to use a debugger, we actually ask the compiler to make the variable exist in order to observe them in the debugger.
But the optimised code is very different from the unoptimised one.
Even in unoptimised mode, nothing in the standard of the language specifies how the variables should be laid out.
A compiler could choose a layout different from another one.