
Invoke C program with argv[0] as NULL

The following is from a book on secure C coding:

Vulnerabilities can occur when inadequate space is allocated to copy a program input such as a command-line argument. Although argv[0] contains the program name by convention, an attacker can control the contents of argv[0] to cause a vulnerability in the following program by providing a string with more than 128 bytes. Furthermore, an attacker can invoke this program with argv[0] set to NULL:

#include <string.h>

int main(int argc, char *argv[]) {
   /* ... */
   char prog_name[128];
   /* Unbounded copy: overflows prog_name if argv[0] is longer than 127
      bytes, and dereferences a null pointer if argv[0] is NULL. */
   strcpy(prog_name, argv[0]);
   /* ... */
   return 0;
}

I want to ask: how will the attacker invoke the program with argv[0] set to NULL, if argv[0] is the program name?

By using a function like execlp() to start the program, instead of running the program from a shell. All the exec functions require the caller to provide the argv elements explicitly, and they can easily violate the convention.

execlp("program_name", (char *)NULL);

Note that there are actually some uses for this ability. Not specifically argv[0] == NULL , but the option to make argv[0] different from the program name. There's another convention that login shells are run with - as the first character of argv[0] (because the traditional login process doesn't provide a way to pass parameters to the shell).
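The defensive counterpart to the book's snippet, written as an added example for this page (it is not from the book or from the answer above): a helper that treats argv[0] as untrusted input, handling both the argc == 0 / argv[0] == NULL case and an over-long name, and falling back to a fixed name instead of crashing or overflowing. The function name get_prog_name, the "unknown" fallback and the sample argv arrays in main are my own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PROG_NAME_MAX = 128 };

/* Copy argv[0] into a fixed-size buffer without trusting it.
 * Returns 0 on success. Returns -1 and writes the fallback name "unknown"
 * into out if argv[0] is absent (argc < 1, argv NULL, or argv[0] NULL) or
 * does not fit in outlen bytes including the terminating NUL. */
int get_prog_name(int argc, char *argv[], char out[], size_t outlen)
{
    const char *fallback = "unknown";
    size_t len = 0;

    if (outlen == 0)
        return -1;

    /* A caller using exec*() may pass an empty argv or a NULL argv[0]. */
    if (argc < 1 || argv == NULL || argv[0] == NULL) {
        snprintf(out, outlen, "%s", fallback);
        return -1;
    }

    /* Bounded scan: never read more than outlen bytes of the candidate. */
    while (len < outlen && argv[0][len] != '\0')
        len++;

    if (len >= outlen) {            /* no room for the NUL terminator */
        snprintf(out, outlen, "%s", fallback);
        return -1;
    }

    memcpy(out, argv[0], len + 1);  /* len + 1 includes the NUL */
    return 0;
}

int main(void)
{
    char prog_name[PROG_NAME_MAX];

    /* Constructed argv vectors standing in for what exec*() could deliver. */
    char *normal[]   = { "program_name", NULL };
    char *nullname[] = { NULL };
    char longname[PROG_NAME_MAX + 50];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    char *toolong[]  = { longname, NULL };

    printf("normal : rc=%d name=%s\n",
           get_prog_name(1, normal, prog_name, sizeof prog_name), prog_name);
    printf("NULL   : rc=%d name=%s\n",
           get_prog_name(1, nullname, prog_name, sizeof prog_name), prog_name);
    printf("toolong: rc=%d name=%s\n",
           get_prog_name(1, toolong, prog_name, sizeof prog_name), prog_name);
    return 0;
}
```

The check on argc covers the execlp("program_name", (char *)NULL) case from the answer, where the new process starts with argc == 0 and argv[0] == NULL; the bounded scan covers the over-128-byte case from the book. Logging or displaying prog_name after this call is safe in either case.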
