Buffer Overrun in Antitrust

Skip this unless you're really, really geeky.

Still with us? OK. In the movie "Antitrust", there's a screenshot of some code that has a possible Denial Of Service vulnerability:

/* are we doing a GET or just a HEAD */
boolean doingGet;
/* beginning of file name */
int index;
if (buf[0] == (byte)'G' &&
    buf[1] == (byte)'E' &&
    buf[2] == (byte)'T' &&
    buf[3] == (byte)' ') {
    doingGet = true;
    index = 4;
} else if (buf[0] == (byte)'H' &&
           buf[1] == (byte)'E' &&
           buf[2] == (byte)'A' &&
           buf[3] == (byte)'D' &&
           buf[4] == (byte)' ') {
    doingGet = false;
    index = 5;
} else {
    /* we don't support this method */
    ps.print("HTTP/1.0 " + HTTP_BAD_METHOD +
               " unsupported method type: ");
    ps.write(buf, 0, 5);

Because I can't resist such things, I paused the movie to read over the code. Now, I'm assuming this is Java instead of C++ because "boolean" wasn't spelled "bool", although I'm not sure why they'd be using Java for performance critical code. Anyway. See the ps.write(buf,0,5); line near the end? Well, "buf" is presumably the string that the client sent to the server. If the client is broken (or malicious) enough to misspell "GET" and "HEAD", then the server politely tries to tell the client what it did wrong by sending "buf"'s value back.

Which brings us to the hack. If "buf" is less than five characters long, then that "ps.write" line will attempt to read past the end of "buf". If the calling function doesn't handle index error exceptions, boom! The service crashes: Denial Of Service. Note that this is still better than the C++ equivalent, which would write the contents of memory immediately following the end of "buf" back to the client.

No, I'm not exactly good at sitting back and watching movies.

Related Posts