As usual, keep a log in the file lab7.txt of what you do in the lab so that you can reproduce the results later. This should not merely be a transcript of what you typed: it should be more like a true lab notebook, in which you briefly note down what you did and what happened.
For this laboratory, you will find and exploit a simple buffer overrun in a web server.
Consider the following patch to thttpd. This patch applies to thttpd 2.25b.
--- thttpd.c~ 2005-06-29 10:50:59.000000000 -0700
+++ thttpd.c 2005-11-19 22:27:32.000000000 -0800
@@ -1588,6 +1588,7 @@ handle_read( connecttab* c, struct timev
int sz;
ClientData client_data;
httpd_conn* hc = c->hc;
+ char readbuf[1024];
/* Is there room in our buffer to read more bytes? */
if ( hc->read_idx >= hc->read_size )
@@ -1604,7 +1605,7 @@ handle_read( connecttab* c, struct timev
/* Read some more bytes. */
sz = read(
- hc->conn_fd, &(hc->read_buf[hc->read_idx]),
+ hc->conn_fd, readbuf,
hc->read_size - hc->read_idx );
if ( sz == 0 )
{
@@ -1626,6 +1627,7 @@ handle_read( connecttab* c, struct timev
finish_connection( c, tvP );
return;
}
+ memcpy (&(hc->read_buf[hc->read_idx]), readbuf, sz);
hc->read_idx += sz;
c->active_at = tvP->tv_sec;
Suppose you have built and deployed a networked application from standard software components and are now worried that the application might be vulnerable to outside attackers via the Internet.
Assume that each of the following CERT Vulnerability Notes describes a component of your system. Rank the seriousness of each vulnerability, so that the most urgent vulnerability is listed first. (By "urgent" we mean "urgent that you stay up all night if necessary and fix this right away in your deployed system".) Justify your rankings by evaluating the plausibility of attack scenarios.
Submit the following files.
All files should be ASCII text files, with no carriage returns, and with no more than 200 columns per line. The shell command
expand lab7.txt hw7.txt | awk '/\r/ || 200 < length'
should output nothing.