Cortex wrote:
> Thx for the explanation :)
>
> But, I wonder if the hacker can hack the program without its source code...
> It looks quite hard if he hasn't the source code, because he wouldn't know
> where there is a risk of buffer overflow, does he?
I think that's a fallacy -- that open source code leads to more
exploits. The ability to execute arbitrary code has been proven against
many closed (and open too) source products in the past.

Once they figure out there is an overflow (by sending arbitrarily long
input and seeing the program crash), it's then just a matter of them
figuring out how to construct another program that takes advantage of it.

It's just a matter of understanding C's fundamental weakness (and also a
strength in terms of speed) -- a lack of runtime bounds checking for
arrays and the fact that strings are char arrays.

Don't forget, I don't have to know your function name to know you're
taking a string into it as a parameter, and since I'm passing a bunch of
garbage, I just tack on a few extra bytes, which is the return address
(in memory) of my nasty code. It probably takes some experimentation to
work out where to stick it. Or, they just pass the address for 128 bytes
or so (because that's a valid string), and blam.

I'm doing QA right now. One of the things I do is test for something
like that (field length validation), I don't always bother looking up in
the database schema how long the field is supposed to be, I just paste
in 10 character blocks until it cracks -- or gives me an error message.
I can then work out at what byte/character it blew up. Crackers would
likely follow a similar procedure.

Hope this isn't too off-topic for this list.. :D.

--
----------------------------

Pat 'sluggo' Magnan
Tour of Duty mod
http://www.tourofdutymod.com

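The mechanics Pat describes above (an unchecked string copy, probing in blocks until the frame breaks, then placing an address right after the filler) can be shown in C without crashing anything. The block below is an added example written for this page, not code from the mail or from the Tour of Duty mod; it models the stack frame as a struct with a string buffer followed by a stand-in for the saved return address, so the overwrite is deterministic and checkable. The struct layout, the sentinel value, the 10-byte probe step and the hand-written copy loop are all assumptions of the model, not properties of any real program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame the mail describes: a fixed-size string buffer with the
 * saved return address right after it. A constructed struct, not a real call
 * frame, so the demo cannot crash; the overwrite mechanics are the same. */
#define BUF_LEN 16
struct frame {
    char buf[BUF_LEN];
    uintptr_t saved_ret;
};

/* Sentinel standing in for the legitimate return address. Every byte is
 * non-zero, so any stray byte (even a '\0' terminator) changes it. */
#define LEGIT_RET (~(uintptr_t)0x0BADC0DEu)

/* The C weakness the mail names: copy until NUL with no idea how big the
 * destination is. buf is the first member, so writing through a pointer to
 * the struct starts at buf and runs straight into saved_ret. The cap at
 * sizeof *f only keeps the model inside the struct; a real frame has none. */
static void copy_unchecked(struct frame *f, const char *input)
{
    char *dst = (char *)f;
    size_t i = 0;
    while (input[i] != '\0' && i < sizeof *f) {
        dst[i] = input[i];
        i++;
    }
    if (i < sizeof *f)
        dst[i] = '\0';
}

/* The fix: compare the length against the destination before copying.
 * Returns -1 and leaves the frame untouched if the input does not fit. */
static int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->buf)
        return -1;
    memcpy(f->buf, input, n + 1);
    return 0;
}

/* The QA probe from the mail: paste in 10-character blocks until something
 * breaks, then walk back to the exact byte count that first clobbers
 * saved_ret. Returns 0 if no length up to the frame size corrupts it. */
static size_t find_overflow_length(void)
{
    char input[sizeof(struct frame) + 1];
    for (size_t len = 10; len <= sizeof(struct frame); len += 10) {
        struct frame f = { .saved_ret = LEGIT_RET };
        memset(input, 'A', len);
        input[len] = '\0';
        copy_unchecked(&f, input);
        if (f.saved_ret == LEGIT_RET)
            continue;
        /* corrupted somewhere in (len-10, len]: find the first such length */
        for (size_t n = len - 9; n <= len; n++) {
            struct frame g = { .saved_ret = LEGIT_RET };
            memset(input, 'A', n);
            input[n] = '\0';
            copy_unchecked(&g, input);
            if (g.saved_ret != LEGIT_RET)
                return n;
        }
    }
    return 0;
}

/* The address the attacker wants the function to "return" to (a made-up
 * value). Built from non-zero bytes because a zero byte would end the string
 * copy early, the classic constraint on string-based overflows. */
static uintptr_t fake_code_addr(void)
{
    unsigned char bytes[sizeof(uintptr_t)];
    uintptr_t addr;
    for (size_t i = 0; i < sizeof bytes; i++)
        bytes[i] = (unsigned char)(0x41 + i);   /* "ABCD..." */
    memcpy(&addr, bytes, sizeof addr);
    return addr;
}

/* The exploit step: exactly BUF_LEN bytes of filler, then the address bytes
 * in host byte order so they land on saved_ret. Returns saved_ret afterwards. */
static uintptr_t hijack_saved_ret(void)
{
    char payload[BUF_LEN + sizeof(uintptr_t) + 1];
    uintptr_t addr = fake_code_addr();
    struct frame f = { .saved_ret = LEGIT_RET };
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + BUF_LEN, &addr, sizeof addr);
    payload[BUF_LEN + sizeof addr] = '\0';
    copy_unchecked(&f, payload);
    return f.saved_ret;
}

int main(void)
{
    struct frame f = { .saved_ret = LEGIT_RET };
    printf("first length that clobbers saved_ret: %zu\n", find_overflow_length());
    printf("saved_ret after crafted input: 0x%lx (wanted 0x%lx)\n",
           (unsigned long)hijack_saved_ret(), (unsigned long)fake_code_addr());
    printf("checked copy of 24 bytes: %d, frame intact: %d\n",
           copy_checked(&f, "AAAAAAAAAAAAAAAAAAAAAAAA"), f.saved_ret == LEGIT_RET);
    return 0;
}
```

Note that the probe reports the buffer length itself, not one past it: with 16 characters the copy fits, but the terminating NUL lands on the first byte of the saved return address. That off-by-one is why "how long is the field" is the wrong question and "how many bytes does the copy write" is the right one.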
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders
