Vulners
Lucene search
Tripbit Secure Code Analizer 1.0 - Local fgets() Buffer Overrun
source: http://www.securityfocus.com/bid/8028/info
A buffer overrun has been discovered in Tripbit Secure Code Analizer when reading data from source files. The problem occurs due to an insecure use of the fgets() function. This vulnerability could be triggered by a malicious source file containing approximately 260 or more bytes of specially formatted data. This would effectively overrun the internal memory buffer, causing adjacent stack memory to be overwritten with attacker-supplied values.
Successful exploitation of this vulnerability would result in attacker-supplied code being executed withthe privileges of the user invoking Secure Code Analizer.
/*
* Secure Code Analizer v1.0
*
* Tripbit Security Development
* Author: posidron
* Website: tripbit.org
*
*
* ABOUT
*
* This tool scans your source code to different dangerous functions,
* like strcpy(), gets(), getenv(), sscanf() etc.
*
*
* OPTIONS
*
* [+] single source file -s [SOURCE_FILE]
*
*
* FEATURES
*
* [+] several source files -m [SOURCE_FILE, SOURCE_FILE ... ]
*
*
* GREETS
*
* #hackerboard, #csec, #tripbit
*
*/
#include <stdio.h>
#define FALSE 0
#define TRUE 1
int getopt(char *, char *);
int single_source(char *);
void help(char *);
void version();
int main(int argc, char *argv[])
{
int counter=3;
char buffer[1024];
if(argc == 1 || getopt(argv[1],"h") == TRUE ) { help(argv[0]); }
else if(getopt(argv[1],"v") == TRUE) { version(); }
else if(argc < 3) { help(argv[0]); }
strcpy(buffer,argv[2]);
printf("%s",buffer);
while(argv[counter]!=NULL)
{
strcat(buffer, " ");
strcat(buffer, argv[counter++]);
}
if(getopt(argv[1],"s") == TRUE)
single_source(buffer);
return 0;
}
int getopt(char *argument,char *option)
{
if( argument[0]=='-' && argument[1]==option[0] )
return TRUE;
return FALSE;
}
int single_source(char *buffer)
{
char puffer[256];
int counter = 1;
FILE *source_file;
source_file = fopen(buffer, "rt");
if(!source_file)
perror("Unable to open file!\n");
else
{
printf("File to open: %s\n\n", buffer);
printf("Please wait...\n\n");
while(fgets(puffer, 1044, source_file) != NULL)
{
if(strstr(puffer, "strcpy") != NULL)
{
printf("Line %d, strcpy() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * strcpy ( char * dest, const char * src );\n\n");
}
else if(strstr(puffer, "scanf") != NULL)
{
printf("Line %d, scanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int scanf ( const char * format, ... );\n\n");
}
else if(strstr(puffer, "gets") != NULL)
{
printf("Line %d, gets() function was found!, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * gets( char * str );\n\n");
}
else if(strstr(puffer, "fscanf") != NULL)
{
printf("Line %d, fscanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int fscanf ( FILE * stream, const char * format, ... );\n\n");
}
else if(strstr(puffer, "fgets") != NULL)
{
printf("Line %d fgets() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * fgets ( char * str, int n, FILE * stream );\n\n");
}
else if(strstr(puffer, "setenv") != NULL)
{
printf("Line %d setenv() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int setenv ( const char * name, const char * value, int overwrite );\n\n");
}
else if(strstr(puffer, "getenv") != NULL)
{
printf("Line %d getenv() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * getenv( const char * name );\n\n");
}
else if(strstr(puffer, "sscanf") != NULL)
{
printf("Line %d sscanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int sscanf ( const char * str, const char * format, ... );\n\n");
}
else if(strstr(puffer, "strcat") != NULL)
{
printf("Line %d strcat() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * strcat ( char * dest, const char * src );\n\n");
}
else if(strstr(puffer, "fprintf") != NULL)
{
printf("Line %d fprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int fprintf ( FILE * stream, const char * format, ... );\n\n");
}
else if(strstr(puffer, "sprintf") != NULL)
{
printf("Line %d sprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int sprintf ( char * str, const char * format, ... );\n\n");
}
else if(strstr(puffer, "snprintf") != NULL)
{
printf("Line %d snprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int snprintf ( char *str, size_t n, const char * format, ... );\n\n");
}
else if(strstr(puffer, "system") != NULL)
{
printf("Line %d system() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int system ( const char * string );\n\n");
}
else if(strstr(puffer, "syslog") != NULL)
{
printf("Line %d syslog() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: void syslog ( int priority, const char * message, ...)\n\n");
}
else if(strstr(puffer, "vsprintf") != NULL)
{
printf("Line %d vsprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int vsprintf ( const char * buf, const char * format, va_list ap);\n\n");
}
else if(strstr(puffer, "vsnprintf") != NULL)
{
printf("Line %d vsnprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int vsnprintf ( char * str, size_t n, const char * format, va_list ap);\n\n");
}
else if(strstr(puffer, "popen") != NULL)
{
printf("Line %d popen() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: FILE* popen ( const char * command, const char * mode );\n\n");
}
counter++;
}
if(counter == 1) printf("Nothing was found!\n");
}
fclose(source_file);
printf("\nThe scan has finished!\n");
return 0;
}
void help(char *file_name)
{
printf("Usage: securecode [OPTION] [SPECIFICATION]\n");
printf("[+] single source file -s [SOURCE_FILE]\n");
exit(0);
}
void version()
{
printf("Secure Code Analizer [Version 1.0a] \n(C) Copyright 2003 Tripbit Security Development\n");
exit(0);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1