App Vulnerabilities + Controls
- Another buffer overflow example: The C program gets_auth.c uses the gets() function to read the user's name from the keyboard. If the entered name starts with 'A' or 'a', or if a flag variable defined in the program isn't zero, the program 'authenticates' the user. Otherwise, the program doesn't authenticate them.
Since the name buffer is only 30 characters long, any response from the user longer than 30 characters will overflow the buffer and overwrite the adjacent flag variable (making it non-zero), thereby authenticating the user even if their name doesn't start with an 'A' or 'a'!
The solution, as we learned on the previous slide, is to use fgets() instead of gets(). The C program fgets_auth.c uses this exact solution, thereby eliminating the buffer overflow bug of gets_auth.c.
The above is a short demonstration of how an attacker who learns of a buffer overflow vulnerability in a program (or any user, by accident) can corrupt the variables of that buggy program (and the OS in general).
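As an added illustration (this is not the slide's gets_auth.c or fgets_auth.c, whose source is not reproduced here), the program below applies the fgets() fix to the same 30-byte name buffer and the same flag check. It assumes the flag is an int initialised to 0, uses fmemopen() (POSIX) to feed constructed sample inputs into the reader so it can be exercised without a keyboard, and adds one thing the slide only implies: a bounded read must also detect when the line did not fit, so an over-long name is rejected instead of silently truncated.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 30   /* same buffer size as the slide's example */

/* Decision logic exactly as the slide describes: the user is "authenticated"
 * if the name starts with 'A'/'a' or the flag variable is non-zero. */
int is_authenticated(const char *name, int flag)
{
    return (name[0] == 'A' || name[0] == 'a') || flag != 0;
}

/* Bounded replacement for gets(): reads one line from `in` into buf[cap] and
 * never writes past the buffer, so a long line cannot reach the flag.
 * Returns 1 if a complete line fit, 0 if the line was longer than the buffer
 * (the excess is drained so it is not misread as the next input), and -1 on
 * EOF with nothing read. */
int read_name_bounded(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';   /* strip the newline gets() would have dropped */
        return 1;
    }
    /* No newline seen: the line did not fit. Drain the rest of it. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 0;
}

/* Runs the whole check on one input string. fmemopen() stands in for stdin.
 * Returns 1 = authenticated, 0 = not authenticated, -1 = input rejected
 * (empty or longer than the buffer). The flag stays 0 in every case. */
int check_user(const char *input)
{
    char name[NAME_LEN];
    int flag = 0;   /* the variable that gets() could have clobbered */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int status = read_name_bounded(in, name, sizeof name);
    fclose(in);
    if (status != 1)
        return -1;   /* over-long name: reject rather than truncate */
    return is_authenticated(name, flag);
}

/* Constructed sample inputs (not from the slide). */
static const char SAMPLE_OK[]     = "Alice\n";
static const char SAMPLE_NO[]     = "bob\n";
static const char SAMPLE_EDGE28[] = "aaaaaaa" "aaaaaaa" "aaaaaaa" "aaaaaaa" "\n"; /* 28 chars: fits */
static const char SAMPLE_EDGE29[] = "aaaaaaa" "aaaaaaa" "aaaaaaa" "aaaaaaa" "a\n"; /* 29 chars: too long */
static const char SAMPLE_LONG[]   = "bbbbbbbbbb" "bbbbbbbbbb" "bbbbbbbbbb" "bbbbbbbbbb" "\n"; /* 40 chars */

int main(void)
{
    char name[NAME_LEN];
    int flag = 0;
    printf("Name: ");
    if (read_name_bounded(stdin, name, sizeof name) != 1) {
        puts("Name missing or too long; rejected.");
        return 1;
    }
    puts(is_authenticated(name, flag) ? "Authenticated" : "Not authenticated");
    return 0;
}
```

Note the size arithmetic: fgets(buf, 30, ...) stores at most 29 characters plus the terminating NUL, and one of those 29 must be the newline, so the longest name this version accepts is 28 characters. The 40-character input that defeats gets_auth.c is simply rejected here, and the flag is never touched.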