Project 19x: Source Code Analysis with cppcheck (10 pts.)

What You Need

Purpose

To practice using cppcheck, a free open-source code auditor.

Installing cppcheck

In your Kali machine, in a Terminal window, execute these commands:

apt-get update
apt-get install cppcheck -y

Simple Buffer Overflow

We used this in an earlier project. If you don't still have it in your Kali machine, in a Terminal window, execute this command:

nano pwd.c
Enter this code:

#include <stdio.h>

int test_pw()
{
        char pin[10];
        int x=15, i;
        printf("Enter password: ");
        gets(pin);              /* no length limit: input longer than 10 bytes overflows pin */
        for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];   /* mix the pin bytes into x */
        if (x == 48) return 0;  /* 48 is ASCII '0' */
        else return 1;
}

void main()
{
        if (test_pw()) printf("Fail!\n");
        else printf("You win!\n");
}
Your screen should look like this, without the explanatory boxes and arrows.

This program has a simple buffer overflow because it uses gets().

Save the file with Ctrl+X, Y, Enter.

Using cppcheck

In your Kali machine, in a Terminal window, execute this command:

cppcheck pwd.c
Cppcheck finds nothing wrong, as shown below.

An unimpressive performance.

It can do better, if we enable all tests.

In your Kali machine, in a Terminal window, execute this command:

cppcheck pwd.c --enable=all
Now cppcheck gives us a generic warning about using gets(), as shown below.

The gcc compiler gave us this same warning when we compiled that program.
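The warning cppcheck and gcc both give is about gets() having no way to know how big pin is. The program below is an added example, not the project's pwd.c: it keeps the same pin-mixing check, but replaces gets() with a bounded fgets() read and drains any over-long line so its tail cannot leak into the next read. The names PIN_LEN, check_pin, read_pin and demo_bounded_read, and the temp-file input used by the self-check, are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define PIN_LEN 10   /* same buffer size as pwd.c's char pin[10] */

/* Same mixing loop and win condition as pwd.c, on a caller-supplied buffer
 * of at least PIN_LEN bytes so it can be tested without console input.
 * Returns 0 for "You win!", 1 for "Fail!". */
int check_pin(const char *pin)
{
    int x = 15, i;
    for (i = 0; i < PIN_LEN; i += 2)
        x = (x & pin[i]) | pin[i + 1];
    return (x == 48) ? 0 : 1;
}

/* Bounded replacement for gets(pin): reads at most PIN_LEN-1 characters,
 * always leaves pin NUL-terminated and zero-padded, and discards the rest of
 * an over-long line. Returns 0 on success, -1 on EOF or read error. */
int read_pin(FILE *fp, char *pin)
{
    memset(pin, 0, PIN_LEN);                 /* no uninitialized bytes for the loop to read */
    if (fgets(pin, PIN_LEN, fp) == NULL)
        return -1;
    if (strchr(pin, '\n') == NULL) {         /* line longer than the buffer: drain it */
        int c;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            ;
    }
    pin[strcspn(pin, "\n")] = '\0';          /* strip the newline fgets keeps */
    return 0;
}

/* Self-check on constructed input: a 30-character line must neither overflow
 * pin nor corrupt the following line. Returns 1 if both reads behave, else 0. */
int demo_bounded_read(void)
{
    char pin[PIN_LEN];
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    fputs("000000000000000000000000000000\n", fp);   /* 30 x '0', three times the buffer */
    fputs("1234\n", fp);
    rewind(fp);
    int ok = read_pin(fp, pin) == 0 && strcmp(pin, "000000000") == 0 && check_pin(pin) == 0;
    ok = ok && read_pin(fp, pin) == 0 && strcmp(pin, "1234") == 0 && check_pin(pin) == 1;
    fclose(fp);
    return ok;
}

int main(void)
{
    char pin[PIN_LEN];
    printf("Enter password: ");
    if (read_pin(stdin, pin) != 0)
        return 1;
    if (check_pin(pin)) printf("Fail!\n");
    else printf("You win!\n");
    return 0;
}
```

Running cppcheck --enable=all over this version gives no gets() warning, because the only read is through fgets() with an explicit size; the mixing loop is unchanged, so a pin of ten '0' characters still wins.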

Format String Vulnerability

In Kali, in a Terminal window, execute this command:

nano fs.c
Enter the program shown below.

#include <stdio.h>
#include <string.h>
int main(int argc, char **argv){
        char buf[1024];
        strcpy(buf, argv[1]);   /* unbounded copy: argv[1] longer than 1024 bytes overflows buf */
        printf(buf);            /* user input used as the format string */
        printf("\n");
}

Save the file with Ctrl+X, Y, Enter.

Using cppcheck

In your Kali machine, in a Terminal window, execute this command:

cppcheck fs.c --enable=all
Cppcheck finds the buffer overflow in line 5, but doesn't detect the format string vulnerability at all, as shown below.
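The format string bug cppcheck misses is on line 6: printf(buf) lets the program's input decide what the format directives are. The program below is an added example, not the project's fs.c: it fixes both the line-5 overflow (refusing an argument that does not fit rather than copying it) and the format string problem (passing the text as an argument to "%s"). The names BUF_SIZE, copy_arg, render_line and demo_hardened are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* same size as fs.c's char buf[1024] */

/* Bounded replacement for strcpy(buf, argv[1]): copies arg into buf
 * (buf_size bytes) only if it fits, terminator included.
 * Returns 0 on success, -1 for a missing or over-long argument. */
int copy_arg(const char *arg, char *buf, size_t buf_size)
{
    if (arg == NULL)
        return -1;                      /* fs.c reads argv[1] even when argc == 1 */
    size_t n = strlen(arg);
    if (n >= buf_size)
        return -1;                      /* the line-5 overflow: refuse instead of spilling */
    memcpy(buf, arg, n + 1);
    return 0;
}

/* Renders buf into out the way the fixed program prints it: the user text is
 * an argument to "%s", so '%' sequences inside it are output literally, never
 * interpreted. Returns the number of characters written, or -1 if out is too small. */
int render_line(const char *buf, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s\n", buf);   /* replaces printf(buf); printf("\n"); */
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Self-check on constructed input. Returns 1 if an argument containing
 * format directives is printed verbatim and over-long or missing arguments
 * are refused, 0 otherwise. */
int demo_hardened(void)
{
    char buf[8], out[16];
    if (copy_arg("%x%x", buf, sizeof buf) != 0) return 0;
    if (render_line(buf, out, sizeof out) != 5) return 0;      /* "%x%x\n" is 5 characters */
    if (strcmp(out, "%x%x\n") != 0) return 0;                  /* directives not expanded */
    if (copy_arg("12345678", buf, sizeof buf) != -1) return 0; /* 8 chars + NUL do not fit in 8 */
    if (copy_arg(NULL, buf, sizeof buf) != -1) return 0;       /* no argument given */
    return 1;
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    char line[BUF_SIZE + 2];
    if (copy_arg(argc > 1 ? argv[1] : NULL, buf, sizeof buf) != 0) {
        fprintf(stderr, "usage: %s <text shorter than %d bytes>\n", argv[0], BUF_SIZE);
        return 1;
    }
    if (render_line(buf, line, sizeof line) < 0)
        return 1;
    fputs(line, stdout);
    return 0;
}
```

A useful habit when a static analyzer stays quiet: compile with gcc -Wall -Wformat-security, which does warn on printf(buf) with a non-literal format string, so the two tools cover each other's gaps.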

Heap Overflow

In Kali, in a Terminal window, execute this command:

curl https://samsclass.info/127/proj/heap0.c > heap0.c

nano heap0.c
Scroll down to see the vulnerable code, as shown below.

strcpy is used to copy the command-line argument into the "d" structure without checking whether the argument fits in it.

Close the file with Ctrl+X.

Using cppcheck

In your Kali machine, in a Terminal window, execute this command:

cppcheck heap0.c --enable=all
Cppcheck finds several problems: memory is allocated for "d" and "f" but never freed, which cppcheck reports as a "memory leak" (RAM is wasted because it is never returned to the system).

Also, the "d" pointer might allow a read of uninitialized memory.

Bizarrely, in an earlier version, it failed to find the same buffer overflow vulnerability it caught in the earlier program, but the version I used in April, 2018 found it, as shown below.
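The three findings above (unbounded strcpy into a heap structure, allocations never freed, and a possible read of uninitialized memory) all come from how the heap object's lifetime is handled. The program below is an added example and is not heap0.c, which this page fetches from samsclass.info and does not reproduce; the struct layout, the NAME_LEN size and the names record_create, record_destroy and demo_record are assumed for illustration. It allocates the record zero-filled, copies only when the argument fits, and frees what it allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64   /* assumed size of the fixed buffer inside the heap structure */

struct record {       /* stand-in for the "d" structure described above */
    char name[NAME_LEN];
};

/* Allocates a zero-filled record (so no leftover heap bytes can be read back)
 * and copies src into it only if it fits, terminator included. Returns NULL
 * on a missing or over-long name or on allocation failure, so the caller
 * never receives a half-initialized object. The caller owns the result. */
struct record *record_create(const char *src)
{
    if (src == NULL || strlen(src) >= NAME_LEN)
        return NULL;                         /* heap0.c would strcpy anyway and overflow */
    struct record *d = calloc(1, sizeof *d); /* calloc, not malloc: addresses "uninitialized memory" */
    if (d == NULL)
        return NULL;
    memcpy(d->name, src, strlen(src) + 1);
    return d;
}

/* The release heap0.c omits; cppcheck reports that omission as "Memory leak: d". */
void record_destroy(struct record *d)
{
    free(d);
}

/* Self-check on constructed input. Returns 1 if a NAME_LEN-character name is
 * refused, a short name is stored intact with a zeroed tail, and every
 * allocation made here is released; 0 otherwise. */
int demo_record(void)
{
    char longname[NAME_LEN + 1];
    memset(longname, 'A', NAME_LEN);
    longname[NAME_LEN] = '\0';               /* exactly NAME_LEN characters: one byte too many */
    struct record *too_long = record_create(longname);
    if (too_long != NULL) {
        record_destroy(too_long);
        return 0;
    }
    struct record *d = record_create("alice");
    if (d == NULL)
        return 0;
    int ok = strcmp(d->name, "alice") == 0 && d->name[NAME_LEN - 1] == '\0';
    record_destroy(d);
    return ok;
}

int main(int argc, char **argv)
{
    struct record *d = record_create(argc > 1 ? argv[1] : NULL);
    if (d == NULL) {
        fprintf(stderr, "usage: %s <name shorter than %d bytes>\n", argv[0], NAME_LEN);
        return 1;
    }
    printf("name: %s\n", d->name);
    record_destroy(d);
    return 0;
}
```

Running cppcheck --enable=all on this file produces no "Memory leak" message because every record_create has a matching record_destroy on each path; to confirm at run time rather than by inspection, build with gcc -fsanitize=address and run it, which reports any leak or out-of-bounds write that static analysis missed.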

Saving the Screen Image

Make sure the "Memory leak: d" and "Memory leak: f" messages are visible, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 19x from YOUR NAME".

Turning In Your Project

Email the image to cnit.127sam@gmail.com with a subject of "Project 19x from YOUR NAME".

Sources

Bug Hunting Using Fuzzing and Static Analysis


Posted 11-16-15 by Sam Bowne
Minor typo fixed 4-17-18