
Let's say we have an ELF a and a text file a.txt in the same directory. The ELF a is a program that is remotely accessible/executable. In addition, a contains the instruction fgets(buf,len,stdin); and a remote attacker manages to get full control over the stdin object. Is the attacker able to reliably generate a file stream object pointing to a.txt? It should be the equivalent of the object generated by fopen("a.txt","r");. If yes, how would he do that?

1 Answer


If by "full control over the stdin object" you mean provide stdin input to a, then this depends on the size and location of buf, the memory layout of a, and what len is. In this case, the way you pose your question does not provide enough information to answer this.

If you mean corrupting the pointers in the struct FILE, then yes, usually it is possible. Unless the file descriptor of a.txt is already present in the target process, it's unfortunately not as easy as overwriting the file descriptor and clearing the buffers in the struct FILE. It is however usually possible to gain arbitrary code execution by overwriting the stream buffer pointers and writing to stdin, which gives you a write-what-where primitive. The precise overwrite targets again depend on the target executable.

For a detailed discussion of a similar exploit technique, see the "Play with FILE structure" HITBGSEC 18 talk (video/slides/whitepaper).

plonk
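The answer's first point is that what stdin input can do to the program depends on the size of buf and the len passed to fgets(). The following is an added example, not code from the question or the answer: a bounded line reader in which len is always derived from the buffer itself and a line that does not fit is detected and drained explicitly, so the leftover bytes cannot silently become the "next line". It reads from a temporary file (tmpfile(), used here as a stand-in for stdin so the code runs on its own) filled with constructed sample input; the 16-byte buffer, the sample text and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): a bounded line reader built
 * on fgets(). The length argument is always the capacity of the buffer that
 * receives the data, and an over-long line is handled explicitly instead of
 * leaking its tail into the following read. */

enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Read one line from `in` into `buf` (capacity `cap` bytes) and strip the
 * trailing newline. If the line is longer than cap-1 bytes, the remainder is
 * discarded so the next call starts on a fresh line, and LINE_TRUNCATED is
 * returned. A line that ends exactly at the buffer edge is still LINE_OK. */
enum line_status read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap)
            buf[0] = '\0';
        return LINE_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: look at the next byte to tell an exact fit
     * (or EOF without newline) apart from a genuinely over-long line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != EOF && c != '\n')   /* drain the rest of the oversized line */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Scan a constructed four-line sample with a 16-byte buffer (an assumed size
 * for the example). Returns the number of lines read and stores how many of
 * them were truncated in *truncated. The second line is exactly 15 bytes,
 * the edge case where fgets() fills the buffer without seeing the newline. */
int scan_sample(int *truncated)
{
    static const char sample[] =
        "short\n"
        "exactly15chars!\n"
        "this line is far longer than sixteen bytes\n"
        "end";                      /* last line has no newline before EOF */
    FILE *in = tmpfile();           /* stand-in for stdin */
    if (in == NULL)
        return -1;
    fputs(sample, in);
    rewind(in);

    char buf[16];
    int lines = 0;
    *truncated = 0;
    enum line_status st;
    /* sizeof buf ties len to the real buffer size; the fgets(buf, len, ...)
     * in the question is only safe if len has the same guarantee. */
    while ((st = read_line(in, buf, sizeof buf)) != LINE_EOF) {
        lines++;
        if (st == LINE_TRUNCATED)
            (*truncated)++;
    }
    fclose(in);
    return lines;
}

int main(void)
{
    int truncated = 0;
    int lines = scan_sample(&truncated);
    printf("lines read: %d, truncated: %d\n", lines, truncated);
    return 0;
}
```

The point of the drain step is that fgets() itself never overflows a correctly sized buffer; the usual mistakes are passing a len unrelated to sizeof buf, or ignoring that a line longer than the buffer leaves its tail in the stream to be consumed by the next read.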