Assignment 4 solutions, due Feb 16

Part of the homework for 22C:169, Spring 2007
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

  1. Background: Consider this shell script, stored in the file fibonacci and marked as an executable file:
    #!/bin/tcsh
    # fib arg
    # outputs the arg'th fibonacci number
    
    if      ($argv <= 1) then
            echo $argv
    else
            @ m1 = $argv - 1
            @ m2 = $argv - 2
            @ return = `fib $m1` + `fib $m2`
            echo $return
    endif
    

    a) What output does this produce for the inputs fib 0 through fib 8? (1/2 point)

    Here's the output:

      [akampoow@r-lnx221 hw4sol]$ ./fib 1
      1
      [akampoow@r-lnx221 hw4sol]$ ./fib 2
      1
      [akampoow@r-lnx221 hw4sol]$ ./fib 3
      2
      [akampoow@r-lnx221 hw4sol]$ ./fib 4
      3
      [akampoow@r-lnx221 hw4sol]$ ./fib 5
      5
      [akampoow@r-lnx221 hw4sol]$ ./fib 6
      8
      [akampoow@r-lnx221 hw4sol]$ ./fib 7
      13
      [akampoow@r-lnx221 hw4sol]$ ./fib 8
      21
    

    b) Give equivalent C, C++, C# or Java code, writing it as a function that takes an integer argument and returns an integer result. Hint: In all of these languages, the code is smaller than the original shell script! (1/2 point)

    Here is a somewhat equivalent program:

    /*fib.c*/
    /******************************************
    * A fibonacci program                     *
    * Author:  Alankar Kampoowale             *
    ******************************************/
    #include <stdio.h>   /* printf */
    #include <stdlib.h>  /* atoi */
    
    int fibonacci(int val) {
        /* the function that calculates the val'th fibonacci number */
        if (val <= 1) {
            return val;
        } else {
            return(fibonacci(val-1) + fibonacci(val-2));
        }
    }
    
    int main(int argc, char * argv[]) {
        printf("%d\n", fibonacci( atoi( argv[1] ) ) );
        return 0;
    }
    

    c) Explain the potential for injection vulnerability in this code; what stupid thing did the programmer do? (1 point)

    The stupid thing that the programmer did was to print the argument to the script to the screen using echo. Also, the programmer used $argv instead of $argv[1] and did not check the number of arguments. This made it possible to exploit the script through an injection vulnerability by formatting the argument accordingly. You had to mention both of the above points; otherwise full points were not given.

    d) Give a command line for a call to the above fib script that will, as a side effect, run the cat fib command to list the file to standard output. (1 point)

    A suitable command line would be:

    [akampoow@r-lnx221 hw4sol]$ ./fib "1 ) cat fib"
    

    The following, and some of the other command lines suggested, are not injection attacks, for various reasons:

    [akampoow@r-lnx221 hw4sol]$ eval ./fib "1; cat fib"
    

    In the above, eval breaks the contents within the quotes into individual strings and executes the commands ./fib 1 and cat fib separately. This will happen with any script, even if it doesn't have potential for injection vulnerabilities.

    [akampoow@r-lnx221 hw4sol]$ ./fib 1; cat fib
    
    The above is just the execution of one command after another.

    e) Propose code to add to the fib routine that prevents its use with the incorrect number of parameters. This is one way to eliminate the injection vulnerability in this code. (1 point)

    Here's the script. It checks whether there is exactly one argument to the script; otherwise it does not calculate the fibonacci index value. You had only to suggest code, so no actual code was required. But points were taken off if the suggestion did not mention how the incorrect number of arguments should be dealt with.

    #!/bin/tcsh -x
    #fib arg
    if ($#argv == 1) then
        if ($argv <= 1) then
            echo $argv
        else
            @ m1 = $argv - 1
            @ m2 = $argv - 2
            @ return = `./fib $m1` + `./fib $m2`
            echo $return
        endif
    else
        echo "Only one argument allowed"
    endif
    

    Note that this script still contains an injection vulnerability!

    f) In fact, this code does include an injection vulnerability. Can you find a call to this code that will inject the command ls -l fib? (From there, it is not a long shot to rm -f fib.) (1 point)

    A suitable command line would be:

     [akampoow@r-lnx221 hw4sol]$ ./fib "1 ) ls -l fib"
    

    Again, some of the other formats were not injection attacks.
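
    Parts (e) and (f) show that counting arguments is not enough, because a quoted string containing spaces is still a single argument. The following is an added example, not part of the original solutions: a POSIX sh port (not tcsh) that also validates the argument's content before using it. The names is_uint and fib_checked are hypothetical, and 64-bit shell arithmetic is assumed.

```sh
#!/bin/sh
# Added example, not from the original solutions: a POSIX sh port of fib
# that checks the argument's content as well as the argument count.
# The names is_uint and fib_checked are hypothetical.

# is_uint STRING: succeed only if STRING is one or more decimal digits.
is_uint() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        *) return 0 ;;
    esac
}

# fib_checked N: print the N'th Fibonacci number; status 2 on bad input.
fib_checked() {
    if [ "$#" -ne 1 ]; then
        echo "usage: fib_checked N" >&2
        return 2
    fi
    # A quoted string with spaces is still ONE argument, so the count
    # check alone is not enough. Require 1 or 2 digits and a value of at
    # most 92 (assumption: 64-bit shell arithmetic, where F(93) overflows).
    if ! is_uint "$1" || [ "${#1}" -gt 2 ] || [ "$1" -gt 92 ]; then
        echo "fib_checked: N must be an integer from 0 to 92" >&2
        return 2
    fi
    # $1 is now digits only, and it is still quoted wherever it is used.
    if [ "$1" -le 1 ]; then
        echo "$1"
        return 0
    fi
    # Iterate rather than spawn two child shells per call.
    a=0 b=1 i=1
    while [ "$i" -lt "$1" ]; do
        next=$((a + b))
        a=$b
        b=$next
        i=$((i + 1))
    done
    echo "$b"
}
```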