pete > courses > Crash Course in System Security (CSCI 1005), Winter 2025 > Day 05
Day 05: A Real, Exploitable Vulnerability
bug/vulnerability/exploit
(responsible) disclosure
CVE
National Vulnerability Database
bugtraq
patch
diff
configure/make/make install
libraries
driver programs
function pointers (func-ptr.c)
Exercises
Bullet Points
Download libpng-1.2.5.
Configure it. In the resulting Makefile, add -fno-stack-protector to the CFLAGS variable.
Compile (but do not install!) it.
In the contrib/gregbook subdirectory of the libpng source code:
$ mv Makefile.unx Makefile
Then edit the Makefile to include these variable definitions (you’ll have to comment out any other definitions of these variables):
PNGINC = -I../..
PNGLIB = -L../.. -lpng12
ZINC = -I/usr/include
ZLIB = /usr/lib/libz.a
LDFLAGS = -lm -Wl,-z,execstack
And finally compile the driver programs:
$ make rpng-x
Download this image, which will crash libpng-1.2.5.
Elicit the crash by feeding the image to the rpng-x program. This is a bit non-trivial, because you need to tell rpng-x to use the version of libpng you just compiled rather than the system-installed version. You can do that thusly:
$ LD_LIBRARY_PATH=../../ ./rpng-x /path/to/image
Find the bug that causes the crash.
Fix the bug that causes the crash and produce a patch.
Produce an alternate image file that drops a shell when fed to rpng-x (in contrast to the shells you dropped last week, this one will be responsive).
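As an added example (not part of the course page or of libpng), a small POSIX sh helper that applies the Makefile edits from the build steps above in a repeatable way: it appends -fno-stack-protector to CFLAGS, comments out the existing definitions of the gregbook variables and appends the values listed, and reads back the active value so you can check the edit before running make. The Makefile contents it writes are a constructed stand-in, not the real libpng files, and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the course page. Edits a Makefile the way the
# lab steps describe and lets you verify the result before building.

# Append a flag to the (uncommented) CFLAGS line. The lab adds
# -fno-stack-protector, which disables a mitigation; use it only on
# the lab build, never on software you ship.
add_cflag() {
    # $1 = Makefile path, $2 = flag to append
    sed -e "s|^\(CFLAGS[[:space:]]*=.*\)$|\1 $2|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Comment out every existing definition of a variable, then append ours,
# so make sees exactly one active definition.
set_var() {
    # $1 = Makefile path, $2 = variable name, $3 = new value
    sed -e "s|^\([[:space:]]*$2[[:space:]]*[:?]*=\)|#\1|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    printf '%s = %s\n' "$2" "$3" >> "$1"
}

# Print the value of the last uncommented "NAME = value" line.
active_value() {
    # $1 = Makefile path, $2 = variable name
    sed -n "s|^[[:space:]]*$2[[:space:]]*[:?]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Apply the five gregbook variable definitions listed in the steps above.
configure_gregbook() {
    set_var "$1" PNGINC '-I../..'
    set_var "$1" PNGLIB '-L../.. -lpng12'
    set_var "$1" ZINC '-I/usr/include'
    set_var "$1" ZLIB '/usr/lib/libz.a'
    set_var "$1" LDFLAGS '-lm -Wl,-z,execstack'
}

# Constructed stand-in for contrib/gregbook/Makefile.unx (assumed contents).
write_fixture() {
    cat > "$1" <<'EOF'
CC = gcc
CFLAGS = -O -Wall
PNGINC = -I/usr/local/include
PNGLIB = -L/usr/local/lib -lpng
ZINC = -I/usr/local/include
ZLIB = -L/usr/local/lib -lz
LDFLAGS =
EOF
}
# Usage: write_fixture Makefile; add_cflag Makefile -fno-stack-protector;
#        configure_gregbook Makefile; active_value Makefile PNGLIB
```

On the real tree, run add_cflag against the top-level Makefile that configure produced and configure_gregbook against contrib/gregbook/Makefile after the mv step.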
Advice
You will be doing a lot of exploring this afternoon. You will get lost. You will get confused. This is okay.
Don’t charge straight to the finish line. Plot out some small steps that will get you there (e.g., don’t try to drop a shell right away; instead, embed your exit-42 shellcode, then move on to the more complicated case).
I cannot overstate how strongly I suggest you take extremely detailed notes as you work: what you’re doing, what you’ve found, what you plan to try next, etc. I similarly strongly suggest that these notes be electronic; I know many of you are more comfortable keeping hand-written notes, but being able to cut and paste will make your life waaaay easier. (Tomorrow, I’ll share the notes I took.)
Additionally, in the course of your poking around, you will probably be editing files to see what happens. I strongly suggest you give these files meaningful names so you don’t forget why you created them or what changes they contain.
Should you end up with multiple versions of the same source file, the command diff might come in handy.
References
These are the official notices regarding the libpng vulnerability. Since I’d like you to get practice digging around source code and executables, I suggest you not look too closely at these until you’ve finished the exercises.