Trail of Bits Blog
C/C++ checklist challenges, solved
This post walks through two security challenges from the Testing Handbook's C/C++ checklist: a Linux ping program and a Windows driver registry handler.

The Linux challenge contains a command injection vulnerability. It stems from flawed input validation combined with `inet_ntoa`'s use of a single global buffer: every call overwrites the buffer that an earlier call returned, so a value that was checked is not necessarily the value that is later used, and an attacker can bypass the security checks.

The Windows challenge centres on a driver that reads version information from the registry with `RtlQueryRegistryValues`. Because the attacker controls the registry path, the driver can be made to read arbitrary registry keys. The key defect is the missing type check when `RTL_QUERY_REGISTRY_DIRECT` is used: without the `RTL_QUERY_REGISTRY_TYPECHECK` flag, a value of an unexpected type is copied straight into the caller's buffer, so reading from an untrusted hive causes a kernel security failure and allows an attacker to overwrite data on the stack through this type confusion. This is the bug class originally addressed in MS11-011.

The post then introduces a new Claude skill, c-review, designed to find bugs in C/C++ codebases with an LLM. The skill turns the Testing Handbook's checklist items into prompts for identifying vulnerabilities.
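To make the `inet_ntoa` point concrete, the following added example (not code from the post or from the handbook challenge) shows why a check on one `inet_ntoa` result is meaningless once a second conversion has happened, and how `inet_ntop` with a caller-owned buffer avoids the problem. Function names and the sample addresses are constructed for illustration; the behaviour relies on `inet_ntoa` returning its usual static buffer (true on glibc and musl).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Converts two addresses with inet_ntoa() and reports whether the first
 * pointer was clobbered by the second call. Returns 1 if the pointers alias
 * the same static buffer and the first now holds the second address's text,
 * 0 otherwise, -1 on parse failure. */
int inet_ntoa_aliases(const char *a_str, const char *b_str) {
    struct in_addr a, b;
    if (inet_pton(AF_INET, a_str, &a) != 1) return -1;
    if (inet_pton(AF_INET, b_str, &b) != 1) return -1;
    char *p1 = inet_ntoa(a);   /* points into a global/static buffer */
    char *p2 = inet_ntoa(b);   /* overwrites that same buffer */
    return (p1 == p2) && (strcmp(p1, b_str) == 0);
}

/* The vulnerable pattern in miniature: validate the text of address A,
 * then convert address B, then use the pointer obtained for A. Returns 1 if
 * the bytes actually used still match what was validated, 0 if they changed
 * underneath the check (the failure mode the post describes), -1 on error. */
int check_then_use_is_consistent(const char *a_str, const char *b_str) {
    struct in_addr a, b;
    if (inet_pton(AF_INET, a_str, &a) != 1) return -1;
    if (inet_pton(AF_INET, b_str, &b) != 1) return -1;
    const char *checked = inet_ntoa(a);
    int passed = strcmp(checked, a_str) == 0;   /* "validation" */
    (void)inet_ntoa(b);                          /* unrelated later call */
    /* 'checked' is what gets used after the check. */
    return passed && strcmp(checked, a_str) == 0;
}

/* Safe variant: inet_ntop() writes into buffers the caller owns, so the
 * string that was validated is the string that is used. Returns 1 if both
 * conversions are intact, 0 otherwise, -1 on error. */
int inet_ntop_distinct(const char *a_str, const char *b_str) {
    struct in_addr a, b;
    char buf_a[INET_ADDRSTRLEN], buf_b[INET_ADDRSTRLEN];
    if (inet_pton(AF_INET, a_str, &a) != 1) return -1;
    if (inet_pton(AF_INET, b_str, &b) != 1) return -1;
    if (!inet_ntop(AF_INET, &a, buf_a, sizeof buf_a)) return -1;
    if (!inet_ntop(AF_INET, &b, buf_b, sizeof buf_b)) return -1;
    return strcmp(buf_a, a_str) == 0 && strcmp(buf_b, b_str) == 0;
}

int main(void) {
    /* Constructed sample addresses from documentation ranges. */
    const char *a = "10.0.0.1", *b = "192.0.2.7";
    printf("inet_ntoa aliases:           %d\n", inet_ntoa_aliases(a, b));
    printf("check-then-use consistent:   %d\n", check_then_use_is_consistent(a, b));
    printf("inet_ntop buffers distinct:  %d\n", inet_ntop_distinct(a, b));
    return 0;
}
```

The second function is the shape reviewers should look for: any value derived from `inet_ntoa` (or `strerror`, `getenv`, and similar static-buffer APIs) that is checked and then used after an intervening call is a candidate for this bug; the fix is to copy into a caller-owned buffer, or use `inet_ntop`, before validating.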