"/usr/bin/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";?

Question

I found this line in the if.c of unix version 6.

ncom = "/usr/bin/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

Why are there so many x's? And why would you set this?

Answer 1

The code you are talking of looks like this:

ncom = "/usr/bin/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
while(c=nargv[0][i])  {
    ncom[9+i++] = c;
}
ncom[9+i] = '\0';

All those x's act as a buffer, they are overridden by the following loop. Therefore the code effectively adds "/usr/bin/" to the command in nargv[0].

With a little more context the code is doing this:

execv(nargv[0], nargv, np);
execv(ncom+4, nargv, np);
execv(ncom, nargv, np);

If the given command in nargv[0] is "foo" it will first try to run "foo" then "/bin/foo" and finally "/usr/bin/foo".

---

Be aware that above is a good example how to not do such things:

If the string in nargv[0] happens to be longer than the number of x's, the code will happily continue copying data. This will override other parts of the stack. The result is a good example of a buffer overflow. (You allocate a buffer of some size and write more data than allocated.)

This example will demonstrate the problem:

#include <stdio.h>
int main(){
  char s[]="abcde";
  int i;
  for(i=0;i<100;i++){
    printf("position %2d contains value %3d\n",i,s[i]);
    s[i]=0;
  }
  puts(s);
  return 0;
}

If you run it it will (most probably) output this:

position  0 contains value  97
position  1 contains value  98
position  2 contains value  99
position  3 contains value 100
position  4 contains value 101
position  5 contains value   0
position  6 contains value   0
position  7 contains value   0
position  8 contains value   0
position  9 contains value   0
position 10 contains value   0
position 11 contains value   0
position 12 contains value  12
position  1 contains value   0
position  2 contains value   0
position  3 contains value   0
position  4 contains value   0
position  5 contains value   0
position  6 contains value   0
position  7 contains value   0
[...]

It will fill the string (containing the ASCII values 97 to 101) with zeroes and continue writing the memory where it will find the position of the variable i it will also set it to zero. Now i is zero and therefore the loop starts again, overriding the the already overridden string again and again.

Not only local variables can be overriden, also the return address of a function might get overriden resulting in either a "segmentation fault" or execution of arbitrary code, which is often used by malware.