C Exploitation / Overflow?


Anyone know a good way to attack the following? What’s the best approach? Timing attack? Or am I missing something obvious?

int ticket_compare(char *t, char *ticket) {
    /* Walks both strings while the bytes match. There is no check for the
       terminating NUL, so two equal strings keep the loop running past the
       end of both buffers. */
    while (*t == *ticket) {
        t++; ticket++;
    }
    return *t - *ticket;
}

Do you have control of both inputs or just one of them?

Looking at the code, it’s essentially the strcmp function without a NULL terminator check. So there is definitely a buffer read overrun possibility which can cause undefined behaviour, usually a SIGSEGV.

A timing attack is another possibility; for example, you could find out a valid ticket as the ticket_compare function will take longer and longer for every character it matches. But if this is a remote exploit attempt then I think that would be difficult, since the timing differences will be minuscule in comparison to the timings involved with TCP.
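The byte-at-a-time recovery the reply above describes, worked through as an added example (this is not the poster's code and not part of the original thread). It assumes a fixed 8-byte ticket, a constructed secret "X7q2Lm9Z", and a comparison bounded to that length so the demo never reads past either buffer; the loop iteration count stands in for the time an attacker would measure, so the remote network jitter mentioned in the reply is deliberately not modelled. A fixed-length compare that always touches every byte is shown beside it so the same attack loop can be seen failing against it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Instrumented stand-in for the posted compare. Same early-exit-on-first-
   mismatch behaviour, but bounded to n bytes so the demo never reads past
   either buffer, and it reports the loop iteration count, our stand-in for
   the time an attacker measures. */
static int leaky_compare(const char *t, const char *ticket, size_t n, size_t *steps)
{
    size_t i = 0;
    while (i < n && t[i] == ticket[i])
        i++;
    *steps = i + 1;                     /* one per matched byte, plus the failing test */
    if (i == n)
        return 0;
    return (unsigned char)t[i] - (unsigned char)ticket[i];
}

/* Fixed-length comparison that touches every byte regardless of where the
   first mismatch is, so the step count carries no information about the
   matching prefix. Returns 0 on match, nonzero otherwise. */
static int ct_compare(const char *a, const char *b, size_t n, size_t *steps)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    *steps = n;
    return diff;
}

typedef int (*cmp_fn)(const char *, const char *, size_t, size_t *);

#define TICKET_LEN 8
/* Constructed secret; the attacker never sees it, only the step count. */
static const char SECRET[TICKET_LEN + 1] = "X7q2Lm9Z";

/* Attacker loop: for each position try every alphabet byte, keep the one
   whose comparison ran longest, then move to the next position. Writes the
   recovered string to out and returns the number of oracle queries used. */
static size_t recover_ticket(cmp_fn cmp, char out[TICKET_LEN + 1])
{
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    char guess[TICKET_LEN + 1];
    size_t queries = 0;

    memset(guess, 'a', TICKET_LEN);     /* filler for positions not yet solved */
    guess[TICKET_LEN] = '\0';

    for (size_t pos = 0; pos < TICKET_LEN; pos++) {
        size_t best_steps = 0;
        char best = alphabet[0];
        for (const char *c = alphabet; *c; c++) {
            size_t steps;
            guess[pos] = *c;
            cmp(guess, SECRET, TICKET_LEN, &steps);
            queries++;
            if (steps > best_steps) {   /* strictly longer run = one more byte matched */
                best_steps = steps;
                best = *c;
            }
        }
        guess[pos] = best;
    }
    memcpy(out, guess, TICKET_LEN + 1);
    return queries;
}

/* Runs the attack against one compare and reports whether it recovered SECRET. */
static int attack_succeeds(cmp_fn cmp)
{
    char out[TICKET_LEN + 1];
    recover_ticket(cmp, out);
    return strcmp(out, SECRET) == 0;
}

/* Step count (the "timing") observed for a single guess against SECRET. */
static size_t steps_for(cmp_fn cmp, const char *guess)
{
    size_t steps;
    cmp(guess, SECRET, TICKET_LEN, &steps);
    return steps;
}

int main(void)
{
    char out[TICKET_LEN + 1];
    size_t q = recover_ticket(leaky_compare, out);
    printf("early-exit compare:    recovered \"%s\" in %zu queries (%s)\n",
           out, q, strcmp(out, SECRET) == 0 ? "correct" : "wrong");
    q = recover_ticket(ct_compare, out);
    printf("constant-time compare: recovered \"%s\" in %zu queries (%s)\n",
           out, q, strcmp(out, SECRET) == 0 ? "correct" : "wrong");
    return 0;
}
```

Against the early-exit compare the correct byte at each position is the only one that makes the loop run one iteration longer, so 8 positions times 62 candidates (496 queries) recovers the whole ticket instead of the 62^8 a blind search would need. Against the fixed-length compare every guess costs the same number of steps, so the loop just keeps the first alphabet byte at every position and learns nothing. In a real deployment the step count becomes wall-clock time plus noise, which is why the reply's point about TCP jitter matters: the attacker needs many repeated measurements per candidate before the one-iteration difference becomes visible.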