Software (In) Security - Fun With C - Signed Integer Boundary Conditions
Following table shows typical size and min/max range representation for Integer types.
https://www.securepatterns.com/2018/09/fun-with-c-signed-integer-boundary.html 1/3
24/05/2021 Software [in] Security: Fun with C - Signed Integer Boundary Conditions
6
7 }
(gdb) s
5 a = a + 0x01;
(gdb) x &a
0xbffff534: 0x7fffffff
(gdb) s
7 }
(gdb) x &a
0xbffff534: 0x80000000
(gdb) print /d a
$1 = -2147483648
(gdb)
We can see that once the result of the operation crosses the maximum positive integer value, the number wraps around and is interpreted as a negative value. Just as an operation can overflow the upper boundary of a signed positive number, other operations can underflow its lower boundary.
Impact:
Boundary overflow and the subtle type-conversion issues that come with it have a major security impact on resource-sensitive operations such as memory management. Because the value wraps, the program can be tricked into handling a larger memory chunk than it expects. In short, the wrapped value influences the program's memory management routines.
For example:
    int len = packet_read_field(sfd);    /* signed length taken from the packet */
    read_data(sfd, buffer, len);         /* len is converted to size_t at this call */
In the above example, assume read_data() works like read(2). If the user crafts a packet with a negative value in that specific field, the value of the signed "len" variable becomes negative. When that value is used to read data, the negative "len" is passed to read_data(), whose third argument "len" is a size_t, i.e. an unsigned integer. A type conversion takes place: the negative value of "len" is converted into a large positive unsigned integer before read_data() sees it. The end result is that the program reads a huge amount of data from the input and places it into the buffer, which leads to an overflow and unexpected security exposures.
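The length check the text describes, as an added C example that is not from the original post: packet_read_field(), read_data_checked(), handle_packet() and the two sample packets are hypothetical. It shows the signed field value -16 turning into a huge size_t at the call boundary, beside a hardened reader that validates the length while it is still signed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample packets (not from the original post): a 4-byte big-endian
   signed length field followed by payload bytes. */
static const unsigned char GOOD_PKT[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char NEG_PKT[]  = {0xFF, 0xFF, 0xFF, 0xF0, 'x'};  /* length field = -16 */
static unsigned char out[16];
/* Hypothetical field parser: the protocol carries a signed 32-bit length. */
int32_t packet_read_field(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;  /* values above INT32_MAX wrap to negative (two's complement targets) */
}

/* What happens at the original call site: the signed value is converted to size_t. */
size_t as_size_t(int32_t len)
{
    return (size_t)len;  /* -16 becomes SIZE_MAX - 15: the "huge number of data" */
}
/* Hardened reader: validate while 'len' is still signed, then bound it by both the
   destination buffer and the bytes actually present in the packet. */
int read_data_checked(const unsigned char *payload, size_t avail,
                      unsigned char *buf, size_t bufsz, int32_t len)
{
    if (len < 0)             return -1;  /* negative length: reject before any conversion */
    if ((size_t)len > bufsz) return -2;  /* would overflow the destination buffer */
    if ((size_t)len > avail) return -3;  /* claims more bytes than the packet carries */
    memcpy(buf, payload, (size_t)len);
    return (int)len;
}
int handle_packet(const unsigned char *pkt, size_t pktlen, unsigned char *buf, size_t bufsz)
{
    if (pktlen < 4) return -4;  /* no complete length field */
    return read_data_checked(pkt + 4, pktlen - 4, buf, bufsz, packet_read_field(pkt));
}

int demo_good(void)     { return handle_packet(GOOD_PKT, sizeof GOOD_PKT, out, sizeof out); }
int demo_negative(void) { return handle_packet(NEG_PKT, sizeof NEG_PKT, out, sizeof out); }
int demo_good_payload_ok(void) { return demo_good() == 5 && memcmp(out, "hello", 5) == 0; }

int main(void)
{
    printf("good=%d negative=%d (len -16 as size_t = %zu)\n", demo_good(), demo_negative(), as_size_t(-16));
    return 0;
}
```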
Example Vulnerability:
Recently, Qualys released a security advisory for an "Integer Overflow" issue in the create_elf_tables() function.
Let's analyze the vulnerable function create_elf_tables() in binfmt_elf.c
where -
argc:
- Part of the "linux_binprm" structure, which holds the arguments used when loading binaries.
- It represents the number of argument strings passed to execve(); their maximum is defined as #define MAX_ARG_STRINGS 0x7FFFFFFF
envc:
- Part of the "linux_binprm" structure, which holds the arguments used when loading binaries.
- It represents the number of environment variable strings passed to execve()
- It is defined as -
bprm->envc = count(envp, MAX_ARG_STRINGS);
#define MAX_ARG_STRINGS 0x7FFFFFFF
The good news is that both the "argc" and "envc" values can be controlled. So for exploitation we need to craft huge "argc" and "envc" values and overflow the signed "items" value, which then becomes negative. This value is later used in some stack-related operations, so it gives control over stack manipulation, which is very useful in a later phase of exploitation.