24/05/2021 Software [in] Security: Fun with C - Signed Integer Boundary Conditions

Plus

Software [in] Security

W e d n e s d a y, S e p t e m b e r 2 6 , 2 0 1 8 Search This Blog

Fun with C - Signed Integer Boundary Conditions

Arithmetic Boundary Condition Miscalculations are very common reasons for security issues in C/C++ applications. Blog Home

Arithmetic Boundary Conditions:

About Me
Integer is one of the most important datatype in C. It has minimum and maximum possible values determined by
underlying representation in memory.

Following table shows typical size and min/max range representation for Integer types.

OS - Ubuntu 18.04 ( 32 Bit ) Narendra Shinde

View my complete
pro le

Contact

@nushinde
Home

Labels

CTF
memory corruption
Priv Escalation
OS - CentOS 7 ( 64 Bit) Security Advisories
Vulnerability Analysis

Blog Archive

► 2020 (1)
►

► 2019 (2)
►

▼ 2018 (4)
▼
► November 2018 (1)
►

► October 2018 (2)

►

▼ September 2018 (1)

▼
Fun with C - Signed Integer
Conditions

Inspirations

"What happens if .....?" Cure53

Here,  very basic question - what happens if some operation attempts to cross mentioned Integer type boundary ? In lcamtuf's Blog
this case, the result of simple arithmetic operations cannot be stored in variable as it is in resulting representation. Gareth's Blog
PortSwigger
For our discussion, we are only concerned about "signed" numbers. As per above integer type table, maximum positive
Phrack
value hold by "int" or "signed integer"  is decimal 2147483647 i.e. 0x7FFFFFFF. If we add 1 into this number the result is
Google Project Zero
0x80000000 which is a maximum negative number accepted by "signed integer" i.e. -2147483648. In short, large
Qualys
positive number plus small positive number resulted into large negative number and vice versa for negative values.
GitHub Security Lab
Masato Kinugawa
(gdb) list
Orange Tsai's log
1 void main()
Soroush Dalili's Blog
2 {
3 int a ;
4 a = 0x7FFFFFFF;
5 a = a + 0x01;

https://www.securepatterns.com/2018/09/fun-with-c-signed-integer-boundary.html 1/3
24/05/2021 Software [in] Security: Fun with C - Signed Integer Boundary Conditions
6
7 }
(gdb) s
5 a = a + 0x01;
(gdb) x &a
0xbffff534: 0x7fffffff
(gdb) s
7 }
(gdb) x &a
0xbffff534: 0x80000000
(gdb) print /d a
$1 = -2147483648
(gdb)

We can see that when operation results crossed maximum positive integer value, number is converted into negative
value. Similarly, as operation can over ow boundary of signed positive number , some operations can also result into
under ow issues.

Impact:
Boundary over ow and type conversion related subtle issues cause major security impact on resource sensitive
operations such as memory management. Due to value wrapping, we can trick program to assign additional memory
chunk than what is expected. In short , we can in uence program's memory management routines.

For example -

len = packet_read_field(sfd) ;
read_data(sfd, buffer, len);

In above example , consider read_data works similar to how read(2) works. If user craft  packet with negative value into
speci c eld, then value of "signed length" variable will be negative. Now when this value is used to read data , this
negative value is passed into read_data() function which expects 3rd argument "len" to be size_t i.e. unsigned integer
value.  In this case type conversion operation takes place and  negative value of "len" is converted into positive
unsigned integer and passed to read_data() function.  End result, program will read huge number of data from input
and place it into buffer. This will lead to over ow and unexpected security exposures.

Example Vulnerability:

CVE-2018-14634 - Mutagen Astronomy: Integer over ow in Linux's create_elf_tables()

Recently, Qualys released security advisory for "Integer Over ow" issue in create_elf_tables() function.
Let's analyze the vulnerable function create_elf_tables() in binfmt_elf.c

150 #define STACK_ROUND(sp, items) \

151 (((unsigned long) (sp - items)) &~ 15UL)
...
165 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
...
169 int argc = bprm->argc;
170 int envc = bprm->envc;
171 elf_addr_t __user *sp;
...
178 int items;
...
190 p = arch_align_stack(p);
...
287 items = (argc + 1) + (envc + 1) + 1;
288 bprm->p = STACK_ROUND(sp, items);
...
295 sp = (elf_addr_t __user *)bprm->p;

It line 287 code performs some arithmetic operation -

items = (argc + 1) + (envc + 1) + 1;

where -
argc:
- Part of "linux_binprm" structure, this structure is used to hold the arguments that are used when loading binaries.
- It represents - Maximum number of argument strings passed to execve()
- Which is de ned as #de ne MAX_ARG_STRINGS 0x7FFFFFFF
envc:
- Part of "linux_binprm" structure, this structure is used to hold the arguments that are used when loading binaries.
- It represents - Maximum number of environment variable strings passed to execve()

https://www.securepatterns.com/2018/09/fun-with-c-signed-integer-boundary.html 2/3
24/05/2021 Software [in] Security: Fun with C - Signed Integer Boundary Conditions
- It is de ned as -
bprm->envc = count(envp, MAX_ARG_STRINGS);
#de ne MAX_ARG_STRINGS 0x7FFFFFFF

The good news is - "argc" and "envc" both values can be controlled. So for exploitation we need to craft huge "argc" and
"envc" values and over ow "signed - items" value , which will then becomes negative. This value is later used for some
stack related operations , so gives control over stack manipulation. This control is very useful in later phase of
exploitation.

150 #define STACK_ROUND(sp, items) \

151 (((unsigned long) (sp - items)) &~ 15UL)

For detailed technical advisory please check - CVE-2018-14634.

- September 26, 2018

Labels: Vulnerability Analysis

2 comments:

Unknown October 27, 2018 at 3:01 AM

Isn't there a contradiction, whent you state that on CentOS 7 (64b) a long is 32 bits long and holds numbers from
-9223372036854775808 to 9223372036854775807? For CentOS 7.5 you should indicate "64 bits" for long, as far as I could
verify.
Reply

Replies

Narendra Shinde October 27, 2018 at 11:26 AM

True, custom ascii table gone bad! Corrected. Thanks for your help.

Reply

Enter your comment...

Comment as: abbassen.lyes@ Sign out

Publish Preview Notify me

Newer Post Home

Subscribe to: Post Comments (Atom)

Previous Posts

CVE-2018-14665 : Xorg X Server Vulnerabilities

1.  Arbitrary File Overwrite Vulnerability Leads to Privilege Escalation Details: ====== X.org X Server application is vulnerable to...

Fun with C - Signed Integer Boundary Conditions

Arithmetic Boundary Condition Miscalculations are very common reasons for security issues in C/C++ applications. Arithmetic
Boundary Cond...

Analysis of CVE-2020-1730 : DoS in libssh

CVE-2020-1730: libssh - denial of service when handling AES-CTR (or DES) ciphers libssh  is a multiplatform C library
implementing the S...

Powered by Blogger.

https://www.securepatterns.com/2018/09/fun-with-c-signed-integer-boundary.html 3/3