Wednesday, September 26, 2018

Fun with C - Signed Integer Boundary Conditions

Miscalculations at arithmetic boundary conditions are a very common cause of security issues in C/C++ applications.

Arithmetic Boundary Conditions:
The integer is one of the most important data types in C. Each integer type has minimum and maximum possible values determined by its underlying representation in memory.

The following table shows the typical size and min/max range for the integer types.

OS - Ubuntu 18.04 ( 32 Bit )
OS - CentOS 7 ( 64 Bit)
"What happens if .....?"
Here is a very basic question: what happens if an operation attempts to cross the boundary of an integer type? In this case, the result of a simple arithmetic operation cannot be stored in the variable as it is, because it does not fit in the resulting representation.

For our discussion, we are only concerned with "signed" numbers. As per the integer type table above, the maximum positive value held by "int" or "signed integer" is decimal 2147483647, i.e. 0x7FFFFFFF. If we add 1 to this number, the result is 0x80000000, which is the most negative number a "signed integer" can hold, i.e. -2147483648. In short, a large positive number plus a small positive number results in a large negative number, and vice versa for negative values.

(gdb) list
1     void main()
2     {
3          int a ;
4          a = 0x7FFFFFFF;
5          a = a + 0x01;
6
7     }
(gdb) s
5          a = a + 0x01;
(gdb) x &a
0xbffff534:     0x7fffffff
(gdb) s
7     }
(gdb) x &a
0xbffff534:     0x80000000
(gdb) print /d a
$1 = -2147483648
(gdb)

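We can see that when the result of the operation crossed the maximum positive integer value, the number became negative. Strictly, the C standard leaves signed integer overflow undefined; the wrap to a negative value is what this build does on two's-complement hardware, and an optimizing compiler may behave differently. Just as an operation can overflow the upper boundary of a signed number, some operations can underflow past the lower boundary.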

Impact:
Boundary overflow and subtle type conversion issues have a major security impact on resource-sensitive operations such as memory management. Due to value wrapping, we can trick a program into allocating or using a different amount of memory than it expects. In short, we can influence the program's memory management routines.

For example -
In the above example, consider that read_data works similarly to read(2). If a user crafts a packet with a negative value in a specific field, the signed "length" variable will be negative. When this value is used to read data, the negative value is passed to the read_data() function, which expects its 3rd argument "len" to be size_t, i.e. an unsigned integer value. A type conversion takes place here: the negative value of "len" is converted into a large positive unsigned integer and passed to read_data(). As a result, the program will read a huge amount of data from the input and place it into the buffer. This leads to an overflow and unexpected security exposures.
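The conversion described above, as an added example that is not the post's own listing: a signed length that passes an upper-bound check and then becomes a huge size_t, next to a hardened check. The packet layout, BUF_SIZE and the function names parse_len, check_len_vulnerable and check_len_hardened are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64  /* assumed size of the destination buffer */

/* Constructed packet: 4-byte length field followed by payload.
   All-ones in the length field decodes to -1 as a signed 32-bit value. */
static const unsigned char sample_pkt[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B' };

/* Decode the length field into the signed type the parser uses. */
int32_t parse_len(const unsigned char *pkt)
{
    int32_t len;
    memcpy(&len, pkt, sizeof len);
    return len;
}

/* Vulnerable pattern: only the upper bound is checked, on a signed value.
   A negative length passes, then converts to a huge size_t at the call. */
int check_len_vulnerable(int32_t length, size_t *read_len)
{
    if (length > BUF_SIZE)
        return -1;
    *read_len = (size_t)length;  /* what a size_t "len" parameter receives */
    return 0;
}

/* Hardened: reject negatives before any conversion, then compare as unsigned. */
int check_len_hardened(int32_t length, size_t *read_len)
{
    if (length < 0 || (size_t)length > BUF_SIZE)
        return -1;
    *read_len = (size_t)length;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int32_t len = parse_len(sample_pkt);
    if (check_len_vulnerable(len, &n) == 0)
        printf("vulnerable check accepts %d, read size becomes %zu\n", (int)len, n);
    printf("hardened check returns %d\n", check_len_hardened(len, &n));
    return 0;
}
```

Compiling with -Wsign-conversion makes GCC and Clang warn at implicit signed-to-unsigned conversions of this kind.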

Example Vulnerability:

CVE-2018-14634 - Mutagen Astronomy: Integer overflow in Linux's create_elf_tables()

Recently, Qualys released a security advisory for an "Integer Overflow" issue in the create_elf_tables() function.
Let's analyze the vulnerable function create_elf_tables() in binfmt_elf.c:
150 #define STACK_ROUND(sp, items) \
151     (((unsigned long) (sp - items)) &~ 15UL)
...
165 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
...
169     int argc = bprm->argc;
170     int envc = bprm->envc;
...
178     int items;
...
190     p = arch_align_stack(p);
...
287     items = (argc + 1) + (envc + 1) + 1;
288     bprm->p = STACK_ROUND(sp, items);
...
295     sp = (elf_addr_t __user *)bprm->p;

At line 287 the code performs an arithmetic operation:
items = (argc + 1) + (envc + 1) + 1;
where -
argc:
- Part of the "linux_binprm" structure, which holds the arguments used when loading binaries.
- It holds the number of argument strings passed to execve(), which may be as large as MAX_ARG_STRINGS.
- The limit is defined as #define MAX_ARG_STRINGS 0x7FFFFFFF
envc:
- Part of the "linux_binprm" structure, which holds the arguments used when loading binaries.
- It holds the number of environment variable strings passed to execve(), which may be as large as MAX_ARG_STRINGS.
- It is defined as -
bprm->envc = count(envp, MAX_ARG_STRINGS);
#define MAX_ARG_STRINGS 0x7FFFFFFF

The good news is that both "argc" and "envc" can be controlled. So for exploitation we need to craft huge "argc" and "envc" values and overflow the signed "items" value, which then becomes negative. This value is later used for stack-related operations, so it gives control over stack manipulation. This control is very useful in a later phase of exploitation.
150 #define STACK_ROUND(sp, items) \
151     (((unsigned long) (sp - items)) &~ 15UL)
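The arithmetic at line 287, as an added example (not kernel code and not taken from the Qualys advisory): it recomputes "items" in 64 bits, shows the value a 32-bit int ends up holding, and rejects the overflow with the GCC/Clang __builtin_add_overflow builtin. The function names, the sample counts, the stack address and the 8-byte slot size are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* items as the quoted line 287 computes it, but carried out in 64 bits
   so the true count stays visible. */
int64_t items_wide(int argc, int envc)
{
    return ((int64_t)argc + 1) + ((int64_t)envc + 1) + 1;
}

/* The value a 32-bit two's-complement int holds for that count. */
int items_wrapped(int argc, int envc)
{
    uint32_t u = (uint32_t)items_wide(argc, envc);
    return u > INT_MAX ? (int)((int64_t)u - 4294967296LL) : (int)u;
}

/* Checked form: returns -1 instead of producing a wrapped count. */
int items_checked(int argc, int envc, int *items)
{
    int a, e, sum;
    if (__builtin_add_overflow(argc, 1, &a) ||
        __builtin_add_overflow(envc, 1, &e) ||
        __builtin_add_overflow(a, e, &sum) ||
        __builtin_add_overflow(sum, 1, items))
        return -1;
    return 0;
}

/* STACK_ROUND on a plain 64-bit address; items scaled by an assumed
   8-byte slot, as pointer arithmetic on the real sp would do. */
uint64_t stack_round(uint64_t sp, int items)
{
    return (sp - (uint64_t)((int64_t)items * 8)) & ~15ULL;
}

int main(void)
{
    const uint64_t sp = 0x7ffffffde000ULL;           /* constructed address */
    const int argc = 0x40000000, envc = 0x40000000;  /* constructed counts */
    int items = 0;
    printf("true count %lld, int holds %d\n",
           (long long)items_wide(argc, envc), items_wrapped(argc, envc));
    printf("rounded sp is %s the old sp\n",
           stack_round(sp, items_wrapped(argc, envc)) > sp ? "above" : "below");
    printf("checked form returns %d\n", items_checked(argc, envc, &items));
    return 0;
}
```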

1. Isn't there a contradiction, when you state that on CentOS 7 (64b) a long is 32 bits long and holds numbers from -9223372036854775808 to 9223372036854775807? For CentOS 7.5 you should indicate "64 bits" for long, as far as I could verify.

1. True, custom ascii table gone bad! Corrected. Thanks for your help.
