Wednesday, September 26, 2018

Fun with C - Signed Integer Boundary Conditions

Arithmetic Boundary Condition Miscalculations are very common reasons for security issues in C/C++ applications.

Arithmetic Boundary Conditions:
Integer is one of the most important datatype in C. It has minimum and maximum possible values determined by underlying representation in memory.

Following table shows typical size and min/max range representation for Integer types.

OS - Ubuntu 18.04 ( 32 Bit )
OS - CentOS 7 ( 64 Bit)
"What happens if .....?"
Here,  very basic question - what happens if some operation attempts to cross mentioned Integer type boundary ? In this case, the result of simple arithmetic operations cannot be stored in variable as it is in resulting representation.

For our discussion, we are only concerned about "signed" numbers. As per above integer type table, maximum positive value hold by "int" or "signed integer"  is decimal 2147483647 i.e. 0x7FFFFFFF. If we add 1 into this number the result is 0x80000000 which is a maximum negative number accepted by "signed integer" i.e. -2147483648. In short, large positive number plus small positive number resulted into large negative number and vice versa for negative values.

 (gdb) list   
 1     void main()  
 2     {  
 3          int a ;  
 4          a = 0x7FFFFFFF;  
 5          a = a + 0x01;  
 6       
 7     }  
 (gdb) s  
 5          a = a + 0x01;  
 (gdb) x &a  
 0xbffff534:     0x7fffffff  
 (gdb) s  
 7     }  
 (gdb) x &a  
 0xbffff534:     0x80000000  
 (gdb) print /d a  
 $1 = -2147483648  
 (gdb)

We can see that when operation results crossed maximum positive integer value, number is converted into negative value. Similarly, as operation can overflow boundary of signed positive number , some operations can also result into underflow issues.

Impact:
Boundary overflow and type conversion related subtle issues cause major security impact on resource sensitive operations such as memory management. Due to value wrapping, we can trick program to assign additional memory chunk than what is expected. In short , we can influence program's memory management routines.

For example -
 len = packet_read_field(sfd) ;  
 read_data(sfd, buffer, len);
In above example , consider read_data works similar to how read(2) works. If user craft  packet with negative value into specific field, then value of "signed length" variable will be negative. Now when this value is used to read data , this negative value is passed into read_data() function which expects 3rd argument "len" to be size_t i.e. unsigned integer value.  In this case type conversion operation takes place and  negative value of "len" is converted into positive unsigned integer and passed to read_data() function.  End result, program will read huge number of data from input and place it into buffer. This will lead to overflow and unexpected security exposures.

Example Vulnerability:

 CVE-2018-14634 - Mutagen Astronomy: Integer overflow in Linux's create_elf_tables()

 Recently, Qualys released security advisory for "Integer Overflow" issue in create_elf_tables() function.
Let's analyze the vulnerable function create_elf_tables() in binfmt_elf.c
  150 #define STACK_ROUND(sp, items) \  
  151     (((unsigned long) (sp - items)) &~ 15UL)  
  ...  
  165 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,  
  ...  
  169     int argc = bprm->argc;  
  170     int envc = bprm->envc;  
  171     elf_addr_t __user *sp;  
  ...  
  178     int items;  
  ...  
  190     p = arch_align_stack(p);  
  ...  
  287     items = (argc + 1) + (envc + 1) + 1;  
  288     bprm->p = STACK_ROUND(sp, items);  
  ...  
  295     sp = (elf_addr_t __user *)bprm->p;

It line 287 code performs some arithmetic operation -
items = (argc + 1) + (envc + 1) + 1;
where -
argc:
- Part of "linux_binprm" structure, this structure is used to hold the arguments that are used when loading binaries.
- It represents - Maximum number of argument strings passed to execve()
- Which is defined as #define MAX_ARG_STRINGS 0x7FFFFFFF
envc:
- Part of "linux_binprm" structure, this structure is used to hold the arguments that are used when loading binaries.
- It represents - Maximum number of environment variable strings passed to execve()
- It is defined as -
bprm->envc = count(envp, MAX_ARG_STRINGS);
#define MAX_ARG_STRINGS 0x7FFFFFFF

The good news is - "argc" and "envc" both values can be controlled. So for exploitation we need to craft huge "argc" and "envc" values and overflow "signed - items" value , which will then becomes negative. This value is later used for some stack related operations , so gives control over stack manipulation. This control is very useful in later phase of exploitation. 
  150 #define STACK_ROUND(sp, items) \  
  151     (((unsigned long) (sp - items)) &~ 15UL)
For detailed technical advisory please check - CVE-2018-14634.
-
Labels:

17 comments:

  1. UnknownOctober 27, 2018 at 3:01 AM

    Isn't there a contradiction, whent you state that on CentOS 7 (64b) a long is 32 bits long and holds numbers from -9223372036854775808 to 9223372036854775807? For CentOS 7.5 you should indicate "64 bits" for long, as far as I could verify.

    ReplyDelete
    Replies
    1. Narendra ShindeOctober 27, 2018 at 11:26 AM

      True, custom ascii table gone bad! Corrected. Thanks for your help.

      Delete
  2. UnknownJune 22, 2020 at 3:59 AM

    This is very useful post for me. This will absolutely going to help me in my project. 亚博

    ReplyDelete
  3. GhaziOctober 3, 2020 at 8:18 AM

    This comment has been removed by the author.

    ReplyDelete
  4. Mike JohnsonOctober 28, 2020 at 4:31 AM

    If you have active twitter account you can buy twitter followers from this site https://soclikes.com/ for your profile

    ReplyDelete
  5. GhaziNovember 11, 2020 at 2:54 AM

    I can set up my new idea from this post. It gives in depth information. Thanks for this valuable information for all,.. free facebook url email extractor

    ReplyDelete
  6. PrinceNovember 12, 2020 at 10:57 PM

    You have beaten yourself this time, and I appreciate you and hopping for some more informative posts in future. Thank you for sharing great information to us. email blast application

    ReplyDelete
  7. RichardsonNovember 14, 2020 at 2:26 AM

    If that is the case, it will be difficult to sell. How can you find out? Well, do some research and see if you can find out if the software company is growing. mSpy



    ReplyDelete
  8. OliverNovember 18, 2020 at 2:58 AM

    As these are legitimate renditions, you can likewise refresh it liberated from costs and subsequently keep up security and solidness of the equivalent. These days, most open source choices are tantamount and on occasion shockingly better than the paid software. email lists for sale

    ReplyDelete
  9. JennetNovember 19, 2020 at 1:55 AM

    The basic role of this approach identifies with lessening the time essential for the development of the ideal software. business automation

    ReplyDelete
  10. Digtal AliNovember 19, 2020 at 6:37 AM

    I was surfing net and fortunately came across this site and found very interesting stuff here. Its really fun to read. I enjoyed a lot. Thanks for sharing this wonderful information. house security

    ReplyDelete
  11. ChrisrockNovember 22, 2020 at 2:13 AM

    WhatsApp enables marketers to do group targeting and also allows the creation of groups according to similar interests and start discussions with users of the group. spiare whatsapp android

    ReplyDelete
  12. AnastasiaNovember 22, 2020 at 11:50 PM

    Notwithstanding the unfamiliar blemishes, usually some number of realized imperfections pass from the improvement association to the upkeep gathering. Exact assessment of the exertion needed to keep up conveyed software is helped by the disintegration of the general exertion into the different exercises that make up the entire cycle. emv chip software

    ReplyDelete
  13. cole-finchNovember 24, 2020 at 5:03 AM

    Most schools have licenses for software to be utilized on the premises, yet this isn't accessible for the understudies at home. mobile tracker

    ReplyDelete
  14. pastryDecember 9, 2020 at 4:58 AM

    You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant! note taking apps

    ReplyDelete
  15. HNSHAIKHDecember 9, 2020 at 7:15 AM

    The content is utmost interesting! I have completely enjoyed reading your points and have come to the conclusion that you are right about many of them. You are great, and your efforts are outstanding! Salesflow linked

    ReplyDelete
  16. ideaswebJanuary 4, 2021 at 7:31 AM

    I wanted to thank you for this great read!! I definitely enjoying every little bit of it I have you bookmarked to check out new stuff you post. ip camera

    ReplyDelete

Subscribe to: Post Comments (Atom)

Previous Posts