Arithmetic boundary condition miscalculations are a very common source of security issues in C/C++ applications.
Arithmetic Boundary Conditions:
The integer is one of the most important data types in C. Each integer type has minimum and maximum possible values, determined by its underlying representation in memory.
The following table shows the typical size and min/max range for the integer types.
OS - Ubuntu 18.04 (32 bit) [table of sizes and ranges not preserved]
OS - CentOS 7 (64 bit) [table of sizes and ranges not preserved]
"What happens if .....?"
Here is a very basic question: what happens if some operation attempts to cross the boundary of one of these integer types? In that case the result of even a simple arithmetic operation cannot be stored in the variable as-is; what gets stored is whatever the resulting representation happens to be.
For our discussion we are only concerned with "signed" numbers. As per the integer type table above, the maximum positive value held by an "int" or "signed integer" is decimal 2147483647, i.e. 0x7FFFFFFF. If we add 1 to this number the result is 0x80000000, which is the largest negative number accepted by a "signed integer", i.e. -2147483648. In short, a large positive number plus a small positive number results in a large negative number, and vice versa for negative values.
(gdb) list
1 void main()
2 {
3 int a ;
4 a = 0x7FFFFFFF;
5 a = a + 0x01;
6
7 }
(gdb) s
5 a = a + 0x01;
(gdb) x &a
0xbffff534: 0x7fffffff
(gdb) s
7 }
(gdb) x &a
0xbffff534: 0x80000000
(gdb) print /d a
$1 = -2147483648
(gdb)
We can see that when the result of the operation crossed the maximum positive integer value, the number was converted into a negative value. Similarly, just as an operation can overflow the boundary of a signed positive number, some operations can also result in underflow issues.
Impact:
Subtle issues arising from boundary overflow and type conversion have a major security impact on resource-sensitive operations such as memory management. Due to value wrapping, we can trick a program into assigning a larger memory chunk than expected. In short, we can influence the program's memory-management routines.
For example:
int len;                        /* signed length taken from the packet */
len = packet_read_field(sfd);   /* attacker-controlled field, may be negative */
read_data(sfd, buffer, len);    /* len is converted to size_t here */
In the above example, consider that read_data() works similarly to read(2). If the user crafts a packet with a negative value in the specific field, the value of the signed "len" variable will be negative. When this value is used to read data, the negative value is passed to read_data(), which expects its 3rd argument "len" to be size_t, i.e. an unsigned integer. A type conversion therefore takes place: the negative value of "len" is converted into a large positive unsigned integer and passed to read_data(). The end result is that the program reads a huge amount of data from the input and places it into the buffer. This leads to an overflow and unexpected security exposure.
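The same flow as an added example (not the post's code), with the socket replaced by constructed in-memory packets: packet_read_field(), read_data()'s size_t parameter, the buffer size and the function names are all assumptions, and the hardened variant rejects the field before the signed-to-unsigned conversion ever happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUFFER_SIZE 64   /* constructed size of the receive buffer */

/* Constructed packets: a single 4-byte big-endian signed length field. */
static const unsigned char PKT_LEN_16[4]  = { 0x00, 0x00, 0x00, 0x10 };
static const unsigned char PKT_LEN_256[4] = { 0x00, 0x00, 0x01, 0x00 };
static const unsigned char PKT_LEN_NEG[4] = { 0xFF, 0xFF, 0xFF, 0xFF };

/* Hypothetical stand-in for packet_read_field(): decodes the field from an
 * in-memory packet instead of a socket, returning a signed int like the
 * post's version, so 0xFFFFFFFF comes back as -1. */
int packet_read_field(const unsigned char *pkt)
{
    uint32_t raw = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                   ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    return (int)raw;
}

/* Vulnerable flow: the signed len goes straight into a size_t parameter,
 * as in read_data(sfd, buffer, len). Returns the byte count read_data()
 * would be asked to copy. */
size_t bytes_requested_unchecked(const unsigned char *pkt)
{
    int len = packet_read_field(pkt);
    size_t as_size_t = len;      /* implicit conversion: -1 becomes SIZE_MAX */
    return as_size_t;
}

/* Hardened flow: validate the signed value before it is converted. Returns
 * the accepted length, or -1 if the field is negative or exceeds the
 * buffer, so the caller can drop the packet instead of reading. */
long bytes_requested_checked(const unsigned char *pkt, size_t bufsize)
{
    int len = packet_read_field(pkt);
    if (len < 0 || (size_t)len > bufsize)
        return -1;
    return len;
}

int main(void)
{
    printf("negative field, unchecked: %zu bytes\n", bytes_requested_unchecked(PKT_LEN_NEG));
    printf("negative field, checked:   %ld\n", bytes_requested_checked(PKT_LEN_NEG, BUFFER_SIZE));
    printf("256-byte field, checked:   %ld\n", bytes_requested_checked(PKT_LEN_256, BUFFER_SIZE));
    printf("16-byte field, checked:    %ld\n", bytes_requested_checked(PKT_LEN_16, BUFFER_SIZE));
    return 0;
}
```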
Example Vulnerability:
CVE-2018-14634 - Mutagen Astronomy: Integer overflow in Linux's create_elf_tables()
Recently, Qualys released a security advisory for an "Integer Overflow" issue in the create_elf_tables() function.
Let's analyze the vulnerable function create_elf_tables() in binfmt_elf.c:
150 #define STACK_ROUND(sp, items) \
151 (((unsigned long) (sp - items)) &~ 15UL)
...
165 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
...
169 int argc = bprm->argc;
170 int envc = bprm->envc;
171 elf_addr_t __user *sp;
...
178 int items;
...
190 p = arch_align_stack(p);
...
287 items = (argc + 1) + (envc + 1) + 1;
288 bprm->p = STACK_ROUND(sp, items);
...
295 sp = (elf_addr_t __user *)bprm->p;
At line 287 the code performs the following arithmetic operation:
items = (argc + 1) + (envc + 1) + 1;
where:
argc:
- Part of the "linux_binprm" structure, which holds the arguments used when loading binaries.
- It represents the number of argument strings passed to execve(), whose maximum is defined as #define MAX_ARG_STRINGS 0x7FFFFFFF
envc:
- Also part of the "linux_binprm" structure.
- It represents the number of environment variable strings passed to execve(), subject to the same maximum.
- It is set as:
bprm->envc = count(envp, MAX_ARG_STRINGS);
#define MAX_ARG_STRINGS 0x7FFFFFFF
The good news, from an attacker's point of view, is that both "argc" and "envc" can be controlled. So for exploitation one needs to craft huge "argc" and "envc" values and overflow the signed "items" value, which then becomes negative. This value is later used for some stack-related operations, so it gives control over stack manipulation, and that control is very useful in the later phase of exploitation.
150 #define STACK_ROUND(sp, items) \
151 (((unsigned long) (sp - items)) &~ 15UL)
For the detailed technical advisory, please check CVE-2018-14634.
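Added example, not the kernel's code or its fix: the line-287 expression evaluated with argc at MAX_ARG_STRINGS, next to a checked version that refuses to form a count that does not fit in an int (the function names are my own). Overflowing a signed int is undefined behaviour in C, so the helpers reproduce the wrap through 64-bit and unsigned arithmetic rather than relying on it.

```c
#include <limits.h>
#include <stdio.h>

/* The unchecked line-287 expression, evaluated in 64-bit arithmetic so this
 * demonstration has no undefined behaviour of its own. Returns the true sum,
 * which an int cannot hold once argc + envc + 3 passes INT_MAX. */
long long items_true_sum(int argc, int envc)
{
    return (long long)argc + 1 + (long long)envc + 1 + 1;
}

/* The value a two's-complement int ends up holding when that sum is stored
 * into it (GCC and Clang define the unsigned-to-int conversion as modulo
 * 2^32, so this reproduces the wrap without signed overflow). */
int items_as_stored_int(int argc, int envc)
{
    unsigned int u = (unsigned int)argc + 1u + (unsigned int)envc + 1u + 1u;
    return (int)u;
}

/* Checked version: each partial sum is tested against INT_MAX before it is
 * formed. Returns the count, or -1 when it would not fit in an int, so the
 * caller can refuse the exec instead of continuing with a negative "items".
 * A valid count is always at least 3, so -1 is an unambiguous error. */
int items_checked(int argc, int envc)
{
    int items;
    if (argc < 0 || envc < 0 || argc > INT_MAX - 1 || envc > INT_MAX - 1)
        return -1;
    items = argc + 1;
    if (items > INT_MAX - (envc + 1))
        return -1;
    items += envc + 1;
    if (items > INT_MAX - 1)
        return -1;
    return items + 1;
}

int main(void)
{
    int argc = 0x7FFFFFFF, envc = 0;   /* constructed: argc at MAX_ARG_STRINGS */
    printf("true sum:      %lld\n", items_true_sum(argc, envc));
    printf("stored in int: %d\n", items_as_stored_int(argc, envc));
    printf("checked:       %d\n", items_checked(argc, envc));
    printf("checked(2, 3): %d\n", items_checked(2, 3));
    return 0;
}
```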
Isn't there a contradiction, when you state that on CentOS 7 (64b) a long is 32 bits long and holds numbers from -9223372036854775808 to 9223372036854775807? For CentOS 7.5 you should indicate "64 bits" for long, as far as I could verify.
True, custom ASCII table gone bad! Corrected. Thanks for your help.