![]() ![]() Without going too deep into details, this vulnerability allows to write into a buffer which is smaller than the amount of data to be written (a classic). ![]() So, for this case, I can use a real-life scenario: for example, CVE-2015-3824 “Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution”. Well, this whole attack is based on a series of vulnerability and most of them are integer overflows (or underflows). In these days the mobile ITsec world is shaken by this Android vulnerability called “ Stagefright“, which allows to execute remote code by just sending a well-forged MMS text. (uint16_t)0x1122 casted to a uint8_t variable becomes 0x22.(uint32_t)0x11223344 casted to a uint8_t variable becomes 0x44.An example will better show this concept: When a cast like this is done, the destination variable simply truncates the source value in such a way that it fits the space. ![]() Warning: conversion to ‘uint16_t’ from ‘uint32_t’ may alter its value These are the situations when the following GCC warning is generated: Vulnerabilities belonging to the first category happen when the code tries to store a value in a variable which is too small (in number of bits) to handle it: a typical situation is when a variable of a given type is casted into another one whose type is smaller than the original one. Now let’s try to imagine what can happen if one of these overflowing integers is used as an index for an array access or to compute the size of buffer to be allocated: the vulnerability could lead to the aforementioned buffer overflows.īlexim’s paper organizes the various scenarios in three main categories: So, the point is that if, for example, an unsigned 16-bit variable contains the value 65534 and we try to add 5 and store the results into the same variable, this one will end up being set to 3: in fact, for a uint16_t, 65535 + 1 = 0 and that’s it.Īn analogous thing can be done, for example, with a char variable: if the variable is set to 125 and we add 10, the variable will be set, at the end, to -121 for the same reason.Ī very similar thing happens also when we try to store a value that is smaller than the minimum the variable can handle: in a uint32_t world, for example, -2147483645 – 40 = +2147483611. Maybe showing it with an example is easier and, in order to do this, it’s important to keep in mind which are the minimum/maximum values a variable can store, according to the size and to the signedness of that very one. Let’s see if I can pay him some credit by trying to report what I learnt.Įssentially, what happens when we try to store in a variable a value greater than the maximum value that variable can handle? Well, the counting continues from the minimum value it can store. In this text, the author shortly describes the vulnerability concept itself and then goes on with some examples. The earliest paper describing this kind of vulnerability is “ Basic Integer Overflows“, written by blexim and dated 2002. How can this be useful? How overflowing an integer can execute arbitrary code? Well, in fact, it can’t by itself, but it can lead to a stack/heap overflow: once there, we’ve already seen what’s possible. In fact, it is triggered whenever the code tries to store into a variable a value greater than the maximum that variable can handle. This article is about a vulnerability that is, at the same time, different and close to the previous ones. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |