Basic Integer Overflows

File: archives/60/p60_0x0a_BasicIntegerOverflows_by_blexim.txt

                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10

|=--------------------=[ Basic Integer Overflows ]=----------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ by blexim ]=-------------------=|
1: Introduction
   1.1 What is an integer?
   1.2 What is an integer overflow?
   1.3 Why can they be dangerous?

2: Integer overflows
   2.1 Widthness overflows
   2.1.1 Exploiting
   2.2 Arithmetic overflows
   2.2.1 Exploiting

3: Signedness bugs
   3.1 What do they look like?
   3.1.1 Exploiting
   3.2 Signedness bugs caused by integer overflows

4: Real world examples
   4.1 Integer overflows
   4.2 Signedness bugs
--[ 1.0 Introduction

In this paper I'm going to describe two classes of programming bugs which can sometimes allow a malicious user to modify the execution path of an affected process. Both of these classes of bug work by causing variables to contain unexpected values, and so are not as "direct" as classes which overwrite memory, e.g. buffer overflows or format strings. All the examples given in the paper are in C, so a basic familiarity with C is assumed. A knowledge of how integers are stored in memory is also useful, but not essential.
----[ 1.1 What is an integer?

An integer, in the context of computing, is a variable capable of representing a whole number, i.e. a real number with no fractional part. On the 32-bit systems this paper targets, such as i386, an int is 32 bits long, the same size as a pointer. That equivalence does not hold in general: on current 64-bit Unix platforms (the LP64 model used on x86-64 and 64-bit SPARC) an int is still 32 bits while long and pointers are 64 bits, 64-bit Windows (LLP64) keeps even long at 32 bits, and the C standard only guarantees a minimum range for each type. For the sake of simplicity all the examples refer to a 32-bit system with 32-bit integers, longs and pointers.

Integers, like all variables, are just regions of memory. When we talk about integers, we usually represent them in decimal, as that is the numbering system humans are most used to. Computers, being digital, do not deal with decimal, so internally integers are stored in binary. Binary is another system of representing numbers which uses only two numerals, 1 and 0, as opposed to the ten numerals used in decimal. As well as binary and decimal, hexadecimal (base sixteen) is often used in computing as it is very easy to convert between binary and hexadecimal.

Since it is often necessary to store negative numbers, there needs to be a mechanism to represent negative numbers using only binary. The way this is accomplished (two's complement, which every mainstream C implementation uses) is to let the most significant bit (MSB) of a variable determine the sign: if the MSB is set to 1, the variable is interpreted as negative; if it is set to 0, the variable is positive. This can cause some confusion, as will be explained in the section on signedness bugs, because not all variables are signed, meaning they do not all use the MSB to determine whether they are positive or negative. Variables that do not are known as unsigned and can only hold non-negative values, whereas variables which can be either positive or negative are called signed.
----[ 1.2 What is an integer overflow?

Since an integer is a fixed size (32 bits for the purposes of this paper), there is a fixed maximum value it can store. When an attempt is made to store a value greater than this maximum value it is known as an integer overflow. What the ISO C99 standard says about it depends on the type. For signed integer types, arithmetic whose result does not fit causes "undefined behaviour", meaning that compilers conforming to the standard may do anything they like, from completely ignoring the overflow to aborting the program. For unsigned types the result is defined to wrap around (see section 2.0). On the hardware the arithmetic simply wraps in both cases, so in practice an unexpected or erroneous result is stored and used later.

One caveat that matters today: modern compilers exploit the undefined status of signed overflow when optimising. gcc and clang are entitled to assume that a + b never overflows for signed a and b, and will delete an after-the-fact check such as "if (a + b < a)". Overflow checks on signed values must therefore be written against the operands before the operation (e.g. "if (b > INT_MAX - a)"), or the code must be compiled with -fwrapv, which makes signed overflow wrap.
----[ 1.3 Why can they be dangerous?

Integer overflows cannot be detected after they have happened, so there is no way for an application to tell if a result it has calculated previously is in fact correct. This can get dangerous if the calculation has to do with the size of a buffer or how far into an array to index. Of course most integer overflows are not exploitable because memory is not being directly overwritten, but sometimes they can lead to other classes of bugs, frequently buffer overflows. As well as this, integer overflows can be difficult to spot, so even well audited code can spring surprises.
--[ 2.0 Integer overflows

So what happens when an integer overflow does happen? ISO C99 has this to say:

    "A computation involving unsigned operands can never overflow,
    because a result that cannot be represented by the resulting unsigned
    integer type is reduced modulo the number that is one greater than
    the largest value that can be represented by the resulting type."

NB: modulo arithmetic involves dividing two numbers and taking the remainder, e.g.

    10 modulo 5 = 0
    11 modulo 5 = 1

so reducing a large value modulo (UINT_MAX + 1), which is 2^32 for a 32-bit unsigned int, can be seen as discarding the portion of the value which cannot fit into an integer and keeping the rest. In C, the modulo operator is a % sign.

This is a bit wordy, so maybe an example will better demonstrate what happens. Note that for unsigned operands this wraparound is fully defined behaviour; it is signed overflow that the standard leaves undefined.

We have two unsigned integers, a and b, both of which are 32 bits long. We assign to a the maximum value a 32-bit integer can hold, and to b we assign 1. We add a and b together and store the result in a third unsigned 32-bit integer called r:

    a = 0xffffffff
    b = 0x1
    r = a + b

Now, since the result of the addition cannot be represented using 32 bits, the result, in accordance with the ISO standard, is reduced modulo 0x100000000:

    r = (0xffffffff + 0x1) % 0x100000000
    r = (0x100000000) % 0x100000000 = 0

Reducing the result using modulo arithmetic basically ensures that only the lowest 32 bits of the result are used, so integer overflows cause the result to be truncated to a size that can be represented by the variable. This is often called a "wraparound", as the result appears to wrap around to 0.
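As an added example (my code, not part of the original article), the following C program does the same reduction in code and adds the checks a practitioner puts in front of size arithmetic: the wrapped 32-bit sum computed exactly as the standard phrases it (in a wider type, then reduced modulo 2^32), a post-condition check for unsigned addition, a pre-condition check for unsigned multiplication of the count * element_size shape found in allocation code, and a pre-condition check for signed addition, which cannot be done after the fact because signed overflow is undefined. The function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit unsigned addition written the way the standard describes it:
 * compute the exact sum in a wider type, then reduce modulo UINT32_MAX + 1. */
uint32_t add_mod32(uint32_t a, uint32_t b)
{
    uint64_t exact = (uint64_t)a + (uint64_t)b;
    return (uint32_t)(exact % 0x100000000ULL);
}

/* Unsigned addition with wrap detection. The native addition wraps (defined
 * behaviour), and a wrapped sum is always smaller than either operand. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t r = a + b;
    *out = r;
    return r >= a;            /* false: the carry out of bit 31 was lost */
}

/* Unsigned multiplication, the count * element_size shape from allocation
 * code. The check is done before the multiply, so nothing has wrapped yet. */
bool mul_u32_checked(uint32_t count, uint32_t size, uint32_t *out)
{
    if (count != 0 && size > UINT32_MAX / count)
        return false;         /* product would not fit in 32 bits */
    *out = count * size;
    return true;
}

/* Signed addition. "a + b < a" is not usable here: signed overflow is
 * undefined, and an optimising compiler may delete such a check. Test the
 * operands against the limits instead, before the operation. */
bool add_s32_checked(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

int main(void)
{
    uint32_t u = 0;
    int32_t s = 0;
    bool ok;

    printf("0xffffffff + 1 mod 2^32 = 0x%x\n", add_mod32(0xffffffffu, 1));

    ok = add_u32_checked(0xffffffffu, 1, &u);
    printf("add_u32_checked(0xffffffff, 1): ok=%d r=0x%x\n", ok, u);

    ok = mul_u32_checked(0x40000000u, 4, &u);
    printf("mul_u32_checked(0x40000000, 4): ok=%d\n", ok);

    ok = mul_u32_checked(100, 4, &u);
    printf("mul_u32_checked(100, 4): ok=%d r=%u\n", ok, u);

    ok = add_s32_checked(INT32_MAX, 1, &s);
    printf("add_s32_checked(INT32_MAX, 1): ok=%d\n", ok);

    ok = add_s32_checked(INT32_MIN, -1, &s);
    printf("add_s32_checked(INT32_MIN, -1): ok=%d\n", ok);
    return 0;
}
```

The same checks are available as compiler builtins (__builtin_add_overflow and friends in gcc and clang), which are preferable in new code; the hand-written forms above show what those builtins have to get right.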
----[ 2.1 Widthness overflows

So an integer overflow is the result of attempting to store a value in a variable which is too small to hold it. The simplest example of this can be demonstrated by simply assigning the contents of a large variable to a smaller one:

/* ex1.c - loss of precision */

#include <stdio.h>

int main(void){
    int l;
    short s;
    char c;

    l = 0xdeadbeef;
    s = l;
    c = l;

    printf("l = 0x%x (%zu bits)\n", l, sizeof(l) * 8);
    printf("s = 0x%x (%zu bits)\n", s, sizeof(s) * 8);
    printf("c = 0x%x (%zu bits)\n", c, sizeof(c) * 8);

    return 0;
}
/* EOF */

The output of which looks like this:

nova:signed {48} ./ex1
l = 0xdeadbeef (32 bits)
s = 0xffffbeef (16 bits)
c = 0xffffffef (8 bits)

Since each assignment causes the bounds of the values that can be stored in each type to be exceeded, the value is truncated so that it can fit in the variable it is assigned to. Only the low 16 bits (0xbeef) and the low 8 bits (0xef) are stored in s and c. The leading 0xffff and 0xffffff in the output are not part of the stored values: s and c are signed, 0xbeef and 0xef both have their MSB set, and so they are sign-extended to int when passed as arguments to printf().
It is worth mentioning integer promotion and conversion here. When an arithmetic operation involves operands narrower than int (char, short), each operand is first "promoted" to int (or unsigned int), and when operands of different sizes meet, the narrower one is converted to the type of the wider one. The calculation is then performed at that width and, if the result is to be stored in a smaller variable, it is converted back down and truncated to the smaller size again. Assignment to a narrower type is a conversion of the same kind. For example:

    int i;
    short s;

    s = i;

Here the value of i is converted to short in order to be stored in s. For an unsigned target the value is reduced modulo 2^16; for a signed target such as short, C99 leaves the result implementation-defined when the value does not fit, and in practice (gcc, clang) the low 16 bits are kept. Either way, the stored result is truncated if i is greater than the maximum value s can hold.
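An added example (mine, not from the article) showing the two directions of the conversion just described: promotion to int makes 16-bit arithmetic exact, storing the result back into 16 bits reduces it modulo 2^16, and the usual "r < a" wraparound idiom silently stops working when it is evaluated on the promoted operands instead of on the stored result. The function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Narrowing to an unsigned 16-bit type keeps the value modulo 2^16,
 * i.e. only the low 16 bits survive. */
uint16_t narrow_u16(uint32_t v)
{
    uint16_t s = v;                /* 0xdeadbeef -> 0xbeef */
    return s;
}

/* Narrowing to a signed type. C99 leaves the result implementation-defined
 * when the value does not fit; gcc and clang keep the low bits, so 0xbeef
 * is read back as the negative short -0x4111 (-16657). */
int16_t narrow_s16(uint32_t v)
{
    int16_t s = (int16_t)v;
    return s;
}

/* Promotion: both unsigned short operands become int before the addition,
 * so the sum is computed exactly and never wraps at 16 bits. */
int sum_promoted(uint16_t a, uint16_t b)
{
    return a + b;                  /* 0xffff + 1 == 65536 */
}

/* The same sum stored back into 16 bits is reduced modulo 2^16. */
uint16_t sum_stored(uint16_t a, uint16_t b)
{
    uint16_t r = a + b;            /* 65536 -> 0 */
    return r;
}

/* The "r < a" idiom evaluated on the promoted operands: the comparison is
 * done in int, where the sum was exact, so it never reports a wrap even
 * though sum_stored() lost the carry. */
bool wrap_check_in_int(uint16_t a, uint16_t b)
{
    return (a + b) < a;            /* always false for 16-bit operands */
}

/* Correct form: compare the narrowed, stored result with the operand. */
bool wrap_check_stored(uint16_t a, uint16_t b)
{
    uint16_t r = a + b;
    return r < a;
}

int main(void)
{
    printf("narrow_u16(0xdeadbeef) = 0x%x\n", narrow_u16(0xdeadbeefu));
    printf("narrow_s16(0xdeadbeef) = %d, as unsigned int 0x%x\n",
           narrow_s16(0xdeadbeefu), (unsigned)narrow_s16(0xdeadbeefu));
    printf("sum_promoted(0xffff, 1) = %d\n", sum_promoted(0xffff, 1));
    printf("sum_stored(0xffff, 1)   = %u\n", sum_stored(0xffff, 1));
    printf("wrap_check_in_int(0xffff, 1) = %d\n", wrap_check_in_int(0xffff, 1));
    printf("wrap_check_stored(0xffff, 1) = %d\n", wrap_check_stored(0xffff, 1));
    return 0;
}
```

The second printf line reproduces the "0xffffbeef" seen in the ex1 output above: the stored 16-bit value is 0xbeef, and the leading bits come from sign-extending the negative short to a wider type.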
------[ 2.1.1 Exploiting

Integer overflows are not like most common bug classes. They do not allow direct overwriting of memory or direct execution flow control, but are much more subtle. The root of the problem lies in the fact that there is no way for a process to check the result of a computation after it has happened, so there may be a discrepancy between the stored result and the correct result. Because of this, most integer overflows are not actually exploitable. Even so, in certain cases it is possible to force a crucial variable to contain an erroneous value, and this can lead to problems later in the code.

Because of the subtlety of these bugs, there is a huge number of situations in which they can be exploited, so I will not attempt to cover all exploitable conditions. Instead, I will provide examples of some situations which are exploitable, in the hope of inspiring the reader in their own research:

Example 1:
/* width1.c - exploiting a trivial widthness bug */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]){
    unsigned short s;
    int i;
    char buf[80];

    if(argc < 3){
        return -1;
    }

    i = atoi(argv[1]);
    s = i;

    if(s >= 80){            /* [w1] */
        printf("Oh no you don't!\n");
        return -1;
    }

    printf("s = %d\n", s);  /* s <= 79 here, but i itself was never checked */

    memcpy(buf, argv[2], i);
    buf[i] = '\0';
    printf("%s\n", buf);

    return 0;
}
While a construct like this would probably never show up in real life code, it serves well as an example. Take a look at the following inputs:

nova:signed {100} ./width1 5 hello
s = 5
hello
nova:signed {101} ./width1 80 hello
Oh no you don't!
nova:signed {102} ./width1 65536 hello
s = 0
Segmentation fault (core dumped)
The length argument is taken from the command line and held in the integer i. When this value is transferred into the short integer s, it is truncated if the value is too great to fit into s (i.e. if the value is greater than 65535). Because of this, it is possible to bypass the bounds check at [w1] and overflow the buffer: with 65536 the check sees s == 0, but memcpy() copies 65536 bytes into the 80-byte buf (reading well past the end of argv[2] on the way) and buf[i] = '\0' writes one more byte out of bounds. After this, standard stack smashing techniques can be used to exploit the process.
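As an added example (my code, not the article's), the following isolates the bounds check from width1.c into a function beside a corrected version, so the bypass can be reproduced without crashing anything: the vulnerable version returns the length that memcpy() would be called with, which for 65536 + n is the full 32-bit value even though the narrowed copy passed the test. The corrected version validates the length at the width it will be used at and rejects negatives, and a bounded copy routine shows the check done in a single type against both the destination and the source. The function and constant names are my own; the inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* width1.c's check, isolated. The 32-bit length is narrowed to 16 bits
 * before the comparison, but the untruncated value is what memcpy() gets.
 * Returns the length the copy would use, or -1 if the check rejected it. */
long vulnerable_length_check(int i)
{
    unsigned short s = i;          /* i modulo 65536 */
    if (s >= BUF_SIZE)
        return -1;
    return i;                      /* memcpy(buf, src, i) follows */
}

/* Corrected: check the value in its original width and reject negative
 * lengths, which would become huge once converted to size_t. */
long fixed_length_check(int i)
{
    if (i < 0 || i >= BUF_SIZE)
        return -1;
    return i;
}

/* The copy itself, with the length validated in one type (size_t) and
 * bounded by both the destination (room for the terminator) and the source. */
bool copy_bounded(char *dst, size_t dstsize, const char *src, size_t srclen,
                  size_t claimed)
{
    if (claimed >= dstsize || claimed > srclen)
        return false;
    memcpy(dst, src, claimed);
    dst[claimed] = '\0';
    return true;
}

int main(void)
{
    /* Constructed inputs; 65536 mirrors "./width1 65536 hello" above. */
    int lengths[] = { 5, 80, 65536, 65615, 65616, -1 };
    char buf[BUF_SIZE];
    size_t n;

    for (n = 0; n < sizeof lengths / sizeof lengths[0]; n++)
        printf("i=%-6d  vulnerable -> %ld   fixed -> %ld\n", lengths[n],
               vulnerable_length_check(lengths[n]),
               fixed_length_check(lengths[n]));

    printf("copy_bounded(5):     %s\n",
           copy_bounded(buf, sizeof buf, "hello", 5, 5) ? buf : "rejected");
    printf("copy_bounded(65536): %s\n",
           copy_bounded(buf, sizeof buf, "hello", 5, 65536) ? buf : "rejected");
    return 0;
}
```

Note the pair 65615/65616: the first narrows to 79 and is accepted with a 65615-byte copy, the second narrows to 80 and is rejected, so the attacker controls the full 32-bit length simply by choosing which multiple of 65536 to add.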
---