Basic integer overflows
Creation time: 2002-12-31
Article properties: reprint
Article submission:
Xundi (xundi_at_xfocus.org)
Volume 0x0b, Issue 0x3c, Phile # 0x0a of 0x10
| = -------------------- = [Basic Integer Overflows] = --------------------- - = |
| = ------------------------------------------------ ----------------------- = |
| = ------------------- = [by blexim
Chinese translation: SAM @ sst
AirSupply @ sst
1: Directory
1.1 What is an integer?
1.2 What is an integer overflow?
1.3 Why is it dangerous?
2: Integer overflow
2.1 Widthness overflow
2.1.1 Exploiting
2.2 Arithmetic (AritHmetic) overflow
2.2.1 Exploiting
3: Question of symbol type
3.1 What do they look like?
3.1.1 Exploiting
3.2 Symbol type Problems resulting in integer overflow
4: Real example
4.1 integer overflow class
4.2 Symbol problem class
Translator language:
Preface:
Some safety issues in recent emerged are about integer overflow issues, such as SSH CRC32 remote overflow vulnerabilities in the previous time.
Apache chunked vulnerability, OpenSSH Challenge-Response mechanism remote overflow vulnerability, all overflows from integer
The buffer overflow problem, although the integer overflow is indirectly caused some buffer overflow problems, but is also a newer technology.
And in the next few years, there will be more and more problems in this class. The latest phrack60 is just talking about the integer overflow.
Some techniques, the blood of the card has been translated this article.
Since the author's English is very bad, the article may translate it is not very in place. I hope that you will help the ax.
thank:
Thanks to my girlfriend to help me translate this article. All members of SST.:>
About SST:
A group of people who are very hot are coming together because I worship Black Hat.
SAM @ SST
- [1.0 directory
In this article, I will tell two kinds of problems caused by unsafe programming, resulting in some malicious users to modify the affected process.
Change the program execution process. These two types of problems are because a program variable contains an unpredictable value, so this type
The problem is different from those of those program memory being rewritten, such as buffer overflow, formatted overflow. Samples given in all articles
The children are written in C language, so they need readers to be familiar with C language. Some integers are also helpful in memory methods.
, But not all.
---- [1.1 What is an integer?
An integer, within the calculation range, it is a variable might be a real number without a fraction. After the system is compiled, it is compiled.
The size of the integer and pointers is generally the same (for example: in a 32-bit system, such as i386, one integer is 32-byte length, at 64-bit
In the system, such as SPARC, an integer is 64-byte length). However, some compilers do not make the integer and pointers as the same size, so
It is easy to understand, all of which talk here is the 32-bit system environment and 32-bit integers, lengths, and pointers.
Integer, like all variables are just a region of memory, when we talk about integers, we usually use 10 credits to represent them.
In other words, it is a coding method that people often use. The computer is based on the number, cannot directly handle the 10 credits, so
The integer in the computer is stored in a 2-way manner. 2 is another coding method, and they only have 2 numbers, 1 and 0, and different
10 feed is expressed in 10 numbers. 2 binding and 10 benefits, 16-based is a widely used conversion 2 binding and 16 credits that can be used in the computer.
Because the storage negative number is usually necessary, this requires a mechanism only to represent a negative number, which has been completed, passed
The highest for a variable determines the positive and negative. If the highest position 1, this variable is explained as a negative number; if 0, this variable explains
For integers. This will cause some confusion, which can explain some concepts of some symbol type, because not all variables are symbol
The point of interest is that not all types need to use MSB to distinguish between positive and negative. These variables are defined as unsigned, it can only
It is given a positive value. If the variable can be negative, it can be said to be correct.
---- [1.2 What is an integer overflow?
Since an integer is a fixed length (using 32 digits in this article), it can store the maximum value is fixed.
Try to store a maximum greater than this fixed maximum, will cause an integer overflow. In the standard of ISO C99
To integer overflow will lead to "unspeakable behavior", that is, the compiler complies with this rule, that is, completely ignored
Overflow and exited this program. Many compilers seem to ignore this overflow, the result is an unexpected error value being stored.
---- [1.3 Why is it dangerous?
Integer overflows cannot be immediately perceived, so there is no way to use an application to determine whether the result of the previous calculation is
It is also true. If it is used to calculate the size of the buffer or calculate the distance of the array index arrangement, this will change.
Of course, many integer overflows are not available because they have not directly rewritten memory, but sometimes they can lead to others.
Type BUGS, buffer overflow, etc. Moreover, integer overflow is difficult to discover, so even if the audited code will result in accidents.
- [2.0 integer overflow
So what happens when an integer overflow has happened? ISO C99 is said:
"A Computation Involving unsigned Operands Can Never overflow,
Because a result That Cannot Be Reresented by the resulting unsigned
Integer Type Is Reduced Modulo The Number That Is One Greater Than
The Largest Value That Can Be REPRESENTED by The Resulting Type. "
Translator Note:
The rough meaning is:
Never overflow when the unsigned operand is calculated, because the result cannot be represented by unsigned types,
It is compared to the maximum number of largest values that can be expressed. This will use this result to represent this type.
Nb: The mode of operation is 2 numbers to remove the value of the balance.
example:
10 MODULO 5 = 0
11 MODULO 5 = 1
So in reducing the weight method, a large number is molded (maximum int value 1), in the C language, the symbol of the mold operation is%.
There is a byte here, which may be a good symbolic example to prove what we say "leads to uncertain behavior."
We have 2 unsigned integers, A and B, 2 numbers of 32-bit word, we assign a maximum of 32 for integers,
B is assigned 1. Then we add A and B to then store the result to the third unsigned 32-bit integer R:
A = 0xfffffffffff
B = 0x1
R = a b
Now, when the result added, the value cannot be represented by a value of 32-bit, as a result, in order to be consistent with ISO standard, and 0x100000000
Take the mold.
R = (0xfffffffff 0x1)% 0x100000000
R = (0x100000000)% 0x100000000 = 0
The molding algorithm to reduce the weight method can only calculate the calculation result of less than 32 bits, so the integer overflow causes the results to be truncated into a range.
This result is usually stored in a variable. This is often referred to as a "surround" (translator Note: "Note in similar idioms"
It means that in this article, we understand that a positive number is high, it will become a negative number, and the negative number is small to become a positive number).
As the result of this, there is a surrounding to 0.
---- [2.1 widthness overflow
Therefore, integer overflow is to try to store a large number into a variable, because this variable is too small enough to store the neum that is caused by the large number.
Fruit. Use the simplest example to explain this problem, store a large variable to a small variable:
/ * EX1.C - Loss of Precision * /
#include
INT main (void) {
Int L;
Short S;
Char C;
L = 0xdeAdbeef;
s = L;
C = L;
Printf ("L = 0x% x (% D Bits) / N", L, SIZEOF (L) * 8);
Printf ("S = 0x% x (% D BITS) / N", S, SIZEOF (S) * 8);
Printf ("C = 0x% x (% D BITS) / N", C, SIZEOF (C) * 8);
Return 0;
} / * EOF * /
Let us see the execution result
Nova: Signed {48} ./ex1
L = 0xdeadbeef (32 bits)
s = 0xffffbeef (16 bits)
C = 0xffffffef (8 bits)
When we put a large variable into a small variable storage area, the result is that only a small variable can store, while other bits
They are tried.
It is necessary to mention the integer carry here. When a calculation contains different operands, the smaller operand will be carried out to
Larger operand. If the result will be stored in a smaller variable, this result will be reissued until a smaller operand
Can accommodate.
This example:
INT I;
Short S;
s = i;
The calculation results here will be assigned to a different size operand, and the variable S is increased to a integer (32 bits), then integer i
The content is copied to the new increase S, then the increase in variable content is reduced to 16 bits in order to exist S. If S can exceed S
The maximum decrease in storage will result in a result.
------ [2.1.1 Exploiting
Integer overflow is not like a normal vulnerability type, which does not allow direct rewrite memory or directly changing the program's control flow. But more delicate.
The fact that the owner of the program is that there is no way to check the results after the process, so it is possible to calculate the results and correct
There is a certain deviation between the results. Because of this, most integer overflows cannot be utilized, even if so, in some cases, we are still possible
Forcing a variable contains the wrong value to appear in the following code.
Since these vulnerabilities are ingenious, there are a lot of place to be utilized, so I don't try to cover all the environments that can be utilized. On the contrary
I will provide some situations that can be used, I hope readers can explore themselves. I will provide some examples of situations that can be utilized.
EXAMPLE 1:
/ * Width1.c - Exploiting a trivial widthnes bug * /
#include
#include
INT Main (int Argc, char * argv []) {
UNSIGNED SHORT S;
INT I;
Char buf [80];
IF (argc <3) {
Return -1;
}
I = ATOI (Argv [1]);
s = i;
IF (s> = 80) {/ * [w1] * /
Printf ("OH no you don't! / n");
Return -1;
}
Printf ("s =% d / n", s);
Memcpy (buf, Argv [2], i);
BUF [I] = '/ 0';
Printf ("% S / N", BUF);
Return 0;
}
However, like this structure may never appear in real code. Here is just a simple example, let us see the execution output:
Nova: Signed {100} ./width1 5 Hello
S = 5
Hello
Nova: Signed {101} ./width1 80 Hello
Oh no you don't!
Nova: Signed {102} ./width1 65536 Hello
s = 0
Segmentation Fault (Core Dumped)
The program is obtained from the command line parameter to store the shaped variable I, and when this value is given the unsigned shert type
Integer S, if this value is greater than the Unsigned Short type can be stored, (for example, this value is greater than 65535,
The range of unsigned short storage is 0 - 65535), due to the secondary detection of the [W1] part of the code, resulting in buffering
The district overflows. As long as the general stack overflow technology can overflow the use of this program.
---- [2.2 Arithmetic "overflow
In the 2.0 section, this value will be truncated if an integer to integer variables larger than the maximum value of the integer variable is. Such as
The save value is an operational operation, and any part of the program that is later using this result will run the wrong run because this calculation
The fruit is incorrect. This explanation of "surround" explanation:
/ * EX2.C - an integer overflow * /
#include
INT main (void) {
Unsigned int num = 0xffffffffffffff;
Printf ("NUM IS% D BITS Long / N", SIZEOF (NUM) * 8);
Printf ("NUM = 0x% x / n", NUM);
Printf ("NUM 1 = 0x% x / n", NUM 1);
Return 0;
}
/ * EOF * /
The result of the program execution:
Nova: signed {4} ./ex2
Num IS 32 BITS Long
Num = 0xfffffffff
NUM 1 = 0x0
Note:
Smart readers may notice that 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff is.
At the same time, this is a way to see what it is doing, may cause some confusion, because this variable is unsigned here,
So all its calculations are unsigned. When it happens, many integer overflows are dependent on the symbol operation, just below this
Example (2 operands are 32-bit variables):
-700 800 = 100
0xffffd44 0x320 = 0x100000064
Since the result of the added results exceeds the range of integer variables, the smallest 32 bits will be used as a result. These minimal
The 32-bit is 0x64, which is equivalent to a decimal 100.
If an integer default is a symbol, an integer overflow can cause this symbol change, which will have a subsequent code.
Fun effect. As this example below:
/ * EX3.C - Change of Signedness * /
#include
INT main (void) {
Int L;
L = 0x7fffffff;
Printf ("L =% D (0x% x) / N", L, L);
Printf ("L 1 =% D (0x% x) / N", L 1, L 1);
Return 0;
}
/ * EOF * /
Program execution results:
Nova: Signed {38} ./ex3
L = 2147483647 (0x7fffffff)
L 1 = -2147483648 (0x80000000) Here the integer is initialized to the highest-to-highest symbolic long shape, when it is 1, it is important one byte
(Sign Sign Bit) is reset, this integer will be interpreted as a negative number. The addition is not just an operation method, it can guide
To an integer overflow, almost any of the values of the value of the variable will trigger an integer overflow, just as follows:
/ * EX4.C - VARIOUS ARITHMETIC overflows * /
#include
INT main (void) {
INT L, X;
l = 0x40000000;
Printf ("L =% D (0x% x) / N", L, L);
X = L 0xC0000000;
Printf ("L 0xC0000000 =% D (0x% x) / n", x, x);
X = l * 0x4;
Printf ("L * 0x4 =% D (0x% x) / n", x, x);
X = L - 0xfffffffff;
printf ( "l - 0xffffffff =% d (0x% x) / n", x, x);
Return 0;
}
/ * EOF * /
Output:
Nova: signed {55} ./ex4
L = 1073741824 (0x40000000)
L 0xC0000000 = 0 (0x0)
l * 0x4 = 0 (0x0)
L - 0xfffffffff = 1073741825 (0x40000001)
The addition causes an integer overflow, which is just the same as the first example. Next is a multiplication operation, although it seems different.
In these 2 examples, the calculation results are too large to be saved into an integer, so it is shortened, just as the above, the subtraction is slightly
Some differences, because it causes it to overflow, not overflow. If you try to store a smaller value smaller than the minimum of the integer, it will
It causes a "surround". In this way, we can force to change a addition to subtraction, a multiplication becomes division, or a subtraction becomes an addition.
------ [2.2.1 Exploiting
The most common method that the numerical overflow can be utilized is when the calculation result is used to assign how much buffer. Usually one program must allocate space
Give an array object, so keep the space with Malloc (3) or Calloc (3) function and multiply the size of the object with an element.
Calculate how much space is needed. As mentioned earlier, if we control one of these operands (the number of elements or the size of the object),
We may be able to cause the wrong distribution buffer, the next code snippet reflects this:
INT MyFunction (int * array, int LEN) {
INT * myarray, i;
MyArray = malloc (len * sizeof (int)); / * [1] * /
IF (MyArray == Null) {
Return -1;
}
For (i = 0; i MyArray [i] = array [i]; } Return myarray; } This seems that the harmless function can bring the crash of the system because there is no check of the LEN parameters. By providing a sufficient value by providing a large value at (1) Give the LEN, the multiplication operation can be overflow so we will control the size of the buffer. By selecting a suitable value to Len, we Behind the loop write buffer at (2), which results in a HEAP overflow. The control structure of Malloc can be in positive Often inserting an executable code inside, but this is beyond the scope of this article. another example: Int catvars (char * buf1, char * buf2, unsigned int LEN1, Unsigned int LEN2) { CHAR MYBUF [256]; IF ((len1 len2)> 256) {/ * [3] * / return -1; } Memcpy (MyBuf, BUF1, LEN1); / * [4] * / Memcpy (MyBuf LEN1, BUF2, LEN2); Do_some_stuff (mybuf); Return 0; } In this example, the inspection at Len1 and Len2 can be deceived by giving the appropriate value, which will cause the addition to overflow and A low value. For an example, look at the following value: Len1 = 0x104 Len2 = 0xffffffc When adding together, a result containing 0x100 (integer 256), which can pass (3) inspection, then at (4) Memcpy (3) will copy data to the back of the buffer. - [3 symbol problem When an unsigned variable is seen as a symbol, or when a symbolic variable is seen as an unsigned symbol, the symbol is asked. The problematic vulnerability occurs. This type of reaction occurs because there is a symbolic variable and unsigned variable storage inside the computer. There is no difference. Recently, some symbolic vulnerabilities occur in the kernel of FreeBSD and OpenBSD, so we can Easy to exemplify many examples. ---- [3.1 What do they look like? Symbol issues can be varied, but should pay attention to the following: Out for area: Comparison of symbol integers Operation operation with symbol integers No symbol integer and comparison with symbol integers. Here is a typical example of the vulnerability of symbols: INT COPY_SMETHING (Char * BUF, INT LEN) { Char kbuf [800]; IF (Len> Sizeof (KBUF)) {/ * [1] * / Return -1; } Return Memcpy (KBUF, BUF, LEN); / * [2] * / } The problem here is that Memcpy uses unsigned integers as the LEN parameter, but the previous data ground detection is used. Integer, we can provide a negative LEN, which can bypass [1], but this value is also used in [2] Memcpy letter Inside the number of parameters, LEN may be converted into a very large positive integer, causing data behind the KBUF buffer being rewritten. When calculating operation, there is a symbol and unsigned confusion that may generate another problem, refer to this example below: Int Table [800]; INT INSERT_IN_TABLE (Int Val, INT POS) { IF (POS> SIZEOF (Table) / sizeof (int)) { Return -1; } Table [POS] = VAL; Return 0; } Because of this line Table [POS] = VAL; equal * (Table (POS * SIZEOF (int))) = VAL; We can see that the problem here is that the code is not expected to have a negative operand in the addition, it is expected (Table POS) is bigger than Table, so providing a negative POS value will cause the program's health to do, so it is not possible Standard running. ------ [3.1.1 Exploiting This type of vulnerability wants to be used or problematic, because when the symbolic integer is converted into an unsigned integer, this The value will change very much, such as: -1 is expressed as 0xfffffffff with 16-based binding. When it is converted into a symbol, its value Use integers to represent (4, 294, 967, 295), if this value is passed to a function similar to Memcpy (Memcpy (char * DEST, CHAR * SRC, INT LEN, MEMCPY This type of function will only be single execute data from the LEN size from the SRC. In Dest, don't consider whether DEST can accommodate, or if the SRC can take so much data). MEMCPY function will try Copying nearly 4GB of data to the purpose buffer. It is obvious that this will lead to the paragraph error, even if it will not, it will only make the stack full of garments. Popular data. Sometimes, by passing a small value to the source address, this is not always possible. ---- [3.2 Symbol Problem The buffer overflow may sometimes overflow an integer and cause a negative number. Since the application is not expected to get such a value, then It may trigger a symbol vulnerability as described above. An example of such a type of vulnerability: INT GET_TWO_VARS (int suck, char * out, int LEN) { Char BUF1 [512], BUF2 [512]; Unsigned int size1, size2; Int size; IF (RECV (Sock, BUF1, SIZEOF (BUF1), 0) <0) { Return -1; } IF (RECV (SOCK, BUF2, SIZEOF (BUF2), 0) <0) { Return -1; } / * packet begins with longeth information * / Memcpy (& Size1, BUF1, SIZEOF (INT); Memcpy (& size2, buf2, sizeof (int)); SIZE = Size1 Size2; / * [1] * / IF (size> len) {/ * [2] * / Return -1; } Memcpy (OUT, BUF1, SIZE1); Memcpy (Out Size1, BUF2, SIZE2); Return size; } This example shows us sometimes happening in the network background program, especially when Length information is passed from part of the network packet. (In other words: may be a data submitted by an unknown user), the addition of [1], used to check the data does not exceed the range of the OUT buffer, set SIZE1 Plus the SIZE2 plus a large value, this value can cause the size variable to surround a negative number. Extrustory value may be: Size1 = 0x7fffffff Size2 = 0x7fffffff (0x7FFFFFF 0x7FFFFFFF = 0xffffffe (-2)). When the above operation is performed, the off -ral detection of [2] is bypassed, and the data that causes many OUT buffers is intentionally rewritten (in fact: is any memory being rewritten, In the target parameters of (OUT SIZE1), we can control, allow us to point to any memory area). This vulnerability is as long as the accurate construction data is the useful, and the vulnerability of the symbol type problem is also a problem - such as the resulting negative value. Explain into a very large positive integer, it will easily lead to paragraph errors when executing Memcpy, but this type of problem can use BSD Memcpy to copy Principle is used. - [4 real example There are many real-world applications that include integer overflow and symbolic issues, including network background programs, operating system kernels. example of. ---- [4.1 integer overflow Here is an example in security modules from Linux kernel (not available), this code is running in the kernel: INT RSBAC_ACL_SYS_GROUP (Enum RSBAC_ACL_GROUP_SYSCALL_TYPE_T CALL, Union RSBAC_AONL_GROUP_SYSCALL_ARG_T ARG) { ... Switch (Call) { CASE ACLGS_GET_GROUP_MEMBERS: IF ((arg.get_group_members.maxnum <= 0) / * [A] * / ||! arg.get_group_members.group ) { ... RSBAC_UID_T * User_Array; RSBAC_TIME_T * TTL_ARRAY; User_Array = Vmalloc (SIZEOF (* User_Array) * arg.get_group_members.maxnum); / * [b] * / IF (! User_Array) Return -rsbac_enomem; TTL_ARRAY = Vmalloc (SIZEOF (* TTL_Array) * arg.get_group_members.maxnum); / * [c] * / IF (! TTL_Array) { VFree (user_array); Return -rsbac_enomem; } Err = RSBAC_ACL_GET_GROUP_MEMBERS (arg.get_group_members.group, User_Array, TTL_Array, arg.get_group_members.max Num); ... } In this example, [a] data-proof check section cannot be sufficient to prevent [b] [c] can cause an integer overflow to be overflow, bypass this check. Provides a value sufficiently high (such as: above 0xfffffffff / 4) to arg.get_group_members.maxnum, we can The [B] and [C] and the integer overflow multiplied by this value, and the buffer allocated by TTL_Array and User_Array is less than the program The expected size. Therefore, the RSBAC_ACL_GET_GROUP_MEMBERS function copies the data we can control to this buffer, possibly Change some of the data behind the buffer pointing to TTY_ARRAY and USER_ARRAY. Here, Vmalloc allocation buffer is used in the program. The area, so some data behind the buffer pointing to rewrite TTY_ARRAY and USER_ARRAY is only caused by an error, so It can't be used, despite this, it provides an example to remind us to write code in real life to pay attention to these issues. Another example is a problem with an integer overflow vulnerability in the XDR_Array () function belled in the Sun RPC XDR library (see i SS X-FORCE security announcement). In this example, the data submitted by the user is used to calculate the size of the dynamically assigned buffer, the buffer Used to store data submitted by the user, see the following code: BOOL_T XDR_Array (XDRS, ADDRP, SIZEP, MAXSIZE, ELSIZE, ELPROC) XDR * XDRS; CADDR_T * Addrp; / * array pointer * / U_INT * SIZEP; / * NUMBER OF Elements * / U_INT MAXSIZE; / * MAX NUMBEROF Elements * / U_INT ELSIZE; / * SIZE IN BYTES OF Each ELEMENT * / XDrProc_t elproc; / * xdr routine to Handle Each ELEMENT * / { U_INT I; CADDR_T TARGET = * Addrp; U_INT C; / * THE ACTUAL ELEMENT COUNT * / BOOL_T Stat = true; U_INT NODESIZE; ... C = * sizep; IF ((c> maxsize) && (xdrs-> x_op! = xdr_free)) { Return False; } Nodesize = c * elsize; / * [1] * / ... * addrp = target = MEM_ALLOC (NODESIZE); / * [2] * / ... For (i = 0; (i { Stat = (* elProc) (xDRS, Target, Lastunsigned); / * [3] * / Target = Elsize; } As you can see, when a large value is provided to elsize and c (sizep), it may cause [1] multiplication operation to cause an integer overflow, and Making the value of the NodeSize is smaller than the value expected in the application, since NodeSize is used for buffer allocation operations of [2], the buffer will be misfilted by the error, resulting in the overflow of [3]. More about this Information about the vulnerability, see the reference information in the CERT security consultation announcement. --- Add by Sam @ SST There is also a typical example of integer overflow results in a typical example of the incaps, OpenSSH Challenge-Response SKEY / BSD_AUTH Remote Buffer overflow vulnerability. The following this section has a problem code from the input_userauth_info_response () function in auth2-chall.c in OpenSSH: Unsigned int Nresp, nresp = packet_get_int (); IF (nresp> 0) { Response = xmalloc (nresp * sizeof (char *)); [1] For (i = 0; i Response [i] = packet_get_string (null); } Packet_get_int is a int value from the data submitted from the user, saving in the integer variable NRESP, because the multiplier in [1] will lead to exceptions in the program (In a 32-bit system environment, the maximum value of UnsiGend Int is 0xfffffffff, and we only provide value of 0xFffffff / 4, such as 0x40000000). The program executes Operation. For example: 0x40000000 1 (value of NRESP) = 0x40000001 (Meet Nresp> 0 requirements) 0x40000001 * 4 (Buffer space assigned nresp * 4) = 0x100000004 (The calculation result has exceeded 32-bit values) Since the above value has exceeded 32-bit values, it will be truncated to be 0x00000004. That is to say, in fact, Xmalloc only assigns four bytes of buffer space on the heap. Next FOR cycle operation: For (i = 0; i <0x40000001; i ) Response [i] = packet_get_string (null); The packet_get_string function reads the address of the 4 bytes from the user data. The address of the RESPONSE i is written. After the 0x400000000 loop, the user's data has already been overwritten. The 4-byte space of Xmalloc is originally assigned and the following data (such as the function pointer allocated in the HEAP zone). ---- [4.2 Vulnerabilities " Recently, the vulnerability of several FreeBSD kernel symbols has brought us a light. These vulnerabilities exist in many system calls, When a negative length parameter is provided to these system, you can bypass the restriction of reading large block kernel memory. GetPeerName (2) The function has this problem, as follows: Static int GetPeername1 (p, uap, compat) Struct Proc * P; Register struct getpeername_args / * { Int fdes; CADDR_T ASA; Int * alen; } * / * UAP; int COMPAT; { Struct file * fp; Register struct socket * so; Struct sockaddr * sa; INT LEN, Error; ... Error = Copyin ((CADDR_T) UAP-> Alen, (CADDR_T) & Len, Sizeof (LEN)); IF (error) { FDROP (fp, p); Return (Error); } ... Len = min (LEN, SA-> SA_LEN); / * [1] * / Error = COPYOUT (SA, (CADDR_T) UAP-> ASA, (U_INT) LEN); if (error) Goto Bad; Gotnothing: Error = COPYOUT ((Caddr_t) & len, (CADDR_T) UAP-> alen, sizeof (len)); Bad: IF (SA) Free (sa, m_soname); FDROP (fp, p); Return (Error); } This is a famous example for symbolic vulnerabilities - the test of (1) does not take the Len may be a negative fact, in this example, The MIN macro will return to LEN. When this negative parameter passes it to the Copyout function, it will be explained as a huge priority causes Copyout The function is copied nearly 4GB of kernel memory to user space. --[ in conclusion Integer overflow is very dangerous, partly because it is impossible to discover after the occurrence. If an integer overflows, the application doesn't know its The calculation is wrong. Therefore, the application will continue to run in the case of assume that it is correct. Even so, the integer overflow is still difficult to use. It is often almost impossible. They can cause unexpected results, in a safe system, this result is definitely not a good thing. - [Reference material CERT Advisory on the xdr bug: Http://www.cert.org/advisories/ca-2002-25.html FreeBSD Advisory: http://online.securityfocus.com/advisories/4407 Phrack60 is another article on integer overflow: http://www.phrack.org/phrack/60/p60-0x09.txt SSHUTUP-theo.tar.gz http://online.securityfocus.com/data/vulnerabilities/exploits/sshutup-theo.tar.gz | = [EOF] = ------------------------------------------------------------------------------------------------------------------------ ------------------- = |
