Computer Security

CS 426
Lecture 14

Software Vulnerabilities: Format String and Integer Overflow Vulnerabilities

CS426 Fall 2010/Lecture 14 1


Format string problem

    #include <stdio.h>

    int func(char *user) {
        fprintf(stdout, user);   /* user-controlled format string: vulnerable */
        return 0;
    }

Problem: what if user = "%s%s%s%s%s%s%s" ??

– Most likely the program will crash: DoS.
– If not, the program will print memory contents. Privacy?
– Full exploit using user = "%n"

Correct form:

    int func(char *user) {
        fprintf(stdout, "%s", user);   /* fixed format string; user is data only */
        return 0;
    }

Format string attacks ("%n")

• printf("%n", &x) will change the value of the variable x
– in other words, the parameter value on the stack is interpreted as a pointer to an integer value, and the place pointed to by the pointer is overwritten



History

• Danger discovered in June 2000.
• Examples:
– wu-ftpd 2.*: remote root.
– Linux rpc.statd: remote root
– IRIX telnetd: remote root
– BSD chpass: local root



Vulnerable functions

Any function using a format string.

Printing:
printf, fprintf, sprintf, …
vprintf, vfprintf, vsprintf, …

Logging:
syslog, err, warn



Integer Overflow

• Integer overflow: an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space.
• Example:

    Test 1:
    short x = 30000;
    short y = 30000;
    printf("%d\n", x + y);

    Test 2:
    short x = 30000;
    short y = 30000;
    short z = x + y;
    printf("%d\n", z);

Will the two programs output the same? What will they output?

C Data Types

• short int           16 bits   [-32,768; 32,767]
• unsigned short int  16 bits   [0; 65,535]
• unsigned int        32 bits   [0; 4,294,967,295]
• int                 32 bits   [-2,147,483,648; 2,147,483,647]
• long int            32 bits   [-2,147,483,648; 2,147,483,647]
• signed char         8 bits    [-128; 127]
• unsigned char       8 bits    [0; 255]



When does casting occur in C?

• When assigning to a different data type
• For binary operators +, -, *, /, %, &, |, ^,
– if either operand is an unsigned long, both are cast to an unsigned long
– in all other cases where both operands are 32 bits or less, the arguments are both upcast to int, and the result is an int
• For unary operators
– ~ changes type, e.g., ~((unsigned short)0) is int
– ++ and -- do not change type



Where Does Integer Overflow Matter?

• Allocating space using a calculation.
• Calculating indexes into arrays
• Checking whether an overflow could occur

• Direct causes:
– Truncation; integer casting



Integer Overflow Vulnerabilities

Example (from Phrack)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        unsigned short s;
        int i;
        char buf[80];
        if (argc < 3) { return -1; }
        i = atoi(argv[1]);
        s = i;                       /* int narrowed to unsigned short */
        if (s >= 80) { printf("No you don't!\n"); return -1; }
        printf("s = %d\n", s);
        memcpy(buf, argv[2], i);     /* copies i bytes, not s bytes */
        buf[i] = '\0';
        printf("%s\n", buf);
        return 0;
    }



Integer Overflow Vulnerabilities

Example

• Example:

    const long MAX_LEN = 20 * 1024;   /* "20K" on the original slide */
    char buf[MAX_LEN];
    short len = strlen(input);        /* size_t narrowed to short */
    if (len < MAX_LEN) strcpy(buf, input);

Can a buffer overflow attack occur?

If so, how long does the input need to be?



Another Example

    #include <string.h>

    int ConcatBuffers(char *buf1, char *buf2, size_t len1, size_t len2)
    {
        char buf[0xFF];
        if ((len1 + len2) > 0xFF) return -1;   /* the sum itself can wrap */
        memcpy(buf, buf1, len1);
        memcpy(buf + len1, buf2, len2);
        return 0;
    }

Yet Another Example

    #include <stdbool.h>

    // The function is supposed to return false when
    // x+y overflows unsigned short.
    // Does the function do it correctly?
    bool IsValidAddition(unsigned short x, unsigned short y) {
        if ((x + y) < x)
            return false;
        return true;
    }

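An added example (not from the lecture) that puts the three checks above next to corrected versions: the Phrack length check that narrows to unsigned short before testing, the ConcatBuffers length sum that can wrap, and IsValidAddition, whose operands are promoted to int before the comparison. The function names and the values in the comments are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Phrack example as written: the length is narrowed to unsigned short
 * before it is tested, so the 16-bit s can satisfy "s < 80" while the full
 * int i is what memcpy later uses.  Returns true when the check lets i
 * through. */
bool LengthCheckAsWritten(int i) {
    unsigned short s = (unsigned short)i;   /* truncation happens here */
    return s < 80;
}

/* Fixed: test the value in the type the copy actually uses, and reject
 * negatives, which would otherwise become huge size_t values. */
bool LengthCheckFixed(int i) {
    return i >= 0 && i < 80;
}

/* ConcatBuffers check as written: len1 + len2 can wrap past SIZE_MAX, so
 * a huge len2 makes the sum small and the check lets it through. */
bool ConcatCheckAsWritten(size_t len1, size_t len2) {
    return (len1 + len2) <= 0xFF;
}

/* Fixed: rearranged so that no addition can wrap. */
bool ConcatCheckFixed(size_t len1, size_t len2) {
    return len1 <= 0xFF && len2 <= 0xFF - len1;
}

/* IsValidAddition as written: both operands are promoted to int, so x + y
 * is computed in 32 bits and is never less than x; an overflow of
 * unsigned short is never reported. */
bool IsValidAdditionAsWritten(unsigned short x, unsigned short y) {
    return !((x + y) < x);
}

/* Fixed: compare the promoted sum against the narrow type's maximum. */
bool IsValidAdditionFixed(unsigned short x, unsigned short y) {
    return (unsigned int)x + (unsigned int)y <= USHRT_MAX;
}
```
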
Readings for This Lecture

• Wikipedia
• Format string attack
• Integer overflow



Coming Attractions …

• Malware

