Sunday, January 28, 2024

C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?


If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:



No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:


I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.



So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]



In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.



Note that gdb displays by default with at&t asm format wich the operands are in oposite order:


And having a string that is in the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


 See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()










Related posts
  1. Pentest Tools Linux
  2. Pentest Tools For Ubuntu
  3. Hacker Techniques Tools And Incident Handling
  4. Tools Used For Hacking
  5. Hacks And Tools
  6. Hack Tools Github
  7. Hack Tool Apk No Root
  8. Hack Tools
  9. Hacker Search Tools
  10. Hacking Tools Github
  11. Best Pentesting Tools 2018
  12. Pentest Tools Find Subdomains
  13. Hacker Tools Software
  14. Hacks And Tools
  15. Hack Tools Github
  16. Easy Hack Tools
  17. Hack Tools
  18. How To Hack
  19. Hacker Tools Mac
  20. Pentest Reporting Tools
  21. Hack Tools 2019
  22. Pentest Tools Find Subdomains
  23. Physical Pentest Tools
  24. Pentest Tools Website
  25. Pentest Tools Kali Linux
  26. Hacker Tools Windows
  27. Pentest Tools Review
  28. Pentest Tools Alternative
  29. Hacker Search Tools
  30. Android Hack Tools Github
  31. Hacks And Tools
  32. Hack Tool Apk
  33. Hack Website Online Tool
  34. Free Pentest Tools For Windows
  35. Hak5 Tools
  36. Hacking Tools Hardware
  37. Hacker Tools Apk
  38. Pentest Tools Subdomain
  39. Beginner Hacker Tools
  40. Hack Tools Mac
  41. Hacker Tools Mac
  42. Tools 4 Hack
  43. Hacking Tools Online
  44. Hack Website Online Tool
  45. Hacking Apps
  46. Hacker Tools Linux
  47. Hack Tools
  48. Hacking Tools For Windows 7
  49. Hackers Toolbox
  50. What Are Hacking Tools
  51. Hacking Tools Mac
  52. Hacking Tools Github
  53. Pentest Tools Github
  54. Hacker Tool Kit
  55. Hack Rom Tools
  56. Game Hacking
  57. Hacker Tools List
  58. Hacks And Tools
  59. Beginner Hacker Tools
  60. Hak5 Tools
  61. Termux Hacking Tools 2019
  62. Pentest Tools For Ubuntu
  63. Hacker Tools For Windows
  64. Hacker Tools For Windows
  65. Hacker Tools Mac
  66. Hack Apps
  67. Hack Rom Tools
  68. Pentest Tools Port Scanner
  69. Hacker Tools Linux
  70. Hack Tools For Ubuntu
  71. Wifi Hacker Tools For Windows
  72. Hacker Tools Apk Download
  73. Pentest Automation Tools
  74. Hack Tools
  75. Hacker Tools 2019
  76. Hack Tools Mac
  77. New Hacker Tools
  78. Hacking Tools Name
  79. Hacker Tools Software
  80. Hack Tools Download
  81. Pentest Tools Find Subdomains
  82. Pentest Tools Subdomain
  83. Hacks And Tools
  84. Pentest Tools For Android
  85. Pentest Tools Subdomain
  86. Nsa Hack Tools Download
  87. Pentest Reporting Tools
  88. Best Hacking Tools 2019
  89. Hacking Tools Free Download
  90. Hack Website Online Tool
  91. New Hack Tools

No comments:

Post a Comment