Tuesday, May 30, 2023

C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?


If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:



No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:


I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.



So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]



In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.



Note that gdb displays by default with at&t asm format wich the operands are in oposite order:


And having a string that is in the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


 See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()










Continue reading


  1. Hacker Techniques Tools And Incident Handling
  2. Hacking Tools 2019
  3. Hacking Tools Online
  4. Pentest Tools List
  5. Pentest Tools Framework
  6. Hacker Tools 2019
  7. Nsa Hacker Tools
  8. Hacking Tools Windows
  9. Hacking Tools For Windows 7
  10. Hacking Tools Online
  11. Nsa Hack Tools
  12. Pentest Tools Url Fuzzer
  13. Hacking Tools Windows
  14. Hack And Tools
  15. Pentest Tools Website
  16. Hacking Tools Mac
  17. Tools For Hacker
  18. Hacker Tools
  19. Hacker Tools Online
  20. Hacking App
  21. Pentest Tools Kali Linux
  22. Hacking Tools For Kali Linux
  23. What Are Hacking Tools
  24. Hacker Tools Linux
  25. Hack Tools For Windows
  26. Pentest Tools For Ubuntu
  27. Pentest Tools Open Source
  28. Hacking Tools And Software
  29. Pentest Automation Tools
  30. Pentest Tools Subdomain
  31. Usb Pentest Tools
  32. Nsa Hacker Tools
  33. Hacking Tools Software
  34. Hacker Tools Apk Download
  35. Hacker Tools Free Download
  36. Pentest Tools Github
  37. Black Hat Hacker Tools
  38. Hacker Security Tools
  39. Hacking Tools Download
  40. Tools Used For Hacking
  41. Nsa Hacker Tools
  42. Hack Tools 2019
  43. Hacking Tools Download
  44. Hack Tools Pc
  45. Hacking Tools For Kali Linux
  46. Hacker Tool Kit
  47. Hack Tools Github
  48. Hacker Security Tools
  49. What Are Hacking Tools
  50. Kik Hack Tools
  51. Hacking Tools For Pc
  52. Hacker Tools 2020
  53. Hak5 Tools
  54. Hack Rom Tools
  55. Pentest Tools
  56. Pentest Recon Tools
  57. Hacker Tools
  58. Tools For Hacker
  59. Hacking Tools Hardware
  60. Hack Tools For Mac
  61. Pentest Box Tools Download
  62. Nsa Hack Tools
  63. Hacking Tools Usb
  64. Hack Website Online Tool
  65. Hacking Tools Usb
  66. Hack Tools 2019
  67. Pentest Tools Find Subdomains
  68. Game Hacking
  69. Pentest Tools Tcp Port Scanner
  70. Hacker Search Tools
  71. Pentest Tools Nmap
  72. Install Pentest Tools Ubuntu
  73. Pentest Box Tools Download
  74. Hacker Techniques Tools And Incident Handling
  75. Hack Tools For Games
  76. Hacker Tools List
  77. Hacker Tools Hardware
  78. Hacker Tools Hardware
  79. Best Hacking Tools 2020
  80. Free Pentest Tools For Windows
  81. Hack And Tools
  82. Pentest Tools For Mac
Posted by RBD at 2:25 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)