
Integer Overflow Exploit

I'm going to be doing some work on hardening Solaris and Windows XP/7 based machines at work, but I am unsure of the significance of some of the exploits that can be done today.

I've been reading about Integer Overflow exploits and I'm not quite sure I understand the end goal in this exploit.

It would appear to me that, given an 8-bit unsigned character data type, the range of values is 0-255. Thus if a value is set to 255 and you add 1, you (correct me if I am wrong) end up with a 0.

While I am sure this will, in many cases, crash the aforementioned program on the computer, is that the entire end goal? Is there some way that this can allow someone to inject their own code like a buffer overflow or something?

-Kevin
 
Suppose you have the following:

Code:
void modifyStudent() {
  int sid;
  char grade;
  char comments[80];
  ...
}

For simplicity, we'll say that comments[] is indexed with an 8-bit signed integer (char). Now say you try to access comments[255]. Well, that's comments[-1] as far as the C code is concerned. Since this is all on the stack, comments[-1] maps to the previous variable. So you can now change grade. Furthermore, if you go back to comments[254], comments[253], comments[252], and comments[251], that's the student ID. So not only can you give yourself an A, you can give anyone or everyone else an F.

I'm not sure if that's the only use of integer overflow, but it's a likely one.
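A small C program that walks through the two conversions discussed above: the unsigned wrap from Kevin's question and the signed-char index from Ken's example, next to the bounds check that rejects it. This is an added example, not code from the thread; the grades array, its size and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_GRADES 50   /* size of the constructed grades[] array */

/* Constructed sample data standing in for the student record. */
static const signed char kGrades[NUM_GRADES] = { 'A', 'B', 'C' };

/* The wrap Kevin describes: unsigned 8-bit 255 plus 1 is 0
 * (modular arithmetic is well-defined for unsigned types in C). */
unsigned int add_one_unsigned_char(unsigned int value)
{
    unsigned char c = (unsigned char)value;
    c++;                              /* 255 -> 0 */
    return c;
}

/* The reinterpretation Ken describes: the byte 255 stored in a signed
 * char reads back as -1 on two's-complement platforms (implementation-
 * defined in C, but -1 on every mainstream compiler). */
int narrow_to_signed_char(unsigned int value)
{
    signed char index = (signed char)value;
    return index;
}

/* Weak check: tests only the upper bound on an already-narrowed index,
 * so -1 (from 255) passes and would read the stack slot before the array. */
bool weak_index_ok(signed char index)
{
    return index < NUM_GRADES;
}

/* Hardened check: validate in the wide type the input arrived in, and test
 * both bounds, before the value is ever used as an index. */
bool strict_index_ok(long index)
{
    return index >= 0 && index < NUM_GRADES;
}

/* Bounds-checked accessor: returns the grade, or -1 for an invalid index
 * (grades are ASCII letters, so -1 is an unambiguous sentinel). */
int get_grade(long index)
{
    if (!strict_index_ok(index))
        return -1;
    return kGrades[index];
}

int main(void)
{
    printf("255 + 1 as unsigned char = %u\n", add_one_unsigned_char(255));
    printf("255 as signed char       = %d\n", narrow_to_signed_char(255));
    printf("weak check on 255:   %s\n", weak_index_ok((signed char)255) ? "passes" : "rejects");
    printf("strict check on 255: %s\n", strict_index_ok(255) ? "passes" : "rejects");
    return 0;
}
```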
 
Buffer overflow != Integer overflow

At first glance I didn't think it could be exploited except to crash/corrupt a program, but perhaps Ken's example makes some sense, although not sure why couldn't one use -1 directly instead of 255. And I think in C++ arrays are indexed by unsigned ints, so it would just wrap to 0 again. Can arrays be made to be indexed by signed ints?
 
Yep, they can. The problem would come in when you have code that looks like this.

Code:
void someFunc(char index)
{
    int untouchable;
    int currStudent;
    int array[50];
    array[index];   /* a negative (signed char) index reads the stack slots before array[] */
}

When you try and dereference the array by a signed char value, it just screws up. As for the - thing. Perhaps the program does some checking to see if it is negative or not when it takes in the user input.

Idk, the whole thing seems a bit unlikely, like it relies on too many features of the universe to fall into place. A buffer overflow bug seems more likely and problematic.
 