Thursday, January 18, 2024

C++ Std::String Buffer Overflow And Integer Overflow

Loop counters are usually signed integers, like the typical "for (int i=0; ...", and that is also the type most code uses to index a C array ("cstr[i]"): plain int is signed by default.
However, the index parameter of "std::string::operator[]" is size_t, which is unsigned, and so is the return type of size(); the same applies to std::vector.
On top of that, operator[] performs no bounds check at all, so a negative index is never rejected; I will explain this later.

Don't the compilers warn about this?


If this code got a large input (a size() above INT_MAX), the index would become a negative number; let's see the g++ and clang++ warnings:



No warnings. Neither compiler reports the size_t/int conversions by default; g++ only does so with -Wsign-conversion (clang++ includes it in -Wconversion), which most builds do not enable, so there are many such bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function, getting the file size with tellg() and using malloc to allocate the buffer, which in this case is then used as a string.
Let's see what assembly the compiler generates from this C++ code.



So the string constructor, the call to size() and the addition of -2 are clear. Then comes operator<< to concatenate the output.
Then we see the call to operator[], which is where it will crash because of the negative index.
In assembly it is clearer: operator[] is called to get the element's address, not its value, and the dereference happens afterwards in main. operator[] ends up returning an address outside the buffer, and the read at [RAX] crashes.



In gdb the operator[] call is a  callq  0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>, i.e. std::__cxx11::basic_string<char>::operator[](unsigned long) through the PLT, with the index in rsi:

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


Stepping into that call the first time does not reach operator[] itself: the backtrace below is the dynamic linker lazily resolving the PLT entry (_dl_runtime_resolve -> _dl_fixup -> symbol lookup), after which control returns to main:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX] that reads the byte at the returned reference:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)
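The following is an added example (not code from the original post) that reproduces the integer arithmetic behind the crash above with a constructed length instead of a ~4 GiB file, and shows the fixed pattern next to it. The length 0xFFFF0000 is an assumption chosen so that the buggy "int i = s.size() - 2" yields exactly the -65538 / 0xfffffffffffefffe seen in rsi in the gdb session; the function names are mine.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Buggy pattern from the post: the unsigned size() is stored in a signed int.
// Once the length exceeds INT_MAX the result no longer fits and is silently
// truncated to 32 bits, which reads back as a negative number.
int penultimate_index_buggy(std::size_t len) {
    int i = len - 2;   // size_t -> int, no check, no warning by default
    return i;
}

// What operator[] actually receives: the int is converted to size_t, which
// sign-extends a negative value into a huge unsigned index.
std::size_t index_seen_by_operator(int i) {
    return static_cast<std::size_t>(i);
}

// Fixed version: keep the index in size_t and reject strings shorter than 2.
// Returns false (and leaves out untouched) when there is no penultimate byte.
bool penultimate_index_checked(const std::string& s, std::size_t& out) {
    if (s.size() < 2) return false;
    out = s.size() - 2;
    return true;
}

// Safe read that never indexes outside [0, size()).
bool penultimate_char(const std::string& s, char& out) {
    std::size_t idx;
    if (!penultimate_index_checked(s, idx)) return false;
    out = s[idx];
    return true;
}

int main() {
    // Constructed length (assumption), chosen to reproduce the rsi value in the
    // post's gdb session instead of reading a ~4 GiB file:
    // 0xFFFF0000 - 2 = 0xFFFEFFFE, which as a 32-bit int is -65538.
    const std::size_t file_size = 0xFFFF0000u;
    int i = penultimate_index_buggy(file_size);
    std::size_t idx = index_seen_by_operator(i);
    std::printf("int index = %d, index passed to operator[] = %#zx\n", i, idx);
    // int index = -65538, index passed to operator[] = 0xfffffffffffefffe

    std::string s = "hello";
    char c;
    if (penultimate_char(s, c))
        std::printf("penultimate byte of \"%s\" is %c\n", s.c_str(), c);
    // penultimate byte of "hello" is l
    return 0;
}
```

The truncation in penultimate_index_buggy is exactly what -Wsign-conversion would flag; the checked variants keep every index in size_t and compare against size() before indexing, which is the whole fix.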


What about negative indexing in std::string::operator[] ?
It's exploitable!

With a C char array it is well known that, if we control the index, we can address arbitrary memory.
Let's see what happens with C++ strings:






The operator[] call returns the address of the string's buffer plus 10 (the index), and yes, we can do arbitrary writes.



Note that gdb by default displays AT&T assembly syntax, in which the operands are in the opposite order (source first, destination last):


And with a string that lives on the stack, controlling the index lets us perform a write on the stack.



To make sure we are writing outside the string, I'm going to do 3 writes:


See below the command "i r rax" used to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
The write at -10 lands before the string, at 0x7fffffffde46.
And the write at -100 segfaults because it hits an address that is not mapped. Note that 0x7fffffffde50 - 100 = 0x7fffffffddec would on its own still be inside the stack mapping, so the faulting address is worth confirming with "p $_siginfo._sifields._sigfault.si_addr" (or with "i r rax" right before the store) rather than derived from the index alone.
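The following is an added example (not code from the original post) that reproduces the address arithmetic behind these three writes and contrasts it with the two checked alternatives a practitioner would reach for. The buffer address 0x7fffffffde50 is taken from the session above and treated as a plain integer so nothing is actually dereferenced; the sample string and the function names are mine.

```cpp
#include <cinttypes>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <string>

// std::string::operator[] does no bounds check: the reference it returns is
// just data() + static_cast<size_t>(index).  This reproduces that pointer
// arithmetic on plain integers, so the out-of-range targets from the post can
// be computed without touching memory.  A negative int becomes a huge size_t,
// and adding it to the address wraps modulo 2^64, i.e. walks backwards.
std::uintptr_t operator_index_address(std::uintptr_t buffer, int index) {
    return buffer + static_cast<std::size_t>(index);
}

// Read through at(): the same huge index is rejected with std::out_of_range
// instead of being turned into a reference outside the buffer.
bool read_checked(const std::string& s, int index, char& out) {
    try {
        out = s.at(static_cast<std::size_t>(index));
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// Write with an explicit range check on the signed value, the pattern to use
// when the index really is a signed int coming from untrusted input.
bool write_checked(std::string& s, long index, char value) {
    if (index < 0 || static_cast<std::size_t>(index) >= s.size()) return false;
    s[static_cast<std::size_t>(index)] = value;
    return true;
}

int main() {
    const std::uintptr_t buf = 0x7fffffffde50;  // buffer address from the post
    for (int idx : {10, -10, -100})
        std::printf("s[%d] -> %#" PRIxPTR "\n", idx, operator_index_address(buf, idx));
    // s[10] -> 0x7fffffffde5a, s[-10] -> 0x7fffffffde46, s[-100] -> 0x7fffffffddec

    std::string s = "penultimate";  // constructed sample input
    char c = 0;
    std::printf("at(-10) accepted: %d\n", read_checked(s, -10, c));         // 0
    std::printf("write at -10 accepted: %d\n", write_checked(s, -10, 'A')); // 0
    return 0;
}
```

at() only helps once the caller has already lost the sign, which is why write_checked compares the signed value first; building with -D_GLIBCXX_ASSERTIONS gives operator[] the same check without changing call sites.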



So, C++ std::string is not vulnerable to buffer overflows through concatenation (operator+= and append() grow the buffer as needed), but std::string::operator[] does no bounds checking at all, and a negative index silently converts to a huge size_t that points outside the buffer; this creates vulnerable and exploitable situations, often caused by storing the unsigned std::string::size() in a signed int. Using at() (which throws std::out_of_range), building with -D_GLIBCXX_ASSERTIONS so libstdc++ checks operator[], and compiling with -Wsign-conversion all catch this class of bug.









