Saturday, 27 May 2023

C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538

The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;

What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.

So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

Related word

  1. What Are Hacking Tools
  2. Hacker Tools Mac
  3. Pentest Tools Apk
  4. Pentest Tools Find Subdomains
  5. Pentest Tools Apk
  6. Pentest Tools Alternative
  7. Hacker Tools For Mac
  8. Pentest Tools Framework
  9. Hack Tools Github
  10. Pentest Tools Nmap
  11. Pentest Tools Framework
  12. Tools For Hacker
  13. Computer Hacker
  14. Hacking Tools For Windows 7
  15. Hack Tools Online
  16. Best Hacking Tools 2020
  17. Hacking Apps
  18. Hacking Tools Windows
  19. Hack Tools For Ubuntu
  20. How To Make Hacking Tools
  21. Hacking Tools Hardware
  22. Hack Tools Download
  23. Hacker Tools For Windows
  24. Pentest Tools Framework
  25. Best Hacking Tools 2020
  26. Pentest Tools Framework
  27. Hack Website Online Tool
  28. Hack Tools Download
  29. Hacker Tools 2020
  30. Termux Hacking Tools 2019
  31. Hack Apps
  32. Hacker Tools Apk Download
  33. Hacker Tools List
  34. Beginner Hacker Tools
  35. Pentest Tools For Android
  36. Hacking Tools Free Download
  37. Pentest Tools
  38. Pentest Tools Alternative
  39. Hackers Toolbox
  40. Pentest Tools Review
  41. Pentest Tools Windows
  42. Pentest Tools Bluekeep
  43. Pentest Reporting Tools
  44. Pentest Tools List
  45. Hack Rom Tools
  46. Pentest Tools Website
  47. Pentest Tools Subdomain
  48. Hak5 Tools
  49. Android Hack Tools Github
  50. Hacker Search Tools
  51. Pentest Tools Linux
  52. Hack Tools For Pc
  53. Hack Tools Pc
  54. Hacker Tools Apk
  55. Pentest Tools Download
  56. Pentest Tools Kali Linux
  57. Hacking Tools
  58. Hacker Tools Windows
  59. Hacking Tools Usb
  60. Pentest Tools Url Fuzzer
  61. Pentest Recon Tools
  62. Android Hack Tools Github
  63. Pentest Tools Framework
  64. Hacker Tools For Windows
  65. Hack Tools Download
  66. Nsa Hack Tools
  67. Hackrf Tools
  68. Hacker Tools Linux
  69. Hacker Tools Hardware
  70. Hacking Tools Name
  71. Hack Tools For Ubuntu
  72. How To Make Hacking Tools
  73. Hack Tools Download
  74. Ethical Hacker Tools
  75. Beginner Hacker Tools
  76. Hacking Tools 2020
  77. Hackrf Tools
  78. Hack Website Online Tool
  79. Hack Rom Tools
  80. Hacking Tools Kit
  81. Pentest Tools Windows
  82. Hack Tools For Games
  83. What Are Hacking Tools
  84. Hack Tool Apk
  85. Underground Hacker Sites
  86. Hacking Tools 2019
  87. Pentest Tools Port Scanner
  88. Hacker Tools Linux
  89. Growth Hacker Tools
  90. Hack Tools
  91. Hack And Tools
  92. Hacking Tools Kit
  93. Github Hacking Tools