C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?


If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:



No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:


I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.



So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]



In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.



Note that gdb displays by default with at&t asm format wich the operands are in oposite order:


And having a string that is in the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


 See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()










Related posts
  1. What Are Hacking Tools
  2. Pentest Tools Bluekeep
  3. Pentest Tools Github
  4. Hacking App
  5. Hacking Tools For Mac
  6. Hak5 Tools
  7. Pentest Tools Open Source
  8. Pentest Tools Find Subdomains
  9. Tools 4 Hack
  10. Pentest Tools Github
  11. Hacker Tools Windows
  12. Hacker Tools For Windows
  13. Hacking Tools For Windows
  14. Hackers Toolbox
  15. Tools For Hacker
  16. Hack Tools Online
  17. Pentest Tools Free
  18. Hacker Tools Apk Download
  19. Physical Pentest Tools
  20. What Are Hacking Tools
  21. Hacking Tools 2020
  22. Hacks And Tools
  23. Github Hacking Tools
  24. Hacking Tools Windows 10
  25. Hacker Tools 2019
  26. Hacker Tools Github
  27. Physical Pentest Tools
  28. Usb Pentest Tools
  29. Termux Hacking Tools 2019
  30. Hacker Tools For Ios
  31. Hacker Techniques Tools And Incident Handling
  32. Hack Tools 2019
  33. Hacker Tools Apk
  34. Hacks And Tools
  35. Install Pentest Tools Ubuntu
  36. Pentest Tools For Ubuntu
  37. Pentest Tools Linux
  38. How To Install Pentest Tools In Ubuntu
  39. Hack Website Online Tool
  40. Hack Tool Apk
  41. Bluetooth Hacking Tools Kali
  42. Pentest Reporting Tools
  43. Pentest Tools Windows
  44. Hacker Tools Github
  45. Pentest Tools Download
  46. Hack Tools Mac
  47. Hack Tools For Games
  48. Pentest Tools Website
  49. Bluetooth Hacking Tools Kali
  50. Pentest Tools Review
  51. Hacker Tools Free
  52. Pentest Tools Windows
  53. Hack Apps
  54. Hack App
  55. Hacking Tools For Windows Free Download
  56. Hacking Tools For Windows
  57. Best Hacking Tools 2019
  58. Best Pentesting Tools 2018
  59. Free Pentest Tools For Windows
  60. Hacker Tools For Mac
  61. Hacking Tools Pc
  62. Pentest Tools For Android
  63. Hacker Tools List
  64. Hackrf Tools
  65. Hacker Search Tools
  66. Hacker Tools Software
  67. Hacking Tools 2019
  68. Nsa Hack Tools
  69. Usb Pentest Tools
  70. Nsa Hack Tools
  71. Pentest Tools Subdomain
  72. Hacking Tools For Pc
  73. Bluetooth Hacking Tools Kali
  74. Pentest Tools Review
  75. Hack Tools For Pc
  76. Pentest Tools Open Source
  77. Pentest Recon Tools
  78. Hacker Tools Mac
  79. Kik Hack Tools
  80. Pentest Tools
  81. How To Hack
  82. Hacking Tools Name
  83. Hacker Security Tools
  84. Hacking Tools Mac
  85. Computer Hacker
  86. Hacking Tools Usb
  87. Pentest Tools Open Source
Publicado por