19. November 2018 - Zanidd

Integer Overflow – Explained

An Integer Overflow is an attack used by hackers and security specialists that abuse the properties of signed and unsigned integers.

Signed vs. Unsigned

Integers come in various “formfactors”: long, short, unsigned, signed and many more. To perform an integer overflow attack you need to abuse the properties of signed and unsigned integers.

What does this mean?

Signed and Unsigned reffer to the sign befor the number. (eg.1,23, …)

The main difference between the two is, that unsigned integers do not have a representation of negative numbers. And a processor can only hold 1s and 0s. So no negative numbers shouldn’t be possible in the processor, or a computer for that matter.

So how does this work?

Twos Complement

TL;DR: Negative numbers are just very high positive numbers.

The common convention is to use the twos complement, a math “hack” to convert binary numbers into a format to represent negative numbers. These are usually just very high numbers. Let’s do an example with 4 Bits.

the twos complement of 0011 (3 in binary) is 1101 (13 in binary). And here we got our problem.

In unsigned Integers 1101 is represented as 13, but in signed Integers its a -3. So -3 = 13…

This values are always based on architecture – a 32 Bit machine has 4 Bytes per Integer, 64 has 8 Bytes.

You can try some more down below (but it’s javascript Ints, so they’re weird anyway):

Signed:

Unsigned:

So where do we draw the line?

https://i0.wp.com/www.codeguru.com/images/article/11111/04.gif?w=660&ssl=1

Apparently at exactly half, meaning all numbers starting with a 1 in binary (1000, 101000001110, 10101101, etc…).

You can read more here.

How to Exploit an Integer Overflow

Now that we got the basics down, how do we abuse this, to bypass checks or hack into things?

Let’s take a shop for example:

  • You can buy things
  • You can check your account

Additionally, you only have 1100$, but the thing you want costs 1000000$. And there is another one that costs 1000$.

This used to be a challenge in the picoCTF 2018. You can get the source for this shop over here and compile it with

gcc -Wall -g shop.c -o shop

The trick here is that there is a part in the code that checks if the amount of things you choose is higher than 0. Then it takes your amount and multiplies it by the price. Finally it subtracts it from your account if you have enough money.

if(number_flags > 0){ 
  int total_cost = 0;
  total_cost = 1000*number_flags;
  printf("\nYour total cost is: %d\n", total_cost);
  if(total_cost <= account_balance){
    account_balance = account_balance - total_cost; 
    printf("\nYour new balance: %d\n\n", account_balance);
  } else{ 
    printf("Not enough funds\n"); 
  }
}

Our goal is to generate money with this part, so we can afford the 100000000$ piece. Now if it would subtract from our account, we would get money. Because

--1 == 1

So we first need to choose more than 0 flags and check if the total_cost will be a negative int.

Integer Overflow

Let’s say the maximum number possible would be 65000. So half of it would be positive, and the upper half would be negative:

0-32500 = Positive

32501-65000 = Negative

If we pass an amount around 33 it will be multiplied by 1000 which results in 33000 which overflows 32500 and is a negative number (I think around -32000)! Now we can abuse this to get to a pretty low(!) negative number that will be added to our account, untill we have enough to buy everything we want!

Examples

The following playlist contains videos on “real” integer overflow vulnerabilities that I exploited during CTF’s and other hacking challenges. I’m sure there will be more in the future.

Recap

To execute an Integer Overflow attack, you need to know about the architecture and properties of integer. Also the application has to be vulnerable to it, meaning it passes an unsigned int to a signed int (with implicit casting).

You need to find the part, insert a number that will overflow the positive numbers into the negative ones and try to exploit it.

Sometimes it can even be done easier by just passing negative numbers. It all depends on the challenge or software. But one thing they have in common:

You need to overflow the positive/ negative integer range.


If you liked this post, make sure to subscribe to my newsletter.

Share

Zanidd

I build and hack stuff.

You may also like...

Leave a Reply