Hi,

I have spent the last 2 weeks trying to understand how to detect and how to
reproduce the integer overflow, unfortunately I wasn't able to fully
understand both of them.

I will take another ticket: "HTTP Host header attacks - Audit plugin" if
it's available?

Dom

--
Cordialement, Best regards,
Dominique Righetto
dominique.righe...@gmail.com
dominique.righe...@owasp.org
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced."


On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <andres.rian...@gmail.com>wrote:

> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
> <dominique.righe...@gmail.com> wrote:
> > Hi Tomas,
> >
> > Thank you very much.
> >
> > I am trying to understand the objective of each of the values in
> > ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
> > "2147483648", "4294967295", "4294967296", "0000023456"].
> >
> > For the values 2147483647, 2147483648, -2147483649, -2147483648
> > I understand, because it's for testing around the limits of the Integer
> > type, but for the other values I don't understand why they are used and
> > where they come from?
>
> The most important part seems to be here [0]
>
> [0]
> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>
> > As I understand the vulnerability, according to all the stuff that I can
> > read, it is the fact below:
> >
> > A parameter has an Integer overflow vuln if, in the case in which you
> > submit a value over the max/min limit of the Integer, it returns a very
> > small negative or positive value.
> >
> > Ex:
> > You submit "2147483648" and the returned value is negative
> > You submit "-2147483648" and the returned value is positive
> >
> > Can you confirm that my understanding is correct?
>
> I'm no good with these low level bugs, but my basic understanding of
> the vuln makes me think that the best way to detect this vuln is:
>     * Send an HTTP request with a test payload, let's say... 5, save it
>     * Send an HTTP request with a test for integer overflow, which if
> successful would be the same as sending the number 5, (calculate that,
> but it should be -(2^31-5) or something like that), save it
>     * Compare the two. If they are equal we're in a case where integer
> overflow is present OR the input is not even used
>     * Send one more HTTP request with the number 8 (different from the
> previous), compare with any of the previous ones. If it's different
> then integer overflow is present.
>
> If you want to have lower false positives, after running through those
> steps you could run one more test round, repeating step 1 and 2 with a
> number different than 5.
>
> @Thomas: is this how you were doing it?
>
> > I apologize for all my questions but I really want to fully understand the
> > context of the vulnerability in order to take into account all the cases in
> > the plugin implementation and also learn new things.
> >
> > W3AF team is a very cool learning environment, I feel like a dwarf among
> > giants ;o)))))
> >
> > Thanks in advance.
> >
> > Best regards,
> >
> > Dom
> >
> >
> >
> > On 13/07/2013 15:48, Tomas Velazquez wrote:
> >>
> >> Hi Dominique,
> >>
> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
> >>
> >> My code is based on skipfish detection:
> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
> >>
> >> Regards,
> >>
> >>
> >>
> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> >> <dominique.righe...@gmail.com> wrote:
> >>
> >>     Hi Andres,
> >>
> >>     I'm working on an integer overflow detection plugin and I am trying
> >>     to understand, in an audit plugin, how to access the injection points
> >>     detected in the discovery part.
> >>
> >>     Can you give me some pointers or a plugin example?
> >>
> >>     Thanks in advance
> >>
> >>     Dom
> >>
> >>
> >>
> >>     _______________________________________________
> >>     W3af-develop mailing list
> >>     W3af-develop@lists.sourceforge.net
> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>
> >>
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
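Andres' four-request comparison, written out as an added Python example; this is not w3af's or skipfish's code. To keep it runnable offline, the HTTP endpoint is replaced by constructed in-process handlers (a backend that stores the parameter in a wrapping signed 32-bit integer, one with arbitrary-precision integers, and one that ignores the parameter), and the "same as sending 5" overflow payload is taken to be 5 + 2^32, which wraps back to 5 in two's-complement 32-bit arithmetic (the -(2^31-5) figure in the mail is a guess the author flags as such). The `send` callable stands in for the plugin's request-and-fetch-body step.

```python
# Added example: detection logic from the thread, against in-process
# stand-ins for an HTTP handler. Not w3af or skipfish code.

INT32_MIN = -2**31
INT32_MAX = 2**31 - 1
UINT32_MOD = 2**32


def wrap_int32(n: int) -> int:
    """Emulate storing n in a signed 32-bit two's-complement integer."""
    n %= UINT32_MOD
    return n - UINT32_MOD if n > INT32_MAX else n


# --- constructed backends (what a real scanner would reach over HTTP) ---

def wrapping_handler(value: str) -> str:
    """Backend that truncates the parameter to int32 and echoes it back."""
    return f"value={wrap_int32(int(value))}"


def safe_handler(value: str) -> str:
    """Backend with arbitrary-precision integers: no wrap-around."""
    return f"value={int(value)}"


def ignoring_handler(value: str) -> str:
    """Backend that never uses the parameter at all."""
    return "value=0"


# --- detection logic (Andres' steps 1-4 plus the confirmation round) ---

def overflow_payload(n: int) -> str:
    """A number that equals n after signed 32-bit wrap-around: n + 2^32."""
    return str(n + UINT32_MOD)


def _same_after_wrap(send, n: int) -> bool:
    """Steps 1-3: does n and its wrapped-around twin give the same response?"""
    return send(str(n)) == send(overflow_payload(n))


def detect_integer_overflow(send, base: int = 5, alt: int = 8) -> bool:
    """Return True when responses behave like a wrapping 32-bit integer.

    send(value: str) -> str is assumed to issue the request with the
    parameter set to `value` and return the response body.
    """
    # Steps 1-3: the plain value and its overflow twin must match.
    if not _same_after_wrap(send, base):
        return False                      # no wrap-around observed
    # Step 4: a different number must change the response, otherwise the
    # parameter is simply not used and the match above proves nothing.
    if send(str(alt)) == send(str(base)):
        return False
    # Extra round with a different number, to lower false positives.
    return _same_after_wrap(send, alt)


if __name__ == "__main__":
    for name, handler in [("wrapping", wrapping_handler),
                          ("safe", safe_handler),
                          ("ignoring", ignoring_handler)]:
        print(f"{name:9s} backend -> overflow: "
              f"{detect_integer_overflow(handler)}")
    # The limit values from the thread, seen through the wrapping backend:
    for v in ["2147483647", "2147483648", "-2147483648", "-2147483649"]:
        print(f"submit {v:>12s} -> {wrapping_handler(v)}")
```

Only the wrapping backend is reported; the arbitrary-precision backend fails step 3 and the ignoring backend fails step 4, which is exactly the false positive the extra "different number" request is there to rule out.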