Dom,

On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto <dominique.righe...@gmail.com> wrote:
> Hi,
>
> I have spent the last 2 weeks trying to understand how to detect and how to
> reproduce the integer overflow; unfortunately I wasn't able to fully
> understand either of them.

I feel bad that I / we were unable to help you with that, sorry but I'm
focused on other things these days.

> I will take another ticket: "HTTP Host header attacks - Audit plugin" if
> it's available?

Take a look at the mailing list thread we started a while ago about that,
maybe you can take it from there.

> Dom
>
> --
> Cordialement, Best regards,
> Dominique Righetto
> dominique.righe...@gmail.com
> dominique.righe...@owasp.org
> Twitter: @righettod
> GPG: 0x323D19BA
> http://www.righettod.eu
> "No trees were killed to send this message, but a large number of electrons
> were terribly inconvenienced."
>
>
> On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>
>> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO <dominique.righe...@gmail.com> wrote:
>> > Hi Tomas,
>> >
>> > Thank you very much.
>> >
>> > I am trying to understand the objective of each of the values in
>> > ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
>> > "2147483648", "4294967295", "4294967296", "0000023456"].
>> >
>> > For the values 2147483647, 2147483648, -2147483649, -2147483648
>> > I understand, because they test around the limits of the Integer
>> > type, but for the other values I don't understand why they are used and
>> > where they come from?
>>
>> The most important part seems to be here [0]
>>
>> [0] https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>>
>> > As I understand the vulnerability, according to all the stuff that I can
>> > read, it is the fact below:
>> >
>> > A parameter has an Integer overflow vuln if, in the case in which you
>> > submit a value over the max/min limit of the Integer, it returns a very
>> > small negative or positive value.
>> >
>> > Ex:
>> > You submit "2147483648" and the returned value is negative
>> > You submit "-2147483648" and the returned value is positive
>> >
>> > Can you confirm to me that my understanding is correct?
>>
>> I'm no good with these low level bugs, but my basic understanding of
>> the vuln makes me think that the best way to detect this vuln is:
>> * Send HTTP request with a test payload, let's say... 5, save it
>> * Send HTTP request with a test for integer overflow, which if
>>   successful would be the same as sending the number 5 (calculate that,
>>   but it should be -(2^31-5) or something like that), save it
>> * Compare the two. If they are equal we're in a case where integer
>>   overflow is present OR the input is not even used
>> * Send one more HTTP request with a number 8 (different from the
>>   previous), compare with any of the previous ones. If it's different
>>   then integer overflow is present.
>>
>> If you want to have lower false positives, after running through those
>> steps you could run one more test round, repeating steps 1 and 2 with a
>> number different than 5.
>>
>> @Tomas: is this how you were doing it?
>>
>> > I apologize for all my questions but I really want to fully understand
>> > the context of the vulnerability in order to take into account all the
>> > cases in the plugin implementation and also learn new things.
>> >
>> > W3AF team is a very cool learning environment, I feel like a dwarf among
>> > giants ;o)))))
>> >
>> > Thanks in advance.
>> >
>> > Best regards,
>> >
>> > Dom
>> >
>> >
>> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >>
>> >> Hi Dominique,
>> >>
>> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
>> >>
>> >> My code is based on skipfish detection:
>> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >>
>> >> Regards,
>> >>
>> >>
>> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto <dominique.righe...@gmail.com> wrote:
>> >>
>> >>     Hi Andres,
>> >>
>> >>     I'm working on an integer overflow detection plugin and I'm trying to
>> >>     understand, in an audit plugin, how to access the injection points
>> >>     detected in the discovery part.
>> >>
>> >>     Can you give me some pointer or plugin example?
>> >>
>> >>     Thanks in advance
>> >>
>> >>     Dom
>> >>
>> >
>> >
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
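The four-step comparison heuristic Andres lays out in the quoted Jul 15 message, written out as an added Python example (not w3af or skipfish code). The wrap-around payload arithmetic (2**bits + base), the extra confirmation round and the three stand-in handlers are my own assumptions, not anything from the thread.

```python
"""Added example, not w3af or skipfish code: the comparison heuristic Andres
sketches in the quoted message, run against three constructed stand-ins for a
server-side handler. The overflow payload 2**bits + base (which wraps back to
`base` on a bits-wide integer) is my choice; the thread left the exact value open."""


def detect_integer_overflow(send, base=5, control=8, bits=32, confirm=True):
    """Return 'overflow', 'not_vulnerable' or 'input_not_used' for one parameter.

    `send(value)` submits the string `value` and returns the response body.
    Steps follow the thread: (1) send `base`, (2) send a value that wraps to
    `base`, (3) equal responses mean overflow OR the input is ignored, (4) a
    different `control` value separates those two cases.
    """
    r_base = send(str(base))
    r_wrap = send(str(2 ** bits + base))   # 4294967301 wraps to 5 on 32 bits
    if r_base != r_wrap:
        return "not_vulnerable"           # the big value was handled as big
    if send(str(control)) == r_base:
        return "input_not_used"           # every value yields the same page
    if confirm:
        # Optional extra round with another pair to lower false positives.
        other = base + 7
        if send(str(other)) != send(str(2 ** bits + other)):
            return "not_vulnerable"
    return "overflow"


# Constructed stand-ins for the application under test (no real targets).
def wrapping_app(value):
    """Stores the parameter in a signed 32-bit field, so 2147483648 comes back
    negative (the symptom Dominique describes) and 4294967301 comes back as 5."""
    n = (int(value) + 2 ** 31) % 2 ** 32 - 2 ** 31
    return "quantity=%d" % n

def safe_app(value):
    """Arbitrary-precision arithmetic: large values stay large."""
    return "quantity=%d" % int(value)

def ignoring_app(value):
    """Never uses the parameter; every response is identical."""
    return "ok"


if __name__ == "__main__":
    for name, app in (("wrapping", wrapping_app), ("safe", safe_app),
                      ("ignoring", ignoring_app)):
        print("%-9s -> %s" % (name, detect_integer_overflow(app)))
```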