Dom, let's do something, let's schedule it. I'm GMT-3 and during this week I don't have any fixed appointments yet. If you tell me a reasonable hour (given my timezone and that I work from 8:30 to 7:30pm) we can schedule a 2h block and join the #w3af channel on IRC to work on the integer overflow stuff. So, when do you have 2h for working on this?
Regards,

On Mon, Jul 29, 2013 at 9:32 AM, D M <vints...@gmail.com> wrote:
> Dom,
>
> I was planning on working on the host header plugin. I did have a similar
> response from the mailing list, which is understandable since everyone is very
> busy.
>
> Maybe you and I can work on this further to get a better idea of how it will
> work?
>
>
> On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>
>> Dom,
>>
>> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
>> <dominique.righe...@gmail.com> wrote:
>> > Hi,
>> >
>> > I have spent the last 2 weeks trying to understand how to detect and how to
>> > reproduce the integer overflow, unfortunately I wasn't able to fully
>> > understand both of them.
>>
>> I feel bad that I / we were unable to help you with that, sorry but
>> I'm focused on other things these days.
>>
>> > I will take another ticket: "HTTP Host header attacks - Audit plugin" if
>> > it's available?
>>
>> Take a look at the mailing list thread we started a while ago about
>> that, maybe you can take it from there.
>>
>> > Dom
>> >
>> > --
>> > Cordialement, Best regards,
>> > Dominique Righetto
>> > dominique.righe...@gmail.com
>> > dominique.righe...@owasp.org
>> > Twitter: @righettod
>> > GPG: 0x323D19BA
>> > http://www.righettod.eu
>> > "No trees were killed to send this message, but a large number of
>> > electrons were terribly inconvenienced."
>> >
>> >
>> > On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho
>> > <andres.rian...@gmail.com> wrote:
>> >>
>> >> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>> >> <dominique.righe...@gmail.com> wrote:
>> >> > Hi Tomas,
>> >> >
>> >> > Thank you very much.
>> >> >
>> >> > I try to understand the objective of each of the values in
>> >> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>> >> > "2147483647", "2147483648", "4294967295", "4294967296", "0000023456"].
>> >> >
>> >> > For values: 2147483647,2147483648,-2147483649,-2147483648
>> >> > I understand because it's for testing around the limits of the Integer
>> >> > type, but for the other values I don't understand why they are used and
>> >> > where they come from?
>> >>
>> >> The most important part seems to be here [0]
>> >>
>> >> [0] https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>> >>
>> >> > As I understand the vulnerability, according to all the stuff that I can
>> >> > read, is the fact below:
>> >> >
>> >> > A parameter has an Integer overflow vuln if, in the case in which you
>> >> > submit a value over the max/min limit of the Integer, it returns a very
>> >> > small negative or positive value.
>> >> >
>> >> > Ex:
>> >> > You submit "2147483648" and the returned value is negative
>> >> > You submit "-2147483648" and the returned value is positive
>> >> >
>> >> > Can you confirm to me that my understanding is correct?
>> >>
>> >> I'm no good with these low level bugs, but my basic understanding of
>> >> the vuln makes me think that the best way to detect this vuln is:
>> >> * Send HTTP request with a test payload, let's say... 5, save it
>> >> * Send HTTP request with a test for integer overflow, which if
>> >> successful would be the same as sending the number 5, (calculate that,
>> >> but it should be -(2^31-5) or something like that), save it
>> >> * Compare the two. If they are equal we're in a case where integer
>> >> overflow is present OR the input is not even used
>> >> * Send one more HTTP request with a number 8 (different from the
>> >> previous), compare with any of the previous ones. If it's different
>> >> then integer overflow is present.
>> >>
>> >> If you want to have lower false positives, after running through those
>> >> steps you could run one more test round, repeating step 1 and 2 with a
>> >> number different than 5.
>> >>
>> >> @Thomas: is this how you were doing it?
>> >>
>> >> > I apologize for all my questions but I really want to fully understand
>> >> > the context of the vulnerability in order to take into account all the
>> >> > cases in the plugin implementation and also learn new things.
>> >> >
>> >> > W3AF team is a very cool learning environment, I feel like a dwarf
>> >> > among giants ;o)))))
>> >> >
>> >> > Thanks in advance.
>> >> >
>> >> > Best regards,
>> >> >
>> >> > Dom
>> >> >
>> >> >
>> >> >
>> >> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >> >>
>> >> >> Hi Dominique,
>> >> >>
>> >> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
>> >> >>
>> >> >> My code is based on skipfish detection:
>> >> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >>
>> >> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> >> >> <dominique.righe...@gmail.com> wrote:
>> >> >>
>> >> >>     Hi Andres,
>> >> >>
>> >> >>     I'm working on the integer overflow detection plugin and I am trying to
>> >> >>     understand, in an audit plugin, how to access the injection points
>> >> >>     detected in the discovery part.
>> >> >>
>> >> >>     Can you give me some pointer or plugin example?
>> >> >>
>> >> >>     Thanks in advance
>> >> >>
>> >> >>     Dom
>> >> >>
>> >> >
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> >
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
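The comparison-based detection steps Andres lists in the quoted thread, worked through as an added example that is neither w3af's nor skipfish's code: constructed stand-in endpoints (one that parses its parameter into a signed 32-bit int and silently wraps, one that rejects out-of-range input, one that ignores the parameter) are probed with 5, with 5 + 2^32 (which wraps back to 5 in 32 bits) and with 8, then the round is repeated with different numbers to lower false positives as the message suggests. The `send` callable stands in for the HTTP request; the endpoint names and response strings are assumptions.

```python
# Added example, not w3af's or skipfish's code: the comparison-based check
# from Andres's message, run against constructed stand-in endpoints.

INT32_MOD = 2 ** 32


def wrap_int32(n):
    """Model a backend that stores the parsed value in a signed 32-bit int."""
    n &= 0xFFFFFFFF
    return n - INT32_MOD if n >= 2 ** 31 else n


def vulnerable_endpoint(param):
    """Constructed endpoint: parses into a 32-bit int and silently wraps."""
    return "quantity=%d" % wrap_int32(int(param))


def safe_endpoint(param):
    """Constructed endpoint: rejects values outside the 32-bit range."""
    n = int(param)
    if not -2 ** 31 <= n < 2 ** 31:
        return "error: quantity out of range"
    return "quantity=%d" % n


def unused_endpoint(param):
    """Constructed endpoint: the parameter does not influence the response."""
    return "ok"


def looks_like_int_overflow(send, base=5, other=8):
    """Return True when responses are consistent with a silent 32-bit wrap.

    `send` stands in for the HTTP request: it maps a parameter string to
    the response body. One round is: request `base`, request the value that
    wraps to `base` in 32 bits, then request a different number `other`.
    """
    def one_round(a, b):
        r_a = send(str(a))
        r_wrapped = send(str(a + INT32_MOD))  # equals `a` after a 32-bit wrap
        if r_a != r_wrapped:
            return False  # the large value was handled differently: no wrap
        if send(str(b)) == r_a:
            return False  # input is not reflected at all: inconclusive
        return True

    # A second round with different numbers lowers false positives.
    return one_round(base, other) and one_round(other, base)
```

The skipfish-style boundary values quoted earlier in the thread (2147483647, 2147483648, -2147483649, -2147483648) can be fed through `wrap_int32` to see the sign flip Dominique describes.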