Re: [W3af-develop] Integer overflow detection plugin
From: Dominique R. <dom...@gm...> - 2013-07-29 19:54:00
Andres, DM,

I will set up an IRC client ASAP (I have never used IRC before) and I will come back to you with a date (Luxembourg time) when I'm able to connect to the #w3af channel...

Regards,

Dom

--
Cordialement, Best regards,
Dominique Righetto
dom...@gm...
dom...@ow...
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons were terribly inconvenienced."


On Mon, Jul 29, 2013 at 3:22 PM, Andres Riancho <and...@gm...> wrote:
> Dom,
>
>     Let's do something, let's schedule it. I'm GMT-3 and during this
> week I don't have any fixed appointments yet. If you tell me a
> reasonable hour (given my timezone and that I work from 8:30 to
> 7:30pm) we can schedule a 2h block and join the #w3af channel on IRC
> to work on the integer overflow stuff. So, when do you have 2h for
> working on this?
>
> Regards,
>
> On Mon, Jul 29, 2013 at 9:32 AM, D M <vin...@gm...> wrote:
> > Dom,
> >
> > I was planning on working on the host header plugin. I did have a similar
> > response from the mailing list, which is understandable since everyone is
> > very busy.
> >
> > Maybe you and I can work on this further to get a better idea of how it
> > will work?
> >
> >
> > On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho <and...@gm...>
> > wrote:
> >>
> >> Dom,
> >>
> >> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
> >> <dom...@gm...> wrote:
> >> > Hi,
> >> >
> >> > I have spent the last 2 weeks trying to understand how to detect and
> >> > how to reproduce the integer overflow; unfortunately I wasn't able to
> >> > fully understand either of them.
> >>
> >> I feel bad that I / we were unable to help you with that, sorry but
> >> I'm focused on other things these days.
> >>
> >> > I will take another ticket: "HTTP Host header attacks - Audit plugin",
> >> > if it's available?
> >>
> >> Take a look at the mailing list thread we started a while ago about
> >> that, maybe you can take it from there.
> >>
> >> > Dom
> >> >
> >> > --
> >> > Cordialement, Best regards,
> >> > Dominique Righetto
> >> > dom...@gm...
> >> > dom...@ow...
> >> > Twitter: @righettod
> >> > GPG: 0x323D19BA
> >> > http://www.righettod.eu
> >> > "No trees were killed to send this message, but a large number of
> >> > electrons were terribly inconvenienced."
> >> >
> >> >
> >> > On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho
> >> > <and...@gm...> wrote:
> >> >>
> >> >> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
> >> >> <dom...@gm...> wrote:
> >> >> > Hi Tomas,
> >> >> >
> >> >> > Thank you very much.
> >> >> >
> >> >> > I'm trying to understand the objective of each of the values in
> >> >> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
> >> >> > "2147483647", "2147483648", "4294967295", "4294967296", "0000023456"].
> >> >> >
> >> >> > For the values 2147483647, 2147483648, -2147483649, -2147483648
> >> >> > I understand, because they test around the limits of the Integer
> >> >> > type, but for the other values I don't understand why they are used
> >> >> > and where they come from?
> >> >>
> >> >> The most important part seems to be here [0]
> >> >>
> >> >> [0] https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
> >> >>
> >> >> > As I understand the vulnerability, according to all the material that
> >> >> > I can read, it is the following:
> >> >> >
> >> >> > A parameter has an Integer overflow vuln if, when you submit a value
> >> >> > over the max/min limit of the Integer, it returns a very small
> >> >> > negative or positive value.
> >> >> >
> >> >> > Ex:
> >> >> > You submit "2147483648" and the returned value is negative
> >> >> > You submit "-2147483648" and the returned value is positive
> >> >> >
> >> >> > Can you confirm that my understanding is correct?
> >> >>
> >> >> I'm no good with these low level bugs, but my basic understanding of
> >> >> the vuln makes me think that the best way to detect this vuln is:
> >> >> * Send HTTP request with a test payload, let's say... 5, save it
> >> >> * Send HTTP request with a test for integer overflow, which if
> >> >> successful would be the same as sending the number 5 (calculate that,
> >> >> but it should be -(2^31-5) or something like that), save it
> >> >> * Compare the two. If they are equal we're in a case where integer
> >> >> overflow is present OR the input is not even used
> >> >> * Send one more HTTP request with a number 8 (different from the
> >> >> previous), compare with any of the previous ones. If it's different
> >> >> then integer overflow is present.
> >> >>
> >> >> If you want to have lower false positives, after running through those
> >> >> steps you could run one more test round, repeating steps 1 and 2 with a
> >> >> number different than 5.
> >> >>
> >> >> @Thomas: is this how you were doing it?
> >> >>
> >> >> > I apologize for all my questions but I really want to fully
> >> >> > understand the context of the vulnerability in order to take into
> >> >> > account all the cases in the plugin implementation and also learn
> >> >> > new things.
> >> >> >
> >> >> > The W3AF team is a very cool learning environment, I feel like a
> >> >> > dwarf among giants ;o)))))
> >> >> >
> >> >> > Thanks in advance.
> >> >> >
> >> >> > Best regards,
> >> >> >
> >> >> > Dom
> >> >> >
> >> >> >
> >> >> > On 13/07/2013 15:48, Tomas Velazquez wrote:
> >> >> >>
> >> >> >> Hi Dominique,
> >> >> >>
> >> >> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
> >> >> >>
> >> >> >> My code is based on skipfish detection:
> >> >> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
> >> >> >>
> >> >> >> Regards,
> >> >> >>
> >> >> >>
> >> >> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> >> >> >> <dom...@gm...> wrote:
> >> >> >>
> >> >> >>     Hi Andres,
> >> >> >>
> >> >> >>     I'm working on the integer overflow detection plugin and I'm
> >> >> >>     trying to understand, in an audit plugin, how to access the
> >> >> >>     injection points detected in the discovery part.
> >> >> >>
> >> >> >>     Can you give me some pointer or plugin example?
> >> >> >>
> >> >> >>     Thanks in advance
> >> >> >>
> >> >> >>     Dom
> >> >> >>
> >> >> >>
> >> >> >> ------------------------------------------------------------------------------
> >> >> >> See everything from the browser to the database with AppDynamics
> >> >> >> Get end-to-end visibility with application monitoring from AppDynamics
> >> >> >> Isolate bottlenecks and diagnose root cause in seconds.
> >> >> >> Start your free trial of AppDynamics Pro today!
> >> >> >> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >> >> >> _______________________________________________
> >> >> >> W3af-develop mailing list
> >> >> >> W3a...@li...
> >> >> >> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >> >>
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Andrés Riancho
> >> >> Project Leader at w3af - http://w3af.org/
> >> >> Web Application Attack and Audit Framework
> >> >> Twitter: @w3af
> >> >> GPG: 0x93C344F3
> >> >
> >> >
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
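The three-request procedure sketched in the thread (control value, a value that wraps back to the same control value, a second control value to rule out an unused parameter, plus an optional second round), written out as a runnable probe. This is an added example for this page, not code from w3af, skipfish or any of the posters. The HTTP endpoint is replaced by three constructed in-process handlers (`vulnerable_handler`, `safe_handler`, `unused_handler`) and a `send(param, value)` callable, all of which are assumptions of this example; a real audit plugin would put its request code behind `send`. For a 32-bit parse the value that folds back to 5 is 2^32 + 5 = 4294967301, which truncates to 5 under both signed two's-complement and unsigned arithmetic.

```python
"""Differential probe for integer wrap-around in a numeric web parameter.

Added example for this thread; not code from w3af, skipfish, or any poster.
It implements the three-request procedure discussed above: send a small
control value, send a value that a fixed-width integer parse folds back to
that same control value, compare the two responses, then send a second
control value to rule out "the parameter is not used at all".
The HTTP target is replaced by constructed in-process handlers so the probe
runs offline; an audit plugin would put its request code behind `send`.
"""

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def wrap_i32(n: int) -> int:
    """Truncate to a signed 32-bit two's-complement value, as a C `int` would."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def wrapping_value(n: int, bits: int = 32) -> int:
    """Return a value outside the `bits`-wide range that truncates back to `n`.

    For 32 bits and n = 5 this is 4294967301: both signed (two's complement)
    and unsigned truncation give 5 again.
    """
    return n + (1 << bits)


# --- constructed stand-ins for three kinds of endpoint (assumptions) --------
def vulnerable_handler(params: dict) -> str:
    """Parses 'qty' the way a C int would: silently truncates to 32 bits."""
    qty = wrap_i32(int(params.get("qty", "0")))
    return f"<html>You ordered {qty} items, total {qty * 10}</html>"


def safe_handler(params: dict) -> str:
    """Same page, but rejects anything outside the 32-bit range."""
    qty = int(params.get("qty", "0"))
    if not INT32_MIN <= qty <= INT32_MAX:
        return "<html>error: quantity out of range</html>"
    return f"<html>You ordered {qty} items, total {qty * 10}</html>"


def unused_handler(params: dict) -> str:
    """Ignores the parameter entirely, so every value yields the same page."""
    return "<html>static page</html>"


def make_sender(handler):
    """Adapt a handler into the `send(param, value) -> body` callable the probe uses."""
    return lambda param, value: handler({param: value})


def detect_int_overflow(send, param: str, control_a: int = 5, control_b: int = 8) -> str:
    """Classify `param` as 'overflow', 'unused' or 'clean'.

    Responses are compared with plain string equality; pages carrying
    dynamic content (timestamps, tokens) need normalising before this.
    """
    base_a = send(param, str(control_a))
    wrapped_a = send(param, str(wrapping_value(control_a)))
    if base_a != wrapped_a:
        # The out-of-range value was handled differently (error page, clamp,
        # 64-bit arithmetic, ...): no silent 32-bit truncation observed.
        return "clean"
    base_b = send(param, str(control_b))
    if base_b == base_a:
        # A different in-range value produced the same page: the parameter
        # does not influence the response, so the equality above proves nothing.
        return "unused"
    # Second round with the other control value to lower false positives.
    wrapped_b = send(param, str(wrapping_value(control_b)))
    return "overflow" if wrapped_b == base_b else "clean"


if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable_handler),
                          ("safe", safe_handler),
                          ("unused", unused_handler)]:
        print(f"{name:>10}: {detect_int_overflow(make_sender(handler), 'qty')}")
```

The exact-equality comparison is the weak point in practice: any page that embeds a timestamp, session token or request counter will never compare equal, which pushes every parameter into the "clean" bucket. Scanners handle this by stripping or fuzzily matching the variable parts of the response before comparing, and the same normalisation step would go in front of the comparisons here.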