
Wednesday, 17 January 2024

C++ Std::String Buffer Overflow And Integer Overflow

Iterators are usually implemented with signed integers, like the typical "for (int i=0; ...", and in fact int is the type used for indexing "cstr[i]"; most methods use signed int, and int is signed by default.
Nevertheless, the "std::string::operator[]" index is size_t, which is unsigned, and so is the return type of size(); the same happens with vectors.
Besides that, operator[] lacks any negative index control; I will explain this later.

Don't the compilers warn about this?


If this code got a large input it would index with a negative number; let's see the g++ and clang++ warnings:



No warnings, so there are many bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function, getting the file size with tellg() and using malloc to allocate the buffer, which in this case is then used as a string.
Let's see how the compiler writes asm code from this C++ code.



So the string constructor, getting the size and adding -2, is clear. Then comes operator<< to concatenate the strings.
Then we see operator[], where it will crash with the negative index.
In assembly it is clearer: it calls operator[] to get the value, and there the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX].



In gdb the operator[] is a callq 0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implementation of operator[] is in the functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array it is known that, having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of the string plus 10, and yes, we can do arbitrary writes.



Note that gdb displays by default in AT&T asm format, where the operands are in the opposite order:


And having a string that is on the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm going to do 3 writes:


See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string, at 0x7fffffffde46.
And write -100 segfaults because it is writing to a non-paged address.



So, C++ std::string is probably not vulnerable to buffer overflows based on concatenation, but std::string::operator[] lacks negative index control, and this can create vulnerable and exploitable situations, sometimes caused by a signed use of the unsigned std::string::size().
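The following is an added example, not code from the original post, that puts the two points above side by side: the signed copy of the unsigned size()-2 that wraps on short input (the same pattern the post compiles without any warning), and a bounds-checked read and write that reject the negative index operator[] would happily turn into an out-of-bounds address. The function names (unchecked_penultimate_index, checked_penultimate, checked_write, at_rejects_wrapped_index) are my own. The unchecked helper only computes and returns the index, it never dereferences with it, so the example runs without undefined behaviour; the hardened versions use std::string::at(), which throws std::out_of_range instead of dereferencing. With g++ or clang++, -Wsign-conversion makes the implicit size_t to int conversion visible at compile time, and building libstdc++ code with -D_GLIBCXX_ASSERTIONS turns operator[] into a checked access that aborts instead of corrupting memory.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>

// The pattern from the post: the unsigned size() minus 2 is stored in a signed
// int. For a string shorter than 2 bytes the unsigned subtraction wraps and the
// signed copy becomes negative (-2 for "", -1 for "a"). operator[] would take
// that value as a huge size_t and dereference outside the buffer, so this
// helper deliberately returns the index instead of using it.
long long unchecked_penultimate_index(const std::string& s) {
    int i = s.size() - 2;   // implicit size_t -> int, silent without -Wsign-conversion
    return i;
}

// Hardened: validate the length before the arithmetic, keep the index
// unsigned, and read through at() so a remaining mistake throws instead of
// reading an arbitrary address.
std::optional<char> checked_penultimate(const std::string& s) {
    if (s.size() < 2) return std::nullopt;
    std::size_t i = s.size() - 2;
    return s.at(i);
}

// Bounds-checked write: rejects negative indexes (the "-10" / "-100" writes
// from the post) and indexes at or past size(). Returns false instead of
// touching memory outside the string.
bool checked_write(std::string& s, long long idx, char c) {
    if (idx < 0) return false;
    if (static_cast<unsigned long long>(idx) >= s.size()) return false;
    s.at(static_cast<std::size_t>(idx)) = c;
    return true;
}

// Shows that at() refuses the wrapped index (-10 as size_t) that operator[]
// accepts: returns true when std::out_of_range is thrown.
bool at_rejects_wrapped_index(const std::string& s) {
    std::size_t wrapped = static_cast<std::size_t>(-10);
    try {
        (void)s.at(wrapped);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::cout << "index for \"\": " << unchecked_penultimate_index("") << '\n';   // -2
    std::cout << "index for \"a\": " << unchecked_penultimate_index("a") << '\n'; // -1
    std::string s = "hello";
    std::cout << "checked write at -10 accepted: " << checked_write(s, -10, 'X') << '\n'; // 0
    std::cout << "checked write at 0 accepted: " << checked_write(s, 0, 'X') << '\n';     // 1
    std::cout << "at() rejects wrapped index: " << at_rejects_wrapped_index(s) << '\n';   // 1
    return 0;
}
```

The read path checks size() before subtracting, so the wrap never happens; the write path accepts a signed index on purpose, because that is what callers in real code pass, and converts it only after rejecting negatives.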










