Author Topic: [VB6] Simple Checksumming Method  (Read 12652 times)

iago
Re: [VB6] Simple Checksumming Method
« Reply #15 on: June 30, 2005, 05:12:38 pm »
> It seems worthy enough of an error, nonetheless. I mean if you overflow you can overwrite memory, no?

No.  I'll follow up in a bit, I'm busy right now.

> Aren't overflows a big bug in software used to run arbitrary code and such?

All right, sorry about that.

Anyways, there are different types of overflows.  In the sense we're talking about, it is an integer overflow.  That is when you add one to the maximum number and end up with 0.  The only type of vulnerability that that can lead to is a heap overflow, which is how Microsoft's JPEG decoder vulnerability came about.  More on that later.

The type of overflow that you're thinking of is an array overflow.  That is, when the programmer declares an array on the stack and then tries to add data to it that goes past the end of the array, it overwrites other data on the stack.  And if you control a program's stack, it's game over.

Now, back to the integer overflow.  This is something that people are never really taught, but that is very, very important.  Here is some innocent-looking C code:
Code:
int size;
memcpy(&size, data, sizeof(size)); // The first 4 bytes are the size, not including headers
unsigned char *buffer = malloc(size + 10); // allocate 10 extra bytes, to include the header (size + 10 can wrap around)
memcpy(buffer, data, 10); // copy the header
memcpy(buffer + 10, data + 10, size); // copy the rest of the data (size is never checked against the allocation)

That looks innocent enough.  But what if the user sends a size of 0xFFFFFFF6?  It will allocate size+10, or 0x00000000 bytes (due to the overflow).  Then it will go ahead and copy the data into the buffer.  Well, we only allocated 0 bytes, so we're overwriting other data on the heap now.  This is a heap overflow, and doesn't always lead to full control of the process but often it's game over.
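The wraparound described in the post above, next to one way to reject it, as an added example that is not part of the original post. `wrapped_alloc_size`, `copy_packet_checked` and `HEADER_LEN` are hypothetical names, and the size is assumed to be a 32-bit field in the first four bytes of the packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER_LEN 10u  /* header size used in the post's snippet */

/* The 32-bit sum from the post: 0xFFFFFFF6 + 10 wraps around to 0. */
uint32_t wrapped_alloc_size(uint32_t size) {
    return (uint32_t)(size + HEADER_LEN);  /* unsigned math is modulo 2^32 */
}

/* Hardened copy (hypothetical helper). Returns a malloc'd buffer holding
 * header + payload, or NULL when the declared size cannot be trusted.
 * Assumption: the size field is the first 4 bytes, in host byte order. */
unsigned char *copy_packet_checked(const unsigned char *data, size_t data_len,
                                   size_t *out_len) {
    uint32_t size;
    if (data == NULL || out_len == NULL || data_len < HEADER_LEN)
        return NULL;                       /* not even a full header */
    memcpy(&size, data, sizeof size);      /* attacker-controlled value */
    /* Compare against the bytes actually received instead of computing
     * size + HEADER_LEN first; data_len - HEADER_LEN cannot wrap here. */
    if (size > data_len - HEADER_LEN)
        return NULL;
    size_t total = (size_t)size + HEADER_LEN;  /* now bounded by data_len */
    unsigned char *buffer = malloc(total);
    if (buffer == NULL)
        return NULL;
    memcpy(buffer, data, total);           /* header and payload together */
    *out_len = total;
    return buffer;
}

int main(void) {
    unsigned char pkt[16] = {0};           /* constructed sample packet */
    uint32_t evil = 0xFFFFFFF6u;           /* the size value from the post */
    size_t n = 0;
    memcpy(pkt, &evil, sizeof evil);
    unsigned char *p = copy_packet_checked(pkt, sizeof pkt, &n);
    printf("wrapped size: %u, packet rejected: %d\n",
           (unsigned)wrapped_alloc_size(evil), p == NULL);
    free(p);
    return 0;
}
```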

Warrior
Re: [VB6] Simple Checksumming Method
« Reply #16 on: June 30, 2005, 09:51:13 pm »
...and what happens to the location in memory if you overflowed the variable...

I'd think the CPU would generate an exception before the memory was written to, no?
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

MyndFyre
Re: [VB6] Simple Checksumming Method
« Reply #17 on: July 01, 2005, 12:18:59 am »
> I'd think the CPU would generate an exception before the memory was written to, no?
Only if you tried to overwrite from a page of unprotected memory to a page of protected memory, AFAIK.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

iago
Re: [VB6] Simple Checksumming Method
« Reply #18 on: July 01, 2005, 12:27:41 am »
> > I'd think the CPU would generate an exception before the memory was written to, no?
> Only if you tried to overwrite from a page of unprotected memory to a page of protected memory, AFAIK.

Yeah, you only get an exception if you overwrite memory that you aren't allowed to.