Secure coding

Integer Overflow and Underflow Exploitation Case Study

December 7, 2020 by Howard Poston

Integer Overflows and Underflows

Integer overflow and underflow vulnerabilities are simple but dangerous flaws within an application.  These vulnerabilities become a problem when values are placed in variables that cannot hold them (i.e. larger than their maximum value or smaller than their minimum).

When this happens, the application doesn’t break.  Instead, the value in question is interpreted in a way that fits the variable.  Most commonly, this becomes an issue when a variable is interpreted one way at one location in the code (such as allocation of memory) and another way at a different one (like copying data into an allocated memory buffer).

The Apple iMessage Vulnerability

Integer overflow and underflow vulnerabilities are simple but they can have dramatic impacts.  An example of a potentially high-impact integer overflow vulnerability is a flaw in Apple iMessage discovered in 2019.

Between April and June 2019, vulnerabilities researchers that were members of Google’s Project Zero identified six different vulnerabilities in Apple’s iMessage mobile app.  One of these vulnerabilities was an integer overflow vulnerability that was deemed “difficult to exploit” and has since been patched by Apple.

Inside the Vulnerability

The Apple iMessage flaw is an example of an integer overflow vulnerability that created a buffer overflow vulnerability.  The issue existed in the code where Apple iMessage decoded a structure called NSKnownKeysDictionary1, which is part of Cocoa.

This structure included compressed data, and the Apple iMessage application unpacked it for further use.  Since the data was compressed, this required the application to allocate a memory buffer where the data could be written after it had been uncompressed.

Within the NSKnownKeysDictionary1 structure, a variable was defined that stated the number of bytes of memory that the decompressed structure required.  When allocating the memory for the buffer, this value was allocated in bits, meaning that it needed to be multiplied by eight.

This multiplication created the potential for an integer overflow vulnerability.  If the size of the compressed NSKnownKeysDictionary1 structure was more than one-eighth of the maximum value of the variable type used to store the length value, then this variable would be overflowed.

As a result, less memory would be allocated for the uncompressed buffer than was required.  This would cause the decompression algorithm to write outside of the bounds of the allocated memory buffer and overwrite memory used elsewhere within the application.

Depending on how this other memory was used, an attacker could potentially use the buffer overflow vulnerability to overwrite key values that impacted the security of the application.  Alternatively, a malicious NSKnownKeysDictionary1 could be designed simply to crash the application.

Protecting Against Integer Overflows and Underflows

Integer overflows and underflow vulnerabilities exist when an application attempts to store a value in a variable where it doesn’t fit.  These vulnerabilities can be difficult to detect but can have a dramatic impact on an application’s usability and security.  For this reason, it is vital to check the value stored in variables before performing typecasting.

Sources

  1. https://bugs.chromium.org/p/project-zero/issues/detail?id=1884
  2. https://threatpost.com/apple-imessage-remote-attackersread-iphone-messages/146789/
  3. https://www.guru99.com/c-type-casting.html
Posted: December 7, 2020
Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.

Leave a Reply

Your email address will not be published. Required fields are marked *