Have real exploits of arithmetic overflows happened?

Posted by Clark L. Coleman on February 13, 2007, 12:45 pm

Searching through security bulletins, you see many reports of buffer
overflow vulnerabilities, perhaps 10-15% that many format string
vulnerabilities, even fewer integer overflow and/or signedness
vulnerabilities, and even fewer double-free vulnerabilities.

These are all reported by security firms that were reviewing code, or
random open source code reviewers. What I am wondering is: Have there
actually been successful exploits of the more exotic vulnerabilities
(e.g. integer overflow or double-free), as opposed to just reports of
vulnerabilities?

In both my teaching and research I would like to comment on whether
anyone's system has ever really been damaged by an attacker using such
an exploit, as opposed to proof-of-concept reports.

Thanks for any pointers.

Clark Coleman
University of Virginia

Posted by Sebastian Gottschalk on February 13, 2007, 7:48 pm
Clark L. Coleman wrote:

> Have there actually been successful exploits of the more exotic
> vulnerabilities (e.g. integer overflow or double-free), as opposed to just
> reports of vulnerabilities?

One of the recent MS Word vulnerabilities is an often exploited integer
overflow.

Posted by Ertugrul Soeylemez on February 13, 2007, 8:23 pm
clc5q@viper.cs.Virginia.EDU (Clark L. Coleman) (07-02-13 17:45:07):

> Searching through security bulletins, you see many reports of buffer
> overflow vulnerabilities, perhaps 10-15% that many format string
> vulnerabilities, even fewer integer overflow and/or signedness
> vulnerabilities, and even fewer double-free vulnerabilities.
>
> These are all reported by security firms that were reviewing code, or
> random open source code reviewers. What I am wondering is: Have there
> actually been successful exploits of the more exotic vulnerabilities
> (e.g. integer overflow or double-free), as opposed to just reports of
> vulnerabilities?
>
> In both my teaching and research I would like to comment on whether
> anyone's system has ever really been damaged by an attacker using such
> an exploit, as opposed to proof-of-concept reports.

Probably a lot of them have been exploited actively, but not necessarily
against large networks or well-known hosts (Google, Amazon, Ebay, ...).

I can't imagine that the TCP options bug in the Linux Netfilter wasn't
exploited somewhere in the wild. It was a signedness bug, which could
be exploited to drop the kernel into an endless loop.


Regards,
E.S.
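To make the two bug classes named in this thread concrete, here is an added example in C. It is constructed for this page: it is not the Netfilter code that the reply above refers to, nor code from any product mentioned in the thread. The TCP-options-style byte strings, the `struct rec` type and all function names are assumptions chosen for illustration. The first pair shows a signedness bug in an option walker (a length byte read into a signed type, so 0 stalls the loop and 0x80..0xff goes negative) beside a hardened walker; the second pair shows an allocation-size multiplication that wraps in 32-bit arithmetic beside an overflow-checked version. The buggy walker carries a step budget and a negative-index check purely so the demonstration terminates and stays in bounds; the real bug would spin forever or read before the buffer.

```c
/*
 * Added illustration of the integer bug classes discussed in the thread.
 * Not the Netfilter code; samples and names below are constructed.
 * Build: cc -std=c11 -Wall -Wextra -o intbugs intbugs.c && ./intbugs
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define MAX_STEPS 64   /* demo-only loop budget so the buggy walker terminates */

/* Constructed TCP-options-like byte strings (kind, len, data...). */
static const unsigned char SAMPLE_GOOD[] = {2, 4, 0x05, 0xb4, 1, 1, 4, 2, 0};   /* MSS, NOP, NOP, SACK-permitted, EOL */
static const unsigned char SAMPLE_ZERO[] = {2, 4, 0x05, 0xb4, 3, 0x00, 0, 0};   /* kind 3 with length 0 */
static const unsigned char SAMPLE_NEG[]  = {2, 4, 0x05, 0xb4, 3, 0xf0, 0, 0};   /* length 0xf0: -16 as signed char */

/*
 * BUGGY walker. Returns 1 if option `want` is found, 0 if not, -1 if the
 * walk ran away (demo guard). The length byte lands in a signed char, so a
 * length of 0 makes no progress and a length >= 0x80 moves the cursor back.
 */
int find_option_buggy(const unsigned char *opt, int optlen, int want)
{
    int i = 0, steps = 0;
    while (i < optlen) {
        if (i < 0 || ++steps > MAX_STEPS)
            return -1;                       /* demo guard: real code would hang or read before opt[] */
        int kind = opt[i];
        if (kind == 0) return 0;             /* end-of-options */
        if (kind == 1) { i++; continue; }    /* NOP is a single byte */
        if (i + 1 >= optlen) return 0;
        signed char opsize = (signed char)opt[i + 1];   /* the signedness bug */
        if (kind == want) return 1;
        i += opsize;                         /* 0 => no progress, negative => backwards */
    }
    return 0;
}

/* FIXED walker: unsigned length, and every length validated against what is left. */
int find_option_fixed(const unsigned char *opt, size_t optlen, unsigned want)
{
    size_t i = 0;
    while (i < optlen) {
        unsigned kind = opt[i];
        if (kind == 0) return 0;
        if (kind == 1) { i++; continue; }
        if (i + 1 >= optlen) return 0;
        unsigned opsize = opt[i + 1];                     /* 0..255, never negative */
        if (opsize < 2 || opsize > optlen - i) return 0;  /* malformed: stop, do not trust it */
        if (kind == want) return 1;
        i += opsize;                                      /* always advances by at least 2 */
    }
    return 0;
}

struct rec { uint32_t a, b, c, d; };   /* 16-byte element, constructed for the demo */

/*
 * BUGGY size computation, as written for a 32-bit size type: count * 16
 * wraps, so an attacker-chosen count yields a tiny allocation that a later
 * copy of `count` elements overruns on the heap. Returns the wrapped size.
 */
uint32_t alloc_size_buggy(uint32_t count)
{
    return count * (uint32_t)sizeof(struct rec);
}

/* FIXED: reject any count whose product cannot be represented. 0 on success, -1 if rejected. */
int alloc_size_fixed(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / sizeof(struct rec)) return -1;
    *out = count * (uint32_t)sizeof(struct rec);
    return 0;
}

int main(void)
{
    printf("buggy  good/zero/neg: %d %d %d\n",
           find_option_buggy(SAMPLE_GOOD, (int)sizeof SAMPLE_GOOD, 4),
           find_option_buggy(SAMPLE_ZERO, (int)sizeof SAMPLE_ZERO, 4),
           find_option_buggy(SAMPLE_NEG,  (int)sizeof SAMPLE_NEG,  4));
    printf("fixed  good/zero/neg: %d %d %d\n",
           find_option_fixed(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 4),
           find_option_fixed(SAMPLE_ZERO, sizeof SAMPLE_ZERO, 4),
           find_option_fixed(SAMPLE_NEG,  sizeof SAMPLE_NEG,  4));
    uint32_t n;
    printf("buggy size for 0x10000001 records: %u bytes\n", alloc_size_buggy(0x10000001u));
    printf("fixed size for 0x10000001 records: %s\n",
           alloc_size_fixed(0x10000001u, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two fixes share one idea: take the attacker-controlled number into an unsigned type wide enough to hold every value it can carry, then compare it against what is actually available (bytes remaining, or the largest representable product) before using it in arithmetic or as an index.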

Posted by Super Lemon on February 14, 2007, 12:35 am
Clark L. Coleman wrote:
> Searching through security bulletins, you see many reports of buffer
> overflow vulnerabilities, perhaps 10-15% that many format string
> vulnerabilities, even fewer integer overflow and/or signedness
> vulnerabilities, and even fewer double-free vulnerabilities.
>
> These are all reported by security firms that were reviewing code, or
> random open source code reviewers. What I am wondering is: Have there
> actually been successful exploits of the more exotic vulnerabilities
> (e.g. integer overflow or double-free), as opposed to just reports of
> vulnerabilities?
>
> In both my teaching and research I would like to comment on whether
> anyone's system has ever really been damaged by an attacker using such
> an exploit, as opposed to proof-of-concept reports.
>
> Thanks for any pointers.
>
> Clark Coleman
> University of Virginia

The GDI+/WMF exploit from the end of 2004 was an integer overflow, although I've
seen it described as an underflow.
