Have real exploits of arithmetic overflows happened?

on 13.02.2007 18:45:07 by clc5q

Searching through security bulletins, you see many reports of buffer
overflow vulnerabilities, perhaps 10-15% that many format string
vulnerabilities, even fewer integer overflow and/or signedness
vulnerabilities, and even fewer double-free vulnerabilities.

These are all reported by security firms that were reviewing code, or
random open source code reviewers. What I am wondering is: Have there
actually been successful exploits of the more exotic vulnerabilities
(e.g. integer overflow or double-free), as opposed to just reports of
vulnerabilities?

In both my teaching and research I would like to comment on whether
anyone's system has ever really been damaged by an attacker using such
an exploit, as opposed to proof-of-concept reports.

Thanks for any pointers.

Clark Coleman
University of Virginia

Re: Have real exploits of arithmetic overflows happened?

on 14.02.2007 01:48:35 by unknown

Post removed (X-No-Archive: yes)

Re: Have real exploits of arithmetic overflows happened?

on 14.02.2007 02:23:16 by Ertugrul Soeylemez

clc5q@viper.cs.Virginia.EDU (Clark L. Coleman) (07-02-13 17:45:07):

> Searching through security bulletins, you see many reports of buffer
> overflow vulnerabilities, perhaps 10-15% that many format string
> vulnerabilities, even fewer integer overflow and/or signedness
> vulnerabilities, and even fewer double-free vulnerabilities.
>
> These are all reported by security firms that were reviewing code, or
> random open source code reviewers. What I am wondering is: Have there
> actually been successful exploits of the more exotic vulnerabilities
> (e.g. integer overflow or double-free), as opposed to just reports of
> vulnerabilities?
>
> In both my teaching and research I would like to comment on whether
> anyone's system has ever really been damaged by an attacker using such
> an exploit, as opposed to proof-of-concept reports.

Probably a lot of them have been exploited actively, but not necessarily
against large networks or well-known hosts (Google, Amazon, Ebay, ...).

I can't imagine that the TCP options bug in the Linux Netfilter wasn't
exploited somewhere in the wild. It was a signedness bug, which could
be exploited to drop the kernel into an endless loop.
Regards,
E.S.
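The two bug classes this thread is about, a signedness bug in length handling (the kind that can stall a parser in an endless loop, as described for the Netfilter TCP options case above) and an arithmetic overflow in a size computation, are easier to reason about with a concrete, constructed illustration. The code below is an added example written for this page; it is not the Linux Netfilter code, not any poster's code, and every function name and input byte in it is made up for the demonstration. It shows a TCP-style option parser in a vulnerable and a hardened form, and a 32-bit allocation-size multiply in a naive and a checked form.

```c
/* Added, constructed example: not the Netfilter code, not from any poster.
 * Demonstrates (1) a signedness bug in a TLV length field that makes a
 * parser loop forever, and (2) an unchecked multiply that wraps a size. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

#define OPT_END 0   /* TCP-style "end of options" kind */
#define OPT_NOP 1   /* TCP-style "no operation" kind, carries no length byte */

/* Constructed inputs. kCycleOpts: NOP, NOP, then kind 3 with length byte 0xfe;
 * in the vulnerable parser that length becomes -2 and the index cycles
 * 0 -> 1 -> 2 -> 0 without ever leaving the buffer. kGoodOpts: a well-formed
 * 4-byte option, a NOP and an END marker. */
static const unsigned char kCycleOpts[] = { OPT_NOP, OPT_NOP, 3, 0xfe, 2, 4, 0x05, 0xb4 };
static const unsigned char kGoodOpts[]  = { 2, 4, 0x05, 0xb4, OPT_NOP, OPT_END };

/* Vulnerable parser: the length byte is read through a signed char, so bytes
 * 0x80..0xff sign-extend to negative values. The only bounds check is an
 * upper bound, which a negative length passes, and `i += len` then walks
 * backwards. max_steps caps the loop so this demo terminates; the function
 * returns -1 when the cap is hit (real code of this shape would spin
 * forever), -2 for a truncated option, else the number of options seen. */
int count_options_vuln(const unsigned char *opt, int optlen, int max_steps)
{
    int i = 0, count = 0, steps = 0;
    while (i < optlen) {
        if (++steps > max_steps)
            return -1;                       /* stuck: the signedness bug */
        unsigned char kind = opt[i];
        if (kind == OPT_END)
            break;
        if (kind == OPT_NOP) { i++; count++; continue; }
        if (i + 1 >= optlen)
            return -2;
        int len = (signed char)opt[i + 1];   /* BUG: sign-extended length */
        if (len > optlen - i)
            return -2;                       /* upper bound only */
        i += len;                            /* negative len moves backwards */
        count++;
    }
    return count;
}

/* Hardened parser: the length is unsigned and both bounds are enforced, so
 * every iteration advances by at least one byte and the loop must end. */
int count_options_fixed(const unsigned char *opt, size_t optlen)
{
    size_t i = 0;
    int count = 0;
    while (i < optlen) {
        unsigned char kind = opt[i];
        if (kind == OPT_END)
            break;
        if (kind == OPT_NOP) { i++; count++; continue; }
        if (i + 1 >= optlen)
            return -2;
        size_t len = opt[i + 1];             /* unsigned: 0xfe is 254, never -2 */
        if (len < 2 || len > optlen - i)
            return -2;                       /* lower AND upper bound */
        i += len;
        count++;
    }
    return count;
}

/* Allocation-size arithmetic in 32 bits so the wrap is visible: a huge
 * element count times the element size silently becomes a tiny number. */
uint32_t elem_bytes_naive(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;                /* BUG: unchecked multiply */
}

/* Checked version: refuses any count whose product would not fit. */
bool elem_bytes_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the multiply would wrap. */
uint32_t elem_bytes_or_zero(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes = 0;
    return elem_bytes_checked(count, elem_size, &bytes) ? bytes : 0;
}

int main(void)
{
    printf("vuln parser on cycling input:  %d (-1 = would loop forever)\n",
           count_options_vuln(kCycleOpts, (int)sizeof kCycleOpts, 1000));
    printf("fixed parser on cycling input: %d (-2 = rejected as malformed)\n",
           count_options_fixed(kCycleOpts, sizeof kCycleOpts));
    printf("both parsers on good input:    %d / %d options\n",
           count_options_vuln(kGoodOpts, (int)sizeof kGoodOpts, 1000),
           count_options_fixed(kGoodOpts, sizeof kGoodOpts));
    printf("naive size for 0x40000001 x 4: %u bytes\n",
           elem_bytes_naive(0x40000001u, 4));
    printf("checked size for the same:     %u (0 = rejected)\n",
           elem_bytes_or_zero(0x40000001u, 4));
    return 0;
}
```

The point of the parser pair is that the vulnerable version already has a bounds check; it is the signed comparison that lets a length of 0xfe pass as -2, and the missing lower bound that lets the index go backwards. The fix is not "add more checks" so much as keeping the length unsigned and requiring forward progress on every iteration. The size pair shows why an allocation-size multiply needs the division-form check before the multiply rather than an inspection of the result afterwards.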

Re: Have real exploits of arithmetic overflows happened?

on 14.02.2007 06:35:44 by Super Lemon

Clark L. Coleman wrote:
> Searching through security bulletins, you see many reports of buffer
> overflow vulnerabilities, perhaps 10-15% that many format string
> vulnerabilities, even fewer integer overflow and/or signedness
> vulnerabilities, and even fewer double-free vulnerabilities.
>
> These are all reported by security firms that were reviewing code, or
> random open source code reviewers. What I am wondering is: Have there
> actually been successful exploits of the more exotic vulnerabilities
> (e.g. integer overflow or double-free), as opposed to just reports of
> vulnerabilities?
>
> In both my teaching and research I would like to comment on whether
> anyone's system has ever really been damaged by an attacker using such
> an exploit, as opposed to proof-of-concept reports.
>
> Thanks for any pointers.
>
> Clark Coleman
> University of Virginia

The GDI+/WMF exploit from the end of 2004 was an integer overflow, although I've
seen it described as an underflow.