Arbitrary write vulnerability without buffer overflow
Question
I was diving into memory vulnerabilities (C/C++) and I am interested in knowing what kind of vulnerabilities allow an arbitrary memory write (or read) without exploiting a buffer overflow (or overread). The ultimate goal would be to reach an arbitrary location (target) exploiting a memory vulnerability (source), without accessing the memory between the target and the source. It doesn't matter if the location can be choosen, I'm only interested in the ability of reaching a distant location.
I know a possible example would be the use of the %n placeholder in the printf functions and similar (format string vulnerability). Are there any other?
I also know that corrupting an index somehow (maybe integer overflow) might lead to such an arbitrary write, like in the following example:
#include <stdlib.h>
void main(int argc, char ** argv){
int c = atoi(*(argv+1)); //get value from input
char buf[40000];
if(c>39999) return 1; //check boundary for buffer
short ind = c; //wrong conversion --> integer overflow
buf[ind] = 'c'; //Write to arbitrary location (negative index)
}
However, I wonder if there are more classical examples of such vulnerabilities. Thank you for your help!
1 answers
solution1
1 2022-01-05 16:15:51
Simply set a pointer to an arbitrary address and indirect through it.
#include <stdlib.h>
void main(int argc, char ** argv){
char *c = (char *)strtoul(*(argv+1), NULL, 0); //get value from input
*c = 'c';
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.