Thursday, June 11, 2020

C++ Std::String Buffer Overflow And Integer Overflow

Loop indices are usually signed integers, the typical "for (int i=0; ...", and that same int is what ends up indexing "cstr[i]"; most code uses plain int, and int is signed by default.
Nevertheless, the index parameter of "std::string::operator[]" is size_type (size_t), which is unsigned, and so is the value returned by size(); the same happens with vectors.
On top of that, operator[] does no bounds checking at all, so it cannot reject a negative index; I will come back to this later.

Don't the compilers warn about this?


If this code got a large input it would index with a negative number; let's see what g++ and clang++ warn:



No warnings with the default flags (-Wall and -Wextra do not cover it; -Wsign-conversion does flag the int to size_type conversion on both compilers), so there are many bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function that gets the file size with tellg() and allocates the buffer with malloc; in this case the buffer is then used to build a string.
Let's see what assembly the compiler generates from this C++ code.



So the string constructor, followed by getting the size and adding -2, is clear. Then come the operator<< calls that print the message.
Then we see the operator[] call, which is where it will crash with the negative index.
In assembly it is clearer: it calls operator[] to get the character's address, and that is where the bad dereference happens. operator[] ends up returning an invalid address, and the load from [RAX] crashes.



In gdb the operator[] invocation is a callq 0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>, the mangled name of std::__cxx11::basic_string<char>::operator[](unsigned long); the trailing "m" is the unsigned long parameter, i.e. size_type. Under the SysV x86-64 ABI RDI carries this and RSI carries the index:

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


Breaking on that call does not land in operator[] itself but in the dynamic linker: the call goes through the PLT, and on its first use ld-linux resolves the symbol lazily (_dl_runtime_resolve / _dl_fixup). Frame #6 is our call site in main:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]: RAX holds the wrapped address returned by operator[], and the byte load from it faults:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)
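The arithmetic the gdb session shows, reproduced as an added example (this is not the post's code). It assumes the index pattern the post describes, int i = s.size() - 2, and an input of 0xFFFF0000 bytes, an assumption chosen because it is the size that yields the post's -65538; it also shows the hardened form of the same lookup, with the index kept in size_type and at() used instead of operator[].

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>

// The post's pattern: the unsigned size() minus 2 ends up in a signed int.
// size - 2 is computed in size_t and then truncated to int, so for sizes with
// bit 31 set the result is negative (0xFFFF0000 - 2 = 0xFFFEFFFE -> -65538).
int penultimate_index_signed(std::size_t size) {
    int i = size - 2;   // implicit narrowing; -Wall/-Wextra say nothing
    return i;
}

// What operator[] actually receives: its parameter is size_type (unsigned long
// on LP64), so the negative int becomes a huge unsigned offset
// (-65538 -> 0xfffffffffffefffe on LP64, the RSI value in the gdb session).
std::string::size_type index_as_seen_by_operator(int i) {
    return i;           // the same implicit conversion that happens in s[i]
}

// Hardened lookup: keep the index in size_type, reject short strings up front,
// and use at(), which throws std::out_of_range instead of dereferencing.
// Returns the byte value, or -1 if the string is too short.
int penultimate_byte(const std::string& s) {
    if (s.size() < 2) return -1;
    std::string::size_type i = s.size() - 2;
    return static_cast<unsigned char>(s.at(i));
}

// at() performs the same int -> size_type conversion as operator[], but then
// checks pos < size(), so an index that came from a negative int is rejected.
bool at_rejects(const std::string& s, int i) {
    try {
        (void)s.at(i);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    // Assumed input size: 0xFFFF0000 bytes reproduces the post's -65538.
    int i = penultimate_index_signed(0xFFFF0000u);
    std::printf("int index: %d, as size_type: 0x%zx\n", i, index_as_seen_by_operator(i));

    std::string s = "hello";   // constructed sample input
    std::printf("penultimate byte of \"%s\": %c\n", s.c_str(), penultimate_byte(s));
    std::printf("at() rejects %d: %s\n", i, at_rejects(s, i) ? "yes" : "no");
    return 0;
}
```

Built with g++ -Wall -Wextra nothing is reported; adding -Wsign-conversion flags both the size_t to int narrowing in penultimate_index_signed and the int to size_type conversions in s.at(i), which is the warning the post was looking for.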


What about negative indexing in std::string::operator[]?
It's exploitable!

With a C char array it is well known that if we control the index we can address arbitrary memory.
Let's see what happens with C++ strings:






The operator[] call returns the address of the string's data plus 10, and yes, we can do arbitrary writes.



Note that gdb displays AT&T assembly syntax by default, in which the operands are in the opposite order (source first, destination second):


And with a string that lives on the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm going to do 3 writes:


See below the command "i r rax" to view the address where the write will be performed.


The string's data, the base that operator[] adds the index to, starts at 0x7fffffffde50.
The write at -10 lands before the string, at 0x7fffffffde46.
And the write at -100 segfaults because it lands on an address that is not mapped.



So C++ std::string is probably not vulnerable to buffer overflows based on concatenation (operator+= and append grow the buffer themselves), but std::string::operator[] has no bounds check and no notion of a negative index: an int index is silently converted to size_type, so a negative value becomes a huge offset, and that can create vulnerable and exploitable situations. The root cause is usually the unsigned std::string::size() being stored in, or mixed with, a signed int. Keeping indices in size_type, using at() (which throws std::out_of_range) where the index is not provably in range, and building with -Wsign-conversion close most of these; with libstdc++, -D_GLIBCXX_ASSERTIONS additionally turns operator[] into a checked access.
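The address arithmetic behind the three writes, and a checked accessor that refuses what operator[] accepts, as an added example that is not the post's code. kSample, wrapped_target and checked_at are names introduced here; the target address is computed on integers only, so nothing outside the buffer is actually written.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <string>

// Constructed sample: a short string, so its bytes are stored inline in the
// object (SSO); as a local that puts them on the stack, as in the post.
const std::string kSample = "0123456789";

std::uintptr_t data_address(const std::string& s) {
    return reinterpret_cast<std::uintptr_t>(s.data());
}

// The address operator[] would hand back for a signed index, computed purely on
// integers (nothing is dereferenced). The int -> size_type conversion turns -10
// into SIZE_MAX - 9; adding that to the data pointer wraps again and lands at
// data() - 10, which is the post's "write before the string" observation.
std::uintptr_t wrapped_target(const std::string& s, long long idx) {
    std::size_t pos = static_cast<std::size_t>(idx);   // what operator[] receives
    return data_address(s) + pos;                       // modular arithmetic
}

// Signed-aware checked accessor: refuse negatives before they can wrap, then
// let at() enforce the upper bound (it throws std::out_of_range).
char& checked_at(std::string& s, long long idx) {
    if (idx < 0)
        throw std::out_of_range("negative index into std::string");
    return s.at(static_cast<std::string::size_type>(idx));
}

// Write c at idx on a copy of s; the copy comes back unchanged if idx was rejected.
std::string write_checked(std::string s, long long idx, char c) {
    try {
        checked_at(s, idx) = c;
    } catch (const std::out_of_range&) {
        // rejected: nothing written, no memory outside the buffer touched
    }
    return s;
}

// True if checked_at refuses the index (negative, or >= size()).
bool write_rejected(std::string s, long long idx) {
    try {
        checked_at(s, idx) = 'X';
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::printf("data() at 0x%llx\n", (unsigned long long)data_address(kSample));
    // The post's three writes: in range, 10 before the data, 100 before the data.
    for (long long idx : {3LL, -10LL, -100LL}) {
        std::printf("index %4lld -> operator[] target 0x%llx, checked_at rejects: %s\n",
                    idx, (unsigned long long)wrapped_target(kSample, idx),
                    write_rejected(kSample, idx) ? "yes" : "no");
    }
    std::printf("after checked write at 3: %s\n", write_checked(kSample, 3, 'X').c_str());
    return 0;
}
```

With libstdc++ the same operator[] becomes a checked access if the program is built with -D_GLIBCXX_ASSERTIONS: an out-of-range index then aborts on an assertion instead of silently wrapping, which is a cheap way to catch the signed/unsigned mix in tests. at() throws in every configuration, so the accessor above works unchanged with any standard library.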










August Connector

OWASP
Connector
  August 2019

COMMUNICATIONS


Letter from the Vice-Chairman:

Dear OWASP Community,  

I hope you are enjoying your summer; mine's been pretty busy: getting married, traveling to Vegas and the board elections. August has been quite a busy month for the foundation. Attending BlackHat and DefCon as part of our outreach program, the upcoming elections (I have to add, there were some really good questions from the community) and planning for the next two Global AppSec Conferences in September; it's been crazy. We, the board, would like to thank the staff and, without naming any names (Jon McCoy), for their efforts during BlackHat and DefCon. I was there, on the stand; he did a good job of representing our community.

Two days prior to BlackHat and DefCon the board met as part of our second face-to-face meeting of the year. These were two days well spent, collaborating on some of the burning topics, but also on how to move forward. At the beginning of the year we set out our strategic goals. Even though these goals are part of our everyday OWASP life, we decided to put a name against each of them to champion it; below are our goals and who will be championing them going forward:

Marketing - Chenxi
Membership - Ofer
Developer Outreach - Martin
Project Focus - Sherif
Improve Finances - Gary
Perception - Martin 
Process Improvement - Owen
Consistent ED - Done! 
Community Empowerment - Richard

If you are interested in getting involved in or would like to hear more about any of these strategic goals, please reach out to the relevant name above. 

Some of the Global Board members will be attending both our Global AppSec Conference in Amsterdam and the one in DC. We will hold our next public board meeting during the Global AppSec Conference in Amsterdam; if you haven't already done so, I would encourage you both to attend and to spread the word about the conference. There are some great keynotes, speakers and trainers lined up.

Regards
Owen Pendlebury 
Vice-Chairman of the OWASP Global Board of Directors
DC Registration Now Open                                   Amsterdam Registration Now Open
Congratulations to the Global AppSec Tel Aviv 2019
Capture the Flag Winners

 
For two full days, 24 competitors from around the world attacked the various challenges presented within the CTF activity held at Global AppSec Tel Aviv 2019. The competition began with a handful of competitors running neck and neck, with two of them, 4lemon and vasya, at the top, slowly gathering more points in their race hoping to win it all. At the last moment they were overtaken by Aleph, who swooped in and took the victory for himself with a total score of 29 points!

We would like to thank all of the individuals who participated and once again, congratulations to the top 3.
1st Place Winner: Aleph (29 points)
2nd Place: 4lemon (24 points)
3rd Place: vasya (24 points)

EVENTS 

You may also be interested in one of our other affiliated events:


REGIONAL EVENTS
Event                                                Date                      Location
OWASP Portland Training Day                          September 25, 2019        Portland, OR
OWASP Italy Day Udine 2019                           September 27, 2019        Udine, Italy
OWASP Poland Day                                     October 16, 2019          Wroclaw, Poland
BASC 2019 (Boston Application Security Conference)   October 19, 2019          Burlington, MA
LASCON X                                             October 24 - 25, 2019     Austin, TX
OWASP AppSec Day 2019                                Oct 30 - Nov 1, 2019      Melbourne, Australia
German OWASP Day 2019                                December 9 - 10, 2019     Karlsruhe, Germany
AppSec California 2020                               January 21 - 24, 2020     Santa Monica, CA
OWASP New Zealand Day 2020                           February 20 - 21, 2020    Auckland, New Zealand

PARTNER AND PROMOTIONAL EVENTS
Event                                     Date                    Location
it-sa - IT Security Expo and Congress     October 8 - 10, 2019    Germany

PROJECTS


Project Review Results from Global AppSec - Tel Aviv 2019
The results of the project reviews from Global AppSec Tel Aviv 2019 are in!  The following projects have graduated to the indicated status:

Project                          Leaders                            Level
Mobile Security Testing Guide    Jeroen Willemsen, Sven Schleier    Flagship
Cheat Sheet Series               Jim Manico, Dominique Righetto     Flagship
Amass                            Jeff Foley                         Lab


Please congratulate the leaders and their teams for their achievements!
If your project was up for review at Global AppSec Tel Aviv 2019 and it is not on this list, it just means that the project did not yet receive enough reviews.  And, if you are interested in helping review projects, send me an email (harold.blankenship@owasp.com).

Project Showcases at the Upcoming Global AppSecs
The Project Showcases for Global Appsec DC 2019 and Global AppSec Amsterdam 2019 are finalized.  For a complete schedule, see the following links:

Global AppSec - DC 2019 Project Showcase
Global AppSec - Amsterdam 2019 Project Showcase


Google Summer of Code Update
Google Summer of Code is now in the final stages.  Final Evaluations are due by September 2nd.  


The Mentor Summit will be in Munich this year; congratulate the OWASP mentors who were picked by raffle to attend and represent OWASP: Azzeddine Ramrami & Ali Razmjoo.


THE OWASP FOUNDATION HAS SELECTED THE TECHNICAL WRITER FOR GOOGLE SEASON OF DOCS by Fabio Cerullo

The OWASP Foundation has been accepted as an organization for Google Season of Docs, a project whose goals are to give technical writers an opportunity to gain experience in contributing to open source projects and to give open-source projects an opportunity to engage the technical writing community.

During the program, technical writers spend a few months working closely with an open-source community. They bring their technical writing expertise to the project's documentation, and at the same time learn about open source and new technologies.

The open-source projects work with the technical writers to improve the project's documentation and processes. Together they may choose to build a new documentation set, or redesign the existing docs, or improve and document the open-source community's contribution procedures and onboarding experience. Together, we raise public awareness of open source docs, of technical writing, and of how we can work together to the benefit of the global open source community.

After a careful review and selection process, the OWASP Foundation has picked the primary technical writer who will work alongside the OWASP ZAP Team for the next 3 months to create the API documentation of this flagship project.

Congratulations to Nirojan Selvanathan!

Please refer to the linked document where you could look at the deliverables and work execution plan.
https://drive.google.com/open?id=1kwxAzaqSuvWhis9Xn1VKNJTJZPM2UV20

COMMUNITY

 
Welcome New OWASP Chapters

Tegucigalpa, Honduras
Johannesburg, South Africa
 

CORPORATE SPONSORS


 
Our mailing address is:
OWASP Foundation 
1200-C Agora Drive, #232
Bel Air, MD 21014  