I would like to know how a hacker can use a division by zero exception to get access to a (web) server and/or elevate his privileges and get root access.
It's just an error thrown up when a program tries to divide non-positive numbers.
Two words: "crappy programming" :D
Quote:
I would like to know how a hacker can use a division by zero exception to get access to a (web) server and/or elevate his privileges and get root access.
Mathematical conventions aside, division by zero will produce infinity as a result, and any attempt to calculate infinity will be an effective Denial of Service attack. :eek:
Your question, as I see it, is really about exception handling in general, of which division by zero is just an example.
Basically it is all about what the system does when it encounters an error. If it skips that instruction and goes on to process the next and subsequent instructions with system privileges, I think you can see where that could lead?
And whilst I'm here.............welcome to AO :)
He isn't talking about executables. Web applications would just throw up response codes.
Quote:
Denial of Service attack.
Um... a process is given a set of privileges the moment it's run. Secondly, dividing by zero won't cause a program to call and jump random addresses.
Quote:
If it skips that instruction and goes on to process the next and subsequent instructions with system privileges, I think you can see where that could lead?
Yes I found that somewhat confusing as well. Division by zero implies an executable. Like yourself, I would expect a web application to simply validate a field and produce a code............in this case an invalid character one......then wait for its correction or the timeout threshold if one is set.
Quote:
He isn't talking about executables. Web applications would just throw up response codes.
Off the top of my head I cannot envisage a situation where an attacker would know that a division calculation was going to take place, and be able to insert what should fundamentally be rejected as an invalid input.
Yes, in this case I am assuming that it is System, or it would not be possible to elevate privileges?
Quote:
Um... a process is given a set of privileges the moment it's run.
I wasn't thinking of random, but sequential, with the next instruction being malicious or flawed.
Quote:
Secondly, dividing by zero won't cause a program to call and jump random addresses.
I really don't see why this should be web-specific?
You mean "ret" which is at the end of almost every procedure that's ever been compiled? Or some type of elseif statement? For some reason I really don't see that as something malicious.
I would imagine that the mishandling of the exception would have to permit the running of arbitrary code with the rights of current user. Personally I can't recall an example that would apply to a web server, although I am no expert on web servers.
It is the kind of thing I would normally associate with client based applications software being served with a specially crafted/malformed item.
The standard MS comment goes something like: "An attacker that successfully exploited this vulnerability would be able to execute arbitrary code with the privileges of the current user."
Start Here (stolen from the interwebz)
Note, please DO NOT ATTEMPT if you are the Real Chuck Norris. (we really don't want to see what happens when you actually divide infinity)
Code:
// Fig. 13.1: DivideByZeroNoExceptionHandling.java
// An application that attempts to divide by zero.
import java.util.Scanner;

public class DivideByZeroNoExceptionHandling
{
   // demonstrates throwing an exception when a divide-by-zero occurs
   public static int quotient( int numerator, int denominator )
   {
      return numerator / denominator; // possible division by zero
   } // end method quotient

   public static void main( String args[] )
   {
      Scanner scanner = new Scanner( System.in ); // scanner for input

      System.out.print( "Please enter an integer numerator: " );
      int numerator = scanner.nextInt();
      System.out.print( "Please enter an integer denominator: " );
      int denominator = scanner.nextInt();

      int result = quotient( numerator, denominator );
      System.out.printf(
         "\nResult: %d / %d = %d\n", numerator, denominator, result );
   } // end main
} // end class DivideByZeroNoExceptionHandling
So you truly are confusing this with buffer overflows? Seriously?!
Quote:
It is the kind of thing I would normally associate with client based applications software being served with a specially crafted/malformed item.
The standard MS comment goes something like: "An attacker that successfully exploited this vulnerability would be able to execute arbitrary code with the privileges of the current user."
My question should be more general - exceptions rather than a division by zero. I guess it was just an example. When an exception is thrown and the application doesn't catch it, the web server will throw the exception back to the user. It may contain sensitive information that can be used to exploit the server.
I'm trying to figure out if there's a way for a hacker to use an unhandled exception to elevate his privileges and gain access to restricted pages.
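
Added example, not part of the original thread: the information-disclosure case raised in the last post, shown as a handler that echoes the exception to the client next to one that validates input and keeps the trace in the server log. The class `QuotientHandlers`, both handler methods and the "status body" response strings are hypothetical names and formats chosen for illustration; `quotient` mirrors the method in the code posted above.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical request handlers; responses are modelled as "<status> <body>" strings.
public class QuotientHandlers {
    private static final Logger LOG = Logger.getLogger("app");

    // Same arithmetic as the thread's quotient(): ArithmeticException on a zero denominator.
    static int quotient(int numerator, int denominator) {
        return numerator / denominator;
    }

    // Leaky pattern: stands in for a default error page that prints the trace to the client.
    static String leakyHandler(String num, String den) {
        try {
            return "200 " + quotient(Integer.parseInt(num), Integer.parseInt(den));
        } catch (RuntimeException e) {
            StringWriter trace = new StringWriter();
            e.printStackTrace(new PrintWriter(trace));
            return "500 " + trace; // discloses class, method and source-file names
        }
    }

    // Hardened pattern: reject bad input with a 400, keep exception details server-side.
    static String hardenedHandler(String num, String den) {
        String incidentId = UUID.randomUUID().toString();
        try {
            int n = Integer.parseInt(num);
            int d = Integer.parseInt(den);
            if (d == 0) {
                return "400 denominator must be non-zero";
            }
            return "200 " + quotient(n, d);
        } catch (NumberFormatException e) {
            return "400 numerator and denominator must be integers";
        } catch (RuntimeException e) {
            LOG.log(Level.SEVERE, "incident " + incidentId, e); // full trace goes to the log only
            return "500 internal error, reference " + incidentId;
        }
    }

    public static void main(String[] args) {
        System.out.println(leakyHandler("10", "0"));    // constructed input
        System.out.println(hardenedHandler("10", "0")); // constructed input
    }
}
```

The incident reference lets support staff find the logged trace without the response revealing anything about the application's internals.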