-
July 31st, 2009, 01:23 AM
#1
Junior Member
Division by zero exception
I would like to know how a hacker can use a division by zero exception to get access to a (web) server and/or elevate his privileges and get root access.
-
July 31st, 2009, 06:27 AM
#2
It's just an error thrown up when a program tries to divide non-positive numbers.
-
July 31st, 2009, 07:28 AM
#3
I would like to know how a hacker can use a division by zero exception to get access to a (web) server and/or elevate his privileges and get root access.
Two words: "crappy programming" 
Mathematical conventions aside, division by zero will produce infinity as a result, and any attempt to calculate infinity will be an effective Denial of Service attack. 
Your question, as I see it, is really about exception handling in general, of which division by zero is just an example.
Basically it is all about what the system does when it encounters an error. If it skips that instruction and goes on to process the next and subsequent instructions with system privileges, I think you can see where that could lead?
And whilst I'm here.............welcome to AO
-
July 31st, 2009, 07:56 AM
#4
Denial of Service attack.
He isn't talking about executables. Web applications would just throw up response codes.
If it skips that instruction and goes on to process the next and subsequent instructions with system privileges, I think you can see where that could lead?
Um... a process is given a set of privileges the moment it's run. Secondly, dividing by zero won't cause a program to call and jump random addresses.
-
July 31st, 2009, 08:35 AM
#5
He isn't talking about executables. Web applications would just throw up response codes.
Yes I found that somewhat confusing as well. Division by zero implies an executable. Like yourself, I would expect a web application to simply validate a field and produce a code............in this case an invalid character one......then wait for its correction or the timeout threshold if one is set.
Off the top of my head I cannot envisage a situation where an attacker would know that a division calculation was going to take place, and be able to insert what should fundamentally be rejected as an invalid input.
Um... a process is given a set of privileges the moment it's run.
Yes, in this case I am assuming that it is System, or it would not be possible to elevate privileges?
Secondly, dividing by zero won't cause a program to call and jump random addresses.
I wasn't thinking of random, but sequential, with the next instruction being malicious or flawed.
I really don't see why this should be web-specific?
-
July 31st, 2009, 11:38 AM
#6
You mean "ret" which is at the end of almost every procedure that's ever been compiled? Or some type of elseif statement? For some reason I really don't see that as something malicious.
Last edited by The-Spec; July 31st, 2009 at 04:31 PM.
-
July 31st, 2009, 02:06 PM
#7
I would imagine that the mishandling of the exception would have to permit the running of arbitrary code with the rights of current user. Personally I can't recall an example that would apply to a web server, although I am no expert on web servers.
It is the kind of thing I would normally associate with client based applications software being served with a specially crafted/malformed item.
The standard MS comment goes something like: "An attacker that successfully exploited this vulnerability would be able to execute arbitrary code with the privileges of the current user."
-
July 31st, 2009, 04:24 PM
#8
Start Here (stolen from the interwebz)
Code:
// Fig. 13.1: DivideByZeroNoExceptionHandling.java
// An application that attempts to divide by zero.
import java.util.Scanner;

public class DivideByZeroNoExceptionHandling
{
   // demonstrates throwing an exception when a divide-by-zero occurs
   public static int quotient( int numerator, int denominator )
   {
      return numerator / denominator; // possible division by zero
   } // end method quotient

   public static void main( String args[] )
   {
      Scanner scanner = new Scanner( System.in ); // scanner for input

      System.out.print( "Please enter an integer numerator: " );
      int numerator = scanner.nextInt();
      System.out.print( "Please enter an integer denominator: " );
      int denominator = scanner.nextInt();

      int result = quotient( numerator, denominator );
      System.out.printf(
         "\nResult: %d / %d = %d\n", numerator, denominator, result );
   } // end main
} // end class DivideByZeroNoExceptionHandling
Note, please DO NOT ATTEMPT if you are the Real Chuck Norris. (we really don't want to see what happens when you actually divide infinity)
09:F9:11:02:9D:74:E3:5B  8:41:56:C5:63:56:88:C0
-
July 31st, 2009, 04:35 PM
#9
It is the kind of thing I would normally associate with client based applications software being served with a specially crafted/malformed item.
The standard MS comment goes something like: "An attacker that successfully exploited this vulnerability would be able to execute arbitrary code with the privileges of the current user."
So you truly are confusing this with buffer overflows? Seriously?!
-
July 31st, 2009, 04:50 PM
#10
Junior Member
My question should be more general - exceptions other than a division by zero. I guess it was just an example. When an exception is thrown and the application doesn't catch it, the web server will throw the exception back to the user. It may contain sensitive information that can be used to exploit the server.
I'm trying to figure out if there's a way for a hacker to use an unhandled exception for elevating his privileges and gain access to restricted pages.
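The point raised in the last post, an exception sent back to the user carrying internal details, is shown below as an added example that is not part of any post in this thread. It reuses the quotient method from post #8; the class, the Response record and the two handler names are hypothetical, the requests in main are constructed, and Java 16 or later is assumed.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class QuotientHandlerDemo {
    private static final Logger LOG = Logger.getLogger("quotient");
    // Simulated HTTP response: status code plus the body sent to the client.
    record Response(int status, String body) {}

    static int quotient(int numerator, int denominator) {
        return numerator / denominator; // throws ArithmeticException on zero
    }

    // Weak: any failure is rendered to the client with its full stack trace,
    // exposing class names, file names and line numbers.
    static Response leaky(String num, String den) {
        try {
            return new Response(200, String.valueOf(
                quotient(Integer.parseInt(num), Integer.parseInt(den))));
        } catch (RuntimeException e) {
            StringWriter trace = new StringWriter();
            e.printStackTrace(new PrintWriter(trace));
            return new Response(500, trace.toString());
        }
    }

    // Hardened: validate input, keep details in the server log, and give the
    // client only a generic message plus an opaque incident id.
    static Response hardened(String num, String den) {
        try {
            int n = Integer.parseInt(num), d = Integer.parseInt(den);
            if (d == 0) return new Response(400, "denominator must be non-zero");
            return new Response(200, String.valueOf(quotient(n, d)));
        } catch (NumberFormatException e) {
            return new Response(400, "numerator and denominator must be integers");
        } catch (RuntimeException e) {
            String id = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "incident " + id, e); // full trace stays server-side
            return new Response(500, "internal error, reference " + id);
        }
    }

    public static void main(String[] args) { // constructed sample requests
        System.out.println(leaky("10", "0").body()); // stack trace reaches the client
        System.out.println(hardened("10", "0"));     // 400, no internals disclosed
        System.out.println(hardened("10", "x"));     // 400, no internals disclosed
    }
}
```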