Introduction to Integer Overflows & Underflows

Integers

In computer science, an integer is a datum of integral data type, a data type that represents some range of mathematical integers. Integral data types may be of different sizes and may or may not be allowed to contain negative values. Integers are commonly represented in a computer as a group of binary digits (bits). The size of the grouping varies, so the set of integer sizes available varies between different types of computers. Computer hardware, including virtual machines, nearly always provides a way to represent a processor register or memory address as an integer.

Integers are just regions of memory. Since we also need to store negative numbers using only binary, we must use the Most Significant Bit (MSB) of a variable to determine the sign. If the MSB is 1 the value is negative; if it's 0 the value is positive.

Integer Types

Below you can see an example of C types, the storage size and expected value ranges. Other languages, architectures and operating systems have their own expectations and limitations on what can be stored and what types are available.

What is an Integer Overflow?

An Integer Overflow is the condition that occurs when the result of an arithmetic operation exceeds the maximum size of the integer type used to store it.

Let’s take the above C table as an example: the maximum value for int is 2,147,483,647, so if a value is larger than 2,147,483,647 it will segfault.

What is an Integer Underflow?

An Integer Underflow is the condition that occurs when the result of an arithmetic operation is less than the minimum size of the integer type used to store it.

Security Impact

The impact is specific to the binary being exploited. Integer overflows and underflows on their own do not lead to arbitrary code execution, but they might lead to stack or heap overflow conditions, which may result in arbitrary code execution.

Most recent vulnerabilities result in Denial of Service.

This is a nice example of an integer overflow remote exploit. I suggest you take time to read through the write-up and other issues like it…

PHP 7.0.5 – ZipArchive::getFrom* Integer Overflow. CVE-2016-3078. Remote exploit for PHP platform (Offensive Security’s Exploit Database Archive, www.exploit-db.com)

Other examples of impact may include:

  • eCommerce: when calculating a price, an integer overflow could be used to change the total from a positive to a negative value, resulting in account credit for the attacker and delivery of the stolen goods.
  • Withdrawing 1 dollar from an account with a balance of 0 could cause an integer underflow and yield a new balance of 4,294,967,295.
  • A very large positive number in a bank transfer could be cast as a signed integer by a back-end system. In such a case, the interpreted value could become a negative number and reverse the flow of money, from a victim’s account into the attacker’s.
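
The three cases above, as an added C example that is not from the original article. Function names are hypothetical, amounts are assumed to be whole cents or dollars held in 32-bit types, and `__builtin_mul_overflow` is a GCC/Clang builtin. The unchecked withdrawal reproduces the 4,294,967,295 balance; each checked function rejects the input instead of letting the value wrap or change sign.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Withdrawal as described in the list: unsigned subtraction wraps modulo 2^32. */
uint32_t withdraw_unchecked(uint32_t balance, uint32_t amount) {
    return balance - amount;              /* 0 - 1 wraps to 4294967295 */
}

/* Hardened withdrawal: refuse the operation instead of wrapping. */
bool withdraw_checked(uint32_t balance, uint32_t amount, uint32_t *out) {
    if (amount > balance) return false;   /* would underflow */
    *out = balance - amount;
    return true;
}

/* Order total: unit price times quantity in a signed 32-bit value. */
bool order_total_checked(int32_t unit_cents, int32_t qty, int32_t *total) {
    if (unit_cents < 0 || qty < 0) return false;
    /* The builtin returns true when the product does not fit in *total. */
    return !__builtin_mul_overflow(unit_cents, qty, total);
}

/* Transfer amount received as unsigned, stored by a back end as int32_t. */
bool to_backend_amount(uint32_t amount, int32_t *out) {
    if (amount > (uint32_t)INT32_MAX) return false;  /* would turn negative */
    *out = (int32_t)amount;
    return true;
}

int main(void) {
    uint32_t bal = 0;
    int32_t v = 0;
    printf("unchecked 0 - 1 = %u\n", (unsigned)withdraw_unchecked(0, 1));
    printf("checked 0 - 1 accepted: %d\n", withdraw_checked(0, 1, &bal));
    printf("1999 x 2000000 accepted: %d\n",
           order_total_checked(1999, 2000000, &v));
    printf("3000000000 as int32 accepted: %d\n",
           to_backend_amount(3000000000u, &v));
    return 0;
}
```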