Vulnerability Spotlight: Type confusion

What is type confusion exactly? And how can it be used to exploit programs? According to the CWE (Common Weakness Enumeration) "Type confusion is when: the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access."

C and C++ are common examples used because these languages do not have type checking. This allows attackers to potentially exploit type confusion within C/C++ programs, which can lead to code execution. Of course C and C++ are not the only examples, languages with dynamic typing generally (like Perl) have this issue.

C++ has 3 main Casting Operations:

1. Static Casting -> static_cast<ToClass>(object)
    - Class Hierarchy checked at compile time
    - Unsafe
2. Dynamic Casting -> dynamic_cast<ToClass>(Object)
    -Run-time check based on allocated type(vtable pointer)
    -Not used in performance critical code
    -Safe, but not used by everyone since it lowers performance
3. C-Styel Casting->(ToClass)(Object)
    -C-Style cast, no check for the object type a tall
    -Unsafe

The take away from these casting operations is that there is a safe way to implement casting within C++, but because it's at the cost of performance many people choose not to do so. 

A type confusion bug arises from illegal down-casts. Basically within object-orientated programing you can have what you would call a "Parent" class and subclasses for example "Child 1, and Child 2". Both Child 1 and Child 2 are a subclass of Parent, but they are not equal to each other. For example: Child 1 is not a Child 2. However, in the case of C++ this can actually be an issue since there is no checking. 

The biggest concern with this is that it can lead to remote code/arbitrary code execution. Quite a few of these have been demonstrated through Chrome/Chromium. See here for one of them: https://github.blog/2022-06-29-the-chromium-super-inline-cache-type-confusion/ 

That's all for now! 

Thanks for taking the time to read this. I hope you have a great day. :) 
If you would like to read a more in depth post about type confusion this paper is a good one: https://nebelwelt.net/files/18SyScan360-presentation.pdf and the youtube video as well. https://www.youtube.com/watch?v=jbglFfkRYQs&t=138s  

Have a great week! <3 Blackcatt

Comments

Post a Comment

Popular posts from this blog

Post SOTB and Happy New Year :)

Image
 If you missed out on SOTB that really stinks, but also I understand. Shell on the Border happened during new years and man was it an amazing experience. I couldn't attend the speaker part but the ctf was fun. It was at an arcade that had major Mr. Robot vibes. A truly different and awesome experience in the unlikely city of Fort Smith, Arkansas. Want to make a huge shout out Shyft, MoonKaptain, Fie, FractumSeraph, Allee, Fort Smith Arcade, and HackNWA (if I forgot you I am sorry it's not on purpose). All of y'all made this an amazing experience and the work we put it in was definitely seen. I am proud to be apart of FS2600 and I am grateful for the opportunity to be able to help, and to even do some of my first challenges.  I wanted to go over my challenges that I did, just 3, for those that are curious. First of all this being my first time making CTF challenges there were some mistakes on my part. I had made these challenges with a huge assumption of prerequisite knowled
Read more

Arkansas Hackers: More than meets the eye

      What do you think of when you think of Arkansas? Walmart? Bill Clinton? Barefooted hillbillies? Now, what do you think of when you think of a hacker? I am willing to bet that most of you reading this probably don't think the two go together at all. But you'll be surprised to find out that there is a large group of Cybersecurity experts and hobbyists with all kinds of interests. And so hopefully by the end of this post you will see just how expansive Arkansas Hackers is!  Last week from Friday the 6th to Sunday the 8th I had the privilege of being able to attend a popular hacking CTF that goes by the name of JOLT. For those that may not know, a hacking CTF is basically where teams of hackers come together to try and get flags that are behind challenges. These challenges are wide-ranging and cover all types of hacking areas. Other than the bragging rights there are generally rewards for the top 3 winners. JOLT is located in Little Rock, Arkansas and is headed by members of
Read more