Vulnerability Spotlight: Type confusion

What is type confusion exactly? And how can it be used to exploit programs? According to the CWE (Common Weakness Enumeration) "Type confusion is when: the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access."

C and C++ are common examples used because these languages do not have type checking. This allows attackers to potentially exploit type confusion within C/C++ programs, which can lead to code execution. Of course C and C++ are not the only examples, languages with dynamic typing generally (like Perl) have this issue.

C++ has 3 main Casting Operations:

1. Static Casting -> static_cast<ToClass>(object)
    - Class Hierarchy checked at compile time
    - Unsafe
2. Dynamic Casting -> dynamic_cast<ToClass>(Object)
    -Run-time check based on allocated type(vtable pointer)
    -Not used in performance critical code
    -Safe, but not used by everyone since it lowers performance
3. C-Styel Casting->(ToClass)(Object)
    -C-Style cast, no check for the object type a tall
    -Unsafe

The take away from these casting operations is that there is a safe way to implement casting within C++, but because it's at the cost of performance many people choose not to do so. 

A type confusion bug arises from illegal down-casts. Basically within object-orientated programing you can have what you would call a "Parent" class and subclasses for example "Child 1, and Child 2". Both Child 1 and Child 2 are a subclass of Parent, but they are not equal to each other. For example: Child 1 is not a Child 2. However, in the case of C++ this can actually be an issue since there is no checking. 

The biggest concern with this is that it can lead to remote code/arbitrary code execution. Quite a few of these have been demonstrated through Chrome/Chromium. See here for one of them: https://github.blog/2022-06-29-the-chromium-super-inline-cache-type-confusion/ 

That's all for now! 

Thanks for taking the time to read this. I hope you have a great day. :) 
If you would like to read a more in depth post about type confusion this paper is a good one: https://nebelwelt.net/files/18SyScan360-presentation.pdf and the youtube video as well. https://www.youtube.com/watch?v=jbglFfkRYQs&t=138s  

Have a great week! <3 Blackcatt

Comments

Post a Comment

Popular posts from this blog

DEFCON 32: My review as a first time attendee.

 Since the first time I heard about DEFCON (2018, probably before) I have wanted to attend. Due to time and mainly money, I haven't been able to up until now. Thankfully, my job (thank you very much!) paid for most everything an I was able to go this year. I am going to talk about my experience there and some tips for next year if you decide to (hopefully) go! Let's start with the location. I hadn't been to the previous DEFCONs so I didn't know what it was like but this year it was held in the west wing part of the Las Vegas Convention Center. This location is right by multiple hotels (mine was about 10-15 min walk which wasn't too bad), and close to the strip. This center is huge and we were *just* in the west wing part of it. What I enjoyed most about this honestly was the central location. I can imagine walking across multiple hotels would get a bit tiresome. Everything was relatively close and about a 5 minute walk, or 30 second escalator ride. There were... A L...
Read more

Steghide: An introduction

Image
 JOLT, a hacking CTF located in Little Rock, Arkansas. JOLT 2022 was where I first was introduced to steghide. Steghide is a tool associated with Steganography which according to wikipedia is: ""the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection". So basically hiding information within a picture. And of course if you can hide information in there you can extract information, and hide information that is dangerous." On the kali linux steghide page it says: "Steghide is steganography program which hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven. Steghide is designed to be portable and configurable and features hiding data in bmp, jpeg, wav and au files, blowfish encryption, MD5 hashing of passphrases to blowfish keys, and pseud...
Read more