Is divide-by-zero a security vulnerability?












2















Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question























  • I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    1 hour ago
















2















Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question























  • I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    1 hour ago














2












2








2








Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question














Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?







exploit attacks vulnerability






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 6 hours ago









Gwangmu LeeGwangmu Lee

1113




1113













  • I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    1 hour ago



















  • I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    1 hour ago

















I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

– Ed Grimm
1 hour ago





I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

– Ed Grimm
1 hour ago










3 Answers
3






active

oldest

votes


















6














At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



int myFunction(int a, int b, SomeState state) {

state(UNINITIALIZED);
try {
state.something(a/b);
state(NORMAL);
}
catch () {
state.something(b/a);
state(INVERTED);
}
return retval;
}


This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






share|improve this answer































    4














    Division by zero is not inherently a security vulnerability.



    However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






    share|improve this answer































      3














      I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



      Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






      share|improve this answer























        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "162"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204669%2fis-divide-by-zero-a-security-vulnerability%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        6














        At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



        int myFunction(int a, int b, SomeState state) {

        state(UNINITIALIZED);
        try {
        state.something(a/b);
        state(NORMAL);
        }
        catch () {
        state.something(b/a);
        state(INVERTED);
        }
        return retval;
        }


        This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



        The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






        share|improve this answer




























          6














          At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



          int myFunction(int a, int b, SomeState state) {

          state(UNINITIALIZED);
          try {
          state.something(a/b);
          state(NORMAL);
          }
          catch () {
          state.something(b/a);
          state(INVERTED);
          }
          return retval;
          }


          This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



          The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






          share|improve this answer


























            6












            6








            6







            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






            share|improve this answer













            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 3 hours ago









            John DetersJohn Deters

            27.8k24191




            27.8k24191

























                4














                Division by zero is not inherently a security vulnerability.



                However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






                share|improve this answer




























                  4














                  Division by zero is not inherently a security vulnerability.



                  However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






                  share|improve this answer


























                    4












                    4








                    4







                    Division by zero is not inherently a security vulnerability.



                    However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






                    share|improve this answer













                    Division by zero is not inherently a security vulnerability.



                    However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 5 hours ago









                    duskwuffduskwuff

                    1,236410




                    1,236410























                        3














                        I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                        Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                        share|improve this answer




























                          3














                          I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                          Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                          share|improve this answer


























                            3












                            3








                            3







                            I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                            Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                            share|improve this answer













                            I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                            Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 6 hours ago









                            securityOrangesecurityOrange

                            63215




                            63215






























                                draft saved

                                draft discarded




















































                                Thanks for contributing an answer to Information Security Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204669%2fis-divide-by-zero-a-security-vulnerability%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                How to make a Squid Proxy server?

                                Is this a new Fibonacci Identity?

                                19世紀