Description
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
Consequences
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory
If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer’s worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data — such as a flag indicating whether the user is an administrator.
Availability, Confidentiality: Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Confidentiality: Read Memory
In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Potential Mitigations
Phase: Requirements
Description:
Phase: Architecture and Design
Description:
This is not a complete solution, since many buffer overflows are not related to strings.
Phase: Build and Compilation
Effectiveness: Defense in Depth
Description:
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Description:
Phase: Operation
Effectiveness: Defense in Depth
Description:
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Operation
Effectiveness: Defense in Depth
Description:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Effectiveness: Moderate
Description:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131).
CVE References
- CVE-2009-2550
- Classic stack-based buffer overflow in media player using a long entry in a playlist
- CVE-2009-2403
- Heap-based buffer overflow in media player using a long entry in a playlist
- CVE-2009-0689
- large precision value in a format string triggers overflow
- CVE-2009-0690
- negative offset value leads to out-of-bounds read
- CVE-2009-1532
- malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption
- CVE-2009-1528
- chain: lack of synchronization leads to memory corruption
- CVE-2021-29529
- Chain: machine-learning product can have a heap-based
buffer overflow (CWE-122) when some integer-oriented bounds are
calculated by using ceiling() and floor() on floating point values
(CWE-1339)
- Chain: machine-learning product can have a heap-based
- CVE-2009-0558
- attacker-controlled array index leads to code execution
- CVE-2009-0269
- chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead.
- CVE-2009-0566
- chain: incorrect calculations lead to incorrect pointer dereference and memory corruption
- CVE-2009-1350
- product accepts crafted messages that lead to a dereference of an arbitrary pointer
- CVE-2009-0191
- chain: malformed input causes dereference of uninitialized memory
- CVE-2008-4113
- OS kernel trusts userland-supplied length value, allowing reading of sensitive information
- CVE-2005-1513
- Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology.
- CVE-2003-0542
- buffer overflow involving a regular expression with a large number of captures
- CVE-2017-1000121
- chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...