Description
The software writes data past the end, or before the beginning, of the intended buffer.
Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Related Weaknesses
CWE-119
Consequences
Integrity, Availability: Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands
Potential Mitigations
Phase: Requirements
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
This is not a complete solution, since many buffer overflows are not related to strings.
Phase: Build and Compilation
Effectiveness: Defense in Depth
Description:
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Effectiveness:
Description:
Phase: Operation
Effectiveness: Defense in Depth
Description:
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Operation
Effectiveness: Defense in Depth
Description:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Effectiveness: Moderate
Description:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131).
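Added example (not part of the CWE entry): the "bounded copy" mitigation above written two ways, showing why strncpy alone is not enough, plus the index-check case from the description. NAME_LEN, the function names and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for this example */

static char scratch[NAME_LEN];  /* scratch destination used by the calls below */

/* Naive mitigation: strncpy with the full buffer size. The write is now
 * bounded, but when src has NAME_LEN or more bytes strncpy stores no NUL,
 * so a later strlen()/printf("%s") runs past the end of dst. Returns 1 if
 * dst ended up NUL-terminated, 0 if not (the off-by-one the entry warns of). */
static int copy_name_strncpy(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Hardened form: compute the length first, refuse anything that does not
 * fit together with its terminator, and copy exactly n + 1 bytes. Returns 1
 * on success, 0 if the input was rejected (dst is left as an empty string). */
static int copy_name_bounded(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Index variant from the description: a caller-supplied index, possibly a
 * negative error value such as -1, is checked against the table bounds
 * before it is used for a write. Returns 1 if stored, 0 if refused. */
static int store_at(int *table, size_t count, long idx, int value)
{
    if (idx < 0 || (size_t)idx >= count)
        return 0;
    table[idx] = value;
    return 1;
}

int main(void)
{
    int table[4] = {0};
    printf("strncpy, 16-byte name terminated: %d\n",
           copy_name_strncpy(scratch, "0123456789ABCDEF"));
    printf("bounded copy accepts 16-byte name: %d\n",
           copy_name_bounded(scratch, "0123456789ABCDEF"));
    printf("bounded copy accepts \"alice\": %d\n", copy_name_bounded(scratch, "alice"));
    printf("store_at index -1 accepted: %d\n", store_at(table, 4, -1, 7));
    return 0;
}
```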
CVE References
- CVE-2020-0022: chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787)
- CVE-2019-1010006: Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787).
- CVE-2009-1532: malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption
- CVE-2009-0269: chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead.
- CVE-2002-2227: Unchecked length of SSLv2 challenge value leads to buffer underflow.
- CVE-2007-4580: Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130)
- CVE-2007-4268: Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
- CVE-2009-2550: Classic stack-based buffer overflow in media player using a long entry in a playlist
- CVE-2009-2403: Heap-based buffer overflow in media player using a long entry in a playlist