CWE-805 – Buffer Access with Incorrect Length Value

Read Time:3 Minute, 18 Second

Description

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

When the length value exceeds the size of the destination, a buffer overflow could occur.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

 

Related Weaknesses

CWE-119
CWE-119
CWE-119

 

Consequences

Integrity, Confidentiality, Availability: Read Memory, Modify Memory, Execute Unauthorized Code or Commands

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. This can often be used to subvert any other security service.

Availability: Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

 

Potential Mitigations

Phase: Requirements

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

This is not a complete solution, since many buffer overflows are not related to strings.

Phase: Build and Compilation

Effectiveness: Defense in Depth

Description: 

This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].

This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

CVE References

 

  • CVE-2011-1959
    • Chain: large length value causes buffer over-read (CWE-126)
  • CVE-2011-1848
    • Use of packet length field to make a calculation, then copy into a fixed-size buffer
  • CVE-2011-0105
    • Chain: retrieval of length value from an uninitialized memory location
  • CVE-2011-0606
    • Crafted length value in document reader leads to buffer overflow
  • CVE-2011-0651
    • SSL server overflow when the sum of multiple length fields exceeds a given value
  • CVE-2010-4156
    • Language interpreter API function doesn’t validate length argument, leading to information exposure