Description
The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
When the length value exceeds the size of the destination, a buffer overflow could occur.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Related Weaknesses
Consequences
Integrity, Confidentiality, Availability: Read Memory, Modify Memory, Execute Unauthorized Code or Commands
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. This can often be used to subvert any other security service.
Availability: Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Potential Mitigations
Phase: Requirements
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
This is not a complete solution, since many buffer overflows are not related to strings.
Phase: Build and Compilation
Effectiveness: Defense in Depth
Description:
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Operation
Effectiveness: Defense in Depth
Description:
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Operation
Effectiveness: Defense in Depth
Description:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Architecture and Design, Operation
Effectiveness:
Description:
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phase: Architecture and Design, Operation
Effectiveness: Limited
Description:
The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
CVE References
- CVE-2011-1959
- Chain: large length value causes buffer over-read (CWE-126)
- CVE-2011-1848
- Use of packet length field to make a calculation, then copy into a fixed-size buffer
- CVE-2011-0105
- Chain: retrieval of length value from an uninitialized memory location
- CVE-2011-0606
- Crafted length value in document reader leads to buffer overflow
- CVE-2011-0651
- SSL server overflow when the sum of multiple length fields exceeds a given value
- CVE-2010-4156
- Language interpreter API function doesn’t validate length argument, leading to information exposure