Tag Archives: CVE-2018-10887

CWE-190 – Integer Overflow or Wraparound

Read Time:3 Minute, 26 Second

Description

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-682
CWE-682
CWE-20
CWE-119

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Requirements

Description: 

Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.

Phase: Requirements

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Description: 

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

CVE References

  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-2019-1010006
    • Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787).
  • CVE-2005-1513
    • Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology.
  • CVE-2002-0391
    • Integer overflow via a large number of arguments.
  • CVE-2002-0639
    • Integer overflow in OpenSSH as listed in the demonstrative examples.
  • CVE-2005-1141
    • Image with large width and height leads to integer overflow.
  • CVE-2005-0102
    • Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.
  • CVE-2004-2013
    • Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.
  • CVE-2017-1000121
    • chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).
  • CVE-2013-1591
    • Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.

CWE-194 – Unexpected Sign Extension

Read Time:1 Minute, 49 Second

Description

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-681
CWE-681
CWE-681

 

Consequences

Integrity, Confidentiality, Availability, Other: Read Memory, Modify Memory, Other

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application’s allowable range.

 

Potential Mitigations

Phase: Implementation

Description: 

Avoid using signed variables if you don’t need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

CVE References

  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-1999-0234
    • Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
  • CVE-2003-0161
    • Product uses “char” type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
  • CVE-2007-4988
    • chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  • CVE-2006-1834
    • chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
  • CVE-2005-2753
    • Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.