Description
The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
Related Weaknesses
CWE-119
CWE-125
CWE-787
Consequences
Confidentiality: Read Memory
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Availability: DoS: Crash, Exit, or Restart
If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Potential Mitigations
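As an added example that is not part of the CWE entry, the C sketch below contrasts the message-passing case from the description (a packet field interpreted as an address and dereferenced) with a mitigated form that treats the field as a handle into a program-owned table and validates it before any dereference. The message layout, table size and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a peer sends a 64-bit field in each message.
   The object table is owned by the program; the peer must never be
   able to name an address inside it directly. */
typedef struct { int active; int value; } object_t;

#define MAX_OBJECTS 8
static object_t objects[MAX_OBJECTS];

/* CWE-822 pattern: the untrusted field is cast to a pointer and
   dereferenced, so the peer chooses which address gets read. */
int weak_read(uint64_t field) {
    const object_t *obj = (const object_t *)(uintptr_t)field;
    return obj->value;
}

/* Mitigated form: the field is a handle (table index), never an
   address. Bounds and slot state are checked before any dereference.
   Returns the stored (non-negative) value, or -1 to reject the message. */
int safe_read(uint64_t field) {
    if (field >= MAX_OBJECTS) return -1;      /* index out of range */
    const object_t *obj = &objects[field];
    if (!obj->active) return -1;              /* unused or stale slot */
    return obj->value;
}

/* Registers a value and hands back its handle, or -1 if the table is full. */
int register_object(int value) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!objects[i].active) {
            objects[i].active = 1;
            objects[i].value = value;
            return i;
        }
    }
    return -1;
}

int main(void) {
    int h = register_object(42);
    /* The weak form happens to work when the peer supplies a genuine
       address, which is why this pattern passes functional testing. */
    printf("weak: %d\n", weak_read((uint64_t)(uintptr_t)&objects[h]));
    printf("safe, valid handle: %d\n", safe_read((uint64_t)h));
    printf("safe, bogus field: %d\n", safe_read(0xdeadbeefULL));
    return 0;
}
```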
CVE References
- CVE-2007-5655: message-passing framework interprets values in packets as pointers, causing a crash.
- CVE-2010-2299: labeled as a “type confusion” issue, also referred to as a “stale pointer.” However, the bug ID says “contents are simply interpreted as a pointer… renderer ordinarily doesn’t supply this pointer directly”. The “handle” in the untrusted area is replaced in one function, but not another – thus also, effectively, exposure to wrong sphere (CWE-668).
- CVE-2009-1719: untrusted dereference using undocumented constructor.
- CVE-2009-1250: an error code is incorrectly checked and interpreted as a pointer, leading to a crash.
- CVE-2009-0311: an untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
- CVE-2010-1818: undocumented attribute in multimedia software allows “unmarshaling” of an untrusted pointer.
- CVE-2010-3189: ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
- CVE-2010-1253: spreadsheet software treats certain record values in a way that leads to a “user-controlled pointer” (might be an untrusted offset rather than an untrusted pointer).