Tag Archives: Untrusted Pointer Dereference

CWE-822 – Untrusted Pointer Dereference

Read Time:1 Minute, 38 Second

Description

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2007-5655
    • message-passing framework interprets values in packets as pointers, causing a crash.
  • CVE-2010-2299
    • labeled as a “type confusion” issue, also referred to as a “stale pointer.” However, the bug ID says “contents are simply interpreted as a pointer… renderer ordinarily doesn’t supply this pointer directly”. The “handle” in the untrusted area is replaced in one function, but not another – thus also, effectively, exposure to wrong sphere (CWE-668).
  • CVE-2009-1719
    • Untrusted dereference using undocumented constructor.
  • CVE-2009-1250
    • An error code is incorrectly checked and interpreted as a pointer, leading to a crash.
  • CVE-2009-0311
    • An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
  • CVE-2010-1818
    • Undocumented attribute in multimedia software allows “unmarshaling” of an untrusted pointer.
  • CVE-2010-3189
    • ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
  • CVE-2010-1253
    • Spreadsheet software treats certain record values that lead to “user-controlled pointer” (might be untrusted offset, not untrusted pointer).