SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CWE

Heap-based Buffer Overflow

ID: 122		Date: (C)2012-05-14 (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Variant

Description

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Likelihood of Exploit: High to Very High

Applicable Platforms
Language: C
Language: C++

Time Of Introduction

Architecture and Design
Implementation

Related Attack Patterns

CAPEC-92

Common Consequences

Scope	Technical Impact	Notes
Availability	DoS: crash / exit / restart DoS: resource consumption (CPU) DoS: resource consumption (memory)	Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity Confidentiality Availability Access_Control	Execute unauthorized code or commands Bypass protection mechanism Modify memory	Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.
Integrity Confidentiality Availability Access_Control Other	Execute unauthorized code or commands Bypass protection mechanism Other	When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
		Pre-design: Use a language or compiler that performs automatic bounds checking.
Architecture and Design		Use an abstraction library to abstract away risky APIs. Not a complete solution.
		Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon.
		Implement and perform bounds checking on input.
		Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
		Operational: Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

Relationships
Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.

Related CWE	Type	View	Chain
CWE-122 ChildOf CWE-890	Category	CWE-888

Demonstrative Examples (Details)

Observed Examples

CVE-2007-4268 : Chain: integer signedness passes signed comparison, leads to heap overflow

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A buffer overflow where the buffer from the Buffer Write Operation is dynamically allocated

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
CLASP		Heap overflow

References:

M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Heap Overruns" Page 138'. Published on 2002.
Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 5: Buffer Overruns." Page 89'. Published on 2010.
Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 3, "Nonexecutable Stack", Page 76.'. Published on 2006.
Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 5, "Protection Mechanisms", Page 189.'. Published on 2006.


30479



423868



248392



909



195452



282