Buffer Underwrite ('Buffer Underflow')| ID: 124 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software writes to a buffer using an index or pointer that
references a memory location prior to the beginning of the buffer.
Extended DescriptionThis typically occurs when a pointer or its index is decremented to a
position before the buffer, when pointer arithmetic results in a position
before the beginning of the valid memory location, or when a negative index
is used.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage: CLanguage: C++
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityAvailability | Modify memoryDoS: crash / exit /
restart | Out of bounds memory access will very likely result in the corruption
of relevant memory, and perhaps instructions, possibly leading to a
crash. |
| IntegrityConfidentialityAvailabilityAccess_ControlOther | Execute unauthorized code or
commandsModify memoryBypass protection
mechanismOther | If the corrupted memory can be effectively controlled, it may be
possible to execute arbitrary code. If the corrupted memory is data
rather than instructions, the system will continue to function with
improper changes, possibly in violation of an implicit or explicit
policy. The consequences would only be limited by how the affected data
is used, such as an adjacent memory location that is used to specify
whether the user has special privileges. |
| Access_ControlOther | Bypass protection
mechanismOther | When the consequence is arbitrary code execution, this can often be
used to subvert any other security service. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Requirements specification: The choice could be made to use a language
that is not susceptible to these issues. | | |
| Implementation | | Sanity checks should be performed on all calculated values used as
index or for pointer arithmetic. | | |
RelationshipsThis could be resultant from several errors, including a bad offset or an
array index that decrements before the beginning of the buffer (see
CWE-129).
| Related CWE | Type | View | Chain |
|---|
| CWE-124 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following C/C++ example, a utility function is used to trim
trailing whitespace from a character string. The function copies the input
string to a local character string and uses a while statement to remove the
trailing whitespace by moving backward through the string and overwriting
whitespace with a NUL character. (Demonstrative Example Id DX-87)
- The following is an example of code that may result in a buffer
underwrite, if find() returns a negative value to indicate that ch is not
found in srcBuf: (Demonstrative Example Id DX-88)
Observed Examples
- CVE-2002-2227 : Unchecked length of SSLv2 challenge value leads to buffer underflow.
- CVE-2007-4580 : Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130)
- CVE-2007-1584 : Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character.
- CVE-2007-0886 : Buffer underflow resultant from encoded data that triggers an integer overflow.
- CVE-2006-6171 : Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow.
- CVE-2006-4024 : Negative value is used in a memcpy() operation, leading to buffer underflow.
- CVE-2004-2620 : Buffer underflow due to mishandled special characters
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | UNDER - Boundary beginning violation ('buffer
underflow'?) | |
| CLASP | | Buffer underwrite | |
References:
- .Buffer UNDERFLOWS: What do you know about it?. Vuln-Dev Mailing List. 2004-01-10.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 5: Buffer Overruns." Page 89'. Published on 2010.
