Improper Null Termination| ID: 170 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software does not terminate or incorrectly terminates a
string or array with a null character or equivalent
terminator.
Extended DescriptionNull termination errors frequently occur in two different ways. An
off-by-one error could cause a null to be written out of bounds, leading to
an overflow. Or, a program could use a strncpy() function call incorrectly,
which prevents a null terminator from being added at all. Other scenarios
are possible.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage: CLanguage: C++
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrityAvailability | Read memoryExecute unauthorized code or
commands | The case of an omitted null character is the most dangerous of the
possible issues. This will almost certainly result in information
disclosure, and possibly a buffer overflow condition, which may be
exploited to execute arbitrary code. |
| ConfidentialityIntegrityAvailability | DoS: crash / exit /
restartRead memoryDoS: resource consumption
(CPU)DoS: resource consumption
(memory) | If a null character is omitted from a string, then most string-copying
functions will read data until they locate a null character, even
outside of the intended boundaries of the string. This could: |
| IntegrityAvailability | Modify memoryDoS: crash / exit /
restart | Misplaced null characters may result in any number of security
problems. The biggest issue is a subset of buffer overflow, and
write-what-where conditions, where data corruption occurs from the
writing of a null character over valid data, or even instructions. A
randomly placed null character may put the system into an undefined
state, and therefore make it prone to crashing. A misplaced null
character may corrupt other data in memory. |
| IntegrityConfidentialityAvailabilityAccess_ControlOther | Alter execution
logicExecute unauthorized code or
commands | Should the null character corrupt the process flow, or affect a flag
controlling access, it may lead to logical errors which allow for the
execution of arbitrary code. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Requirements | | Use a language that is not susceptible to these issues. However, be
careful of null byte interaction errors (CWE-626) with lower-level
constructs that may be written in a language that is susceptible. | | |
| Implementation | | Ensure that all string functions used are understood fully as to how
they append null characters. Also, be wary of off-by-one errors when
appending nulls to the end of strings. | | |
| Implementation | | If performance constraints permit, special code can be added that
validates null-termination of string buffers, this is a rather naive and
error-prone solution. | | |
| Implementation | | Switch to bounded string manipulation functions. Inspect buffer
lengths involved in the buffer overrun trace reported with the
defect. | | |
| Implementation | | Add code that fills buffers with nulls (however, the length of buffers
still needs to be inspected, to ensure that the non null-terminated
string is not written at the physical end of the buffer). | | |
RelationshipsFactors: this is usually resultant from other weaknesses such as
off-by-one errors, but it can be primary to boundary condition violations
such as buffer overflows. In buffer overflows, it can act as an expander for
assumed-immutable data.Overlaps missing input terminator.
| Related CWE | Type | View | Chain |
|---|
| CWE-170 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following code, readlink() expands the name of a symbolic
link stored in the buffer path so that the buffer filename contains the
absolute path of the file referenced by the symbolic link. The length of the
resulting value is then calculated using strlen().
- The following code reads from cfgfile and copies the input into
inputbuf using strcpy(). The code mistakenly assumes that inputbuf will
always contain a NULL terminator.
- While the following example is not exploitable, it provides a good
example of how nulls can be omitted or misplaced, even when "safe" functions
are used:
Observed Examples
- CVE-2000-0312 : Attacker does not null-terminate argv[] when invoking another program.
- CVE-2003-0777 : Interrupted step causes resultant lack of null termination.
- CVE-2004-1072 : Fault causes resultant lack of null termination, leading to buffer expansion.
- CVE-2001-1389 : Multiple vulnerabilities related to improper null termination.
- CVE-2003-0143 : Product does not null terminate a message buffer after snprintf-like call, leading to overflow.
For more examples, refer to CVE relations in the bottom box.
White Box DefinitionsA weakness where the code path has:1. end statement that passes a data item to a null-terminated string
function2. start statement that produces the improper null-terminated data
itemWhere "produces" is defined through the following scenarios:1. data item never ended with null-terminator2. null-terminator is re-written
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Improper Null Termination | |
| 7 Pernicious Kingdoms | | String Termination Error | |
| CLASP | | Miscalculated null termination | |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE_More_Specific |
| CERT C Secure Coding | POS30-C | Use the readlink() function properly | |
| CERT C Secure Coding | STR03-C | Do not inadvertently truncate a null-terminated byte
string | |
| CERT C Secure Coding | STR32-C | Null-terminate byte strings as required | |
| CERT C++ Secure Coding | STR03-CPP | Do not inadvertently truncate a null-terminated character
array | |
| CERT C++ Secure Coding | STR32-CPP | Null-terminate character arrays as required | |
References:None
