[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78764

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Buffer Access with Incorrect Length Value

ID: 805Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

Extended Description

When the length value exceeds the size of the destination, a buffer overflow could occur.

Likelihood of Exploit: Medium to High

Applicable Platforms
Language: C
Language: Often
Language: C++
Language: Often
Language: Assembly

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.
 
Availability
 
DoS: crash / exit / restart
DoS: resource consumption (CPU)
 
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
 

Detection Methods

NameDescriptionEffectivenessNotes
Automated Static Analysis
 
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.
 
High
 
 
Automated Dynamic Analysis
 
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
 
Moderate
 
 
Manual Analysis
 
Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
 
  

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Requirements
 
Language Selection
 
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
 
  
Architecture and Design
 
Libraries or Frameworks
 
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Examples include the Safe C String Library (SafeStr) by Messier and Viega [R.805.6], and the Strsafe.h library from Microsoft [R.805.7]. These libraries provide safer versions of overflow-prone string-handling functions.
 
 This is not a complete solution, since many buffer overflows are not related to strings.
 
Build and Compilation
 
Compilation or Build Hardening
 
Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows.
For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.
 
Defense in Depth
 
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
 
Implementation
 
 Consider adhering to the following rules when allocating and managing an application's memory:

 
  
Architecture and Design
 
 For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
 
  
Operation
 
Environment Hardening
 
Use a feature like Address Space Layout Randomization (ASLR) [R.805.2] [R.805.4].
 
Defense in Depth
 
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
 
Operation
 
Environment Hardening
 
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [R.805.3] [R.805.6].
 
Defense in Depth
 
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
 
Architecture and Design
Operation
 
Environment Hardening
 
Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.805.9]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
 
  
Architecture and Design
Operation
 
Sandbox or Jail
 
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
 
Limited
 
The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
 

Relationships

Related CWETypeViewChain
CWE-805 ChildOf CWE-740 Category CWE-734  

Demonstrative Examples   (Details)

  1. In the following example, the source character string is copied to the dest character string using the method strncpy.
  2. In this example, the method outputFilenameToLog outputs a filename to a log file. The method arguments include a pointer to a character string containing the file name and an integer for the number of characters in the string. The filename is copied to a buffer where the buffer size is set to a maximum size for inputs to the log file. The method then calls another method to save the contents of the buffer to the log file.
  3. This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. (Demonstrative Example Id DX-1)

Observed Examples

  1. CVE-2011-1959 : Chain: large length value causes buffer over-read (CWE-126)
  2. CVE-2011-1848 : Use of packet length field to make a calculation, then copy into a fixed-size buffer
  3. CVE-2011-0105 : Chain: retrieval of length value from an uninitialized memory location
  4. CVE-2011-0606 : Crafted length value in document reader leads to buffer overflow
  5. CVE-2011-0651 : SSL server overflow when the sum of multiple length fields exceeds a given value
  6. CVE-2010-4156 : Language interpreter API function doesn't validate length argument, leading to information exposure

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
CERT C++ Secure Coding ARR33-CPP
 
Guarantee that copies are made into storage of sufficient size
 
 
CERT C Secure Coding ARR33-C
 
Guarantee that copies are made into storage of sufficient size
 
 

References:

  1. M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 6, "Why ACLs Are Important" Page 171'. Published on 2002.
  2. Michael Howard .Address Space Layout Randomization in Windows Vista.
  3. Arjan van de Ven .Limiting buffer overflows with ExecShield.
  4. .PaX.
  5. Jason Lam .Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value. SANS Software Security Institute. 2010-03-11.
  6. Matt Messier John Viega .Safe C String Library v1.0.3.
  7. Microsoft .Using the Strsafe.h Functions.
  8. Microsoft .Understanding DEP as a mitigation technology part 1.
  9. Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.

© 2013 SecPod Technologies