Access of Memory Location After End of Buffer

ID: 788
Date: (C) 2012-05-14   (M) 2022-10-10
Type: Weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

Extended Description

This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. These problems may result from missing sentinel values (CWE-463) or from trusting a user-influenced input length variable.

Applicable Platforms
None

Common Consequences

Scope: Confidentiality
Technical Impact: Read memory
Notes: For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.

Scope: Integrity, Availability
Technical Impact: Modify memory; DoS: crash / exit / restart
Notes: Out-of-bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

Technical Impact: Modify memory; Execute unauthorized code or commands
Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), he can redirect a function pointer to his own malicious code. Even when the attacker can only modify a single byte, arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-788 ChildOf CWE-119 (Type: Weakness)
Views: CWE-1000, CWE-699

Demonstrative Examples

  1. In the following C/C++ example the method processMessageFromSocket() gets a message from a socket, places it into a buffer, and parses the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string, which is then passed to another method for processing. (Demonstrative Example Id DX-91)
  2. This example applies an encoding procedure to an input string and stores it into a buffer. (Demonstrative Example Id DX-19)
  3. This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. (Demonstrative Example Id DX-1)
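As an added example (not code from the CWE entry or from the SecPod page), the following C function handles the message-with-length-header pattern that DX-91 describes, adding the two bounds checks that keep the copy index from running past the end of the local buffer. The wire format, buffer sizes, function names and sample datagrams are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sizes for this example; DX-91 uses its own. */
#define HEADER_LEN   2      /* big-endian 16-bit body length */
#define MAX_BODY     64     /* fixed local buffer for the message body */

/* Parse "length || body" from a received datagram into out (NUL-terminated).
 * Returns the body length on success, or -1 when the declared length would
 * index past the end of out (CWE-788) or past the bytes actually received. */
int copy_message_body(const uint8_t *pkt, size_t received,
                      char *out, size_t out_size)
{
    if (pkt == NULL || out == NULL || received < HEADER_LEN)
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];

    /* Both checks are needed: the first bounds the write into out, the
     * second bounds the read from pkt. Neither trusts the header alone. */
    if (declared >= out_size)              /* leave room for the NUL */
        return -1;
    if (declared > received - HEADER_LEN)  /* header claims more than arrived */
        return -1;

    /* Index i now stays below out_size and below received on every iteration. */
    for (size_t i = 0; i < declared; i++)
        out[i] = (char)pkt[HEADER_LEN + i];
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed sample datagrams (not taken from the page). */
static const uint8_t good_pkt[]  = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t short_pkt[] = {0x00, 0x09, 'h', 'e', 'l', 'l', 'o'}; /* body truncated */
static const uint8_t huge_pkt[]  = {0xFF, 0xFF, 'x'};                     /* length > buffer */

/* Well-formed message: 5 bytes copied and the body reads "hello". */
int demo_good(void)
{
    char b[MAX_BODY];
    int n = copy_message_body(good_pkt, sizeof good_pkt, b, sizeof b);
    return (n == 5 && strcmp(b, "hello") == 0) ? n : -2;
}
/* Header claims more bytes than were received: rejected, no over-read. */
int demo_short(void) { char b[MAX_BODY]; return copy_message_body(short_pkt, sizeof short_pkt, b, sizeof b); }
/* Header claims more bytes than the buffer holds: rejected, no over-write. */
int demo_huge(void)  { char b[MAX_BODY]; return copy_message_body(huge_pkt, sizeof huge_pkt, b, sizeof b); }
```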

Observed Examples

  1. CVE-2009-2550 : Classic stack-based buffer overflow in media player using a long entry in a playlist
  2. CVE-2009-2403 : Heap-based buffer overflow in media player using a long entry in a playlist
  3. CVE-2009-0689 : large precision value in a format string triggers overflow
  4. CVE-2009-0558 : attacker-controlled array index leads to code execution
  5. CVE-2008-4113 : OS kernel trusts userland-supplied length value, allowing reading of sensitive information
  6. CVE-2007-4268 : Chain: integer signedness passes signed comparison, leads to heap overflow


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:
None

© SecPod Technologies