Buffer Access with Incorrect Length Value| ID: 805 | Date: (C)2012-05-14 (M)2022-10-10 | | Type: weakness | Status: INCOMPLETE | | Abstraction Type: Base |
Description The software uses a sequential operation to read or write a
buffer, but it uses an incorrect length value that causes it to access memory
that is outside of the bounds of the buffer. Extended DescriptionWhen the length value exceeds the size of the destination, a buffer
overflow could occur. Likelihood of Exploit: Medium to High Applicable PlatformsLanguage: CLanguage: OftenLanguage: C++Language: OftenLanguage: Assembly Time Of Introduction Related Attack Patterns Common Consequences | Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | Buffer overflows often can be used to execute arbitrary code, which is
usually outside the scope of a program's implicit security policy. This
can often be used to subvert any other security service. | | Availability | DoS: crash / exit /
restartDoS: resource consumption
(CPU) | Buffer overflows generally lead to crashes. Other attacks leading to
lack of availability are possible, including putting the program into an
infinite loop. |
Detection Methods | Name | Description | Effectiveness | Notes |
|---|
| Automated Static Analysis | This weakness can often be detected using automated static analysis
tools. Many modern tools use data flow analysis or constraint-based
techniques to minimize the number of false positives.Automated static analysis generally does not account for environmental
considerations when reporting out-of-bounds memory operations. This can
make it difficult for users to determine which warnings should be
investigated first. For example, an analysis tool might report buffer
overflows that originate from command line arguments in a program that
is not expected to run with setuid or other special privileges. | High | | | Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that
interact with the software using large test suites with many diverse
inputs, such as fuzz testing (fuzzing), robustness testing, and fault
injection. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results. | Moderate | | | Manual Analysis | Manual analysis can be useful for finding this weakness, but it might
not achieve desired code coverage within limited time constraints. This
becomes difficult for weaknesses that must be considered for all inputs,
since the attack surface can be too large. | | |
Potential Mitigations | Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Requirements | Language Selection | Use a language that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.For example, many languages that perform their own memory management,
such as Java and Perl, are not subject to buffer overflows. Other
languages, such as Ada and C#, typically provide overflow protection,
but the protection can be disabled by the programmer.Be wary that a language's interface to native code may still be
subject to overflows, even if the language itself is theoretically safe. | | | | Architecture and Design | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to
occur or provides constructs that make this weakness easier to
avoid.Examples include the Safe C String Library (SafeStr) by Messier and
Viega [R.805.6], and the Strsafe.h library from Microsoft [R.805.7].
These libraries provide safer versions of overflow-prone string-handling
functions. | | This is not a complete solution, since many buffer overflows are not
related to strings. | | Build and Compilation | Compilation or Build Hardening | Run or compile the software using features or extensions that
automatically provide a protection mechanism that mitigates or
eliminates buffer overflows.For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code.
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat
FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. | Defense in Depth | This is not necessarily a complete solution, since these mechanisms
can only detect certain types of overflows. In addition, an attack could
still cause a denial of service, since the typical response is to exit
the application. | | Implementation | | Consider adhering to the following rules when allocating and managing
an application's memory: | | | | Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server. | | | | Operation | Environment Hardening | Use a feature like Address Space Layout Randomization (ASLR) [R.805.2]
[R.805.4]. | Defense in Depth | This is not a complete solution. However, it forces the attacker to
guess an unknown value that changes every program execution. In
addition, an attack could still cause a denial of service, since the
typical response is to exit the application. | | Operation | Environment Hardening | Use a CPU and operating system that offers Data Execution Protection
(NX) or its equivalent [R.805.3] [R.805.6]. | Defense in Depth | This is not a complete solution, since buffer overflows could be used
to overwrite nearby variables to modify the software's state in
dangerous ways. In addition, it cannot be used in cases in which
self-modifying code is required. Finally, an attack could still cause a
denial of service, since the typical response is to exit the
application. | | Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.805.9]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | | | Architecture and DesignOperation | Sandbox or Jail | Run the code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict which files can be accessed in a particular
directory or which commands can be executed by the software.OS-level examples include the Unix chroot jail, AppArmor, and SELinux.
In general, managed code may provide some protection. For example,
java.io.FilePermission in the Java SecurityManager allows the software
to specify restrictions on file operations.This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of the application may still be subject
to compromise.Be careful to avoid CWE-243 and other weaknesses related to jails. | Limited | The effectiveness of this mitigation depends on the prevention
capabilities of the specific sandbox or jail being used and might only
help to reduce the scope of an attack, such as restricting the attacker
to certain system calls or limiting the portion of the file system that
can be accessed. |
Relationships | Related CWE | Type | View | Chain |
|---|
| CWE-805 ChildOf CWE-740 | Category | CWE-734 | |
Demonstrative Examples (Details) - In the following example, the source character string is copied to
the dest character string using the method strncpy.
- In this example, the method outputFilenameToLog outputs a filename
to a log file. The method arguments include a pointer to a character string
containing the file name and an integer for the number of characters in the
string. The filename is copied to a buffer where the buffer size is set to a
maximum size for inputs to the log file. The method then calls another
method to save the contents of the buffer to the log file.
- This example takes an IP address from a user, verifies that it is
well formed and then looks up the hostname and copies it into a
buffer. (Demonstrative Example Id DX-1)
Observed Examples - CVE-2011-1959 : Chain: large length value causes buffer over-read (CWE-126)
- CVE-2011-1848 : Use of packet length field to make a calculation, then copy into a fixed-size buffer
- CVE-2011-0105 : Chain: retrieval of length value from an uninitialized memory location
- CVE-2011-0606 : Crafted length value in document reader leads to buffer overflow
- CVE-2011-0651 : SSL server overflow when the sum of multiple length fields exceeds a given value
- CVE-2010-4156 : Language interpreter API function doesn't validate length argument, leading to information exposure
For more examples, refer to CVE relations in the bottom box. White Box Definitions None Black Box Definitions None Taxynomy Mappings | Taxynomy | Id | Name | Fit |
|---|
| CERT C++ Secure Coding | ARR33-CPP | Guarantee that copies are made into storage of sufficient
size | | | CERT C Secure Coding | ARR33-C | Guarantee that copies are made into storage of sufficient
size | |
References: - M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 6, "Why ACLs Are Important" Page
171'. Published on 2002.
- Michael Howard .Address Space Layout Randomization in Windows
Vista.
- Arjan van de Ven .Limiting buffer overflows with ExecShield.
- .PaX.
- Jason Lam .Top 25 Series - Rank 12 - Buffer Access with Incorrect Length
Value. SANS Software Security Institute. 2010-03-11.
- Matt Messier John Viega .Safe C String Library v1.0.3.
- Microsoft .Using the Strsafe.h Functions.
- Microsoft .Understanding DEP as a mitigation technology part
1.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
|
