Difference between revisions of "Buffer underwrite"

From OWASP
(Related problems)
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
{{Template:Vulnerability}}
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
 +
<br>
  
==Overview==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 +
 +
==Description==
 
A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location.
 
A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location.
  
==Consequences ==
+
'''Consequences'''
  
 
* Availability: Buffer underwrites will very likely result in the corruption of relevant memory, and perhaps instructions, leading to a crash.
 
* Availability: Buffer underwrites will very likely result in the corruption of relevant memory, and perhaps instructions, leading to a crash.
 
+
* Access Control (memory and instruction processing): If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, ones made in violation of a policy, whether explicit or implicit.
* Access Control (memory and instruction processing): If the memory corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the memory corrupted is data rather than instructions, the system will continue to function with improper changes, ones made in violation of a policy, whether explicit or implicit.
+
 
+
 
* Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.  
 
* Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.  
  
==Exposure period ==
+
'''Exposure period'''
  
 
* Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
 
* Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
 
 
* Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.
 
* Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.
  
==Platform ==
+
'''Platform'''
  
 
* Languages: C, C++, Assembly
 
* Languages: C, C++, Assembly
 
 
* Operating Platforms: All
 
* Operating Platforms: All
  
==Required resources ==
+
'''Required resources'''
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
High
 
High
  
==Likelihood of exploit ==
+
'''Likelihood of exploit'''
  
 
Medium
 
Medium
  
==Avoidance and mitigation ==
+
==Risk Factors==
 
+
TBD
* Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
+
 
+
* Implementation: Sanity checks should be performed on all calculated values used as index or for pointer arithmetic.
+
  
 
==Examples ==
 
==Examples ==
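Review bot: The new "==Risk Factors==" section consists only of "TBD" and takes the place of the "==Avoidance and mitigation ==" heading, while the two mitigation bullets that sat under that heading are not carried over at this position. Fill in the risk factors or leave the section out until there is content, and keep the mitigation text under a heading that names it as mitigation. The section titles above also change from heading markup ("==Consequences ==") to bold text ("'''Consequences'''"), which is not a heading in wiki markup; keep them as headings unless the change is deliberate.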
Line 57: Line 55:
 
If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition.
 
If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition.
  
==Related problems ==
+
==Related [[Attacks]]==
  
* [[Buffer Overflow]] (and related issues)
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
* [[Integer Overflow]]
+
==Related [[Vulnerabilities]]==
  
* [[Signed-to-unsigned Conversion Error]]
+
* [[Buffer Overflow]] (and related issues)
 +
* [[Integer overflow]]
 +
* [[Signed to unsigned conversion error]]
 +
* [[Unchecked array indexing]]
  
* [[Unchecked Array Indexing]]
+
==Related [[Controls]]==
  
 +
* [[Control 1]]
 +
* [[Control 2]]
 +
* Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
 +
* Implementation: Sanity checks should be performed on all calculated values used as index or for pointer arithmetic.
  
[[Category:Vulnerability]]
+
==Related [[Technical Impacts]]==
  
[[Category:Range and Type Errors]]
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
[[Category:OWASP_CLASP_Project]]
 
  
 +
 +
[[Category:Vulnerability]]
 +
[[Category:Range and Type Error Vulnerability]]
 +
[[Category:OWASP_CLASP_Project]]
 
[[Category:Implementation]]
 
[[Category:Implementation]]
 +
[[Category:Code Snippet]]
 +
[[Category:C]]
 +
[[Category:OWASP ASDR Project]]
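Review bot: The "Related [[Attacks]]", "Related [[Controls]]" and "Related [[Technical Impacts]]" sections go in with template stubs ("[[Attack 1]]", "[[Control 2]]", "[[Technical Impact 1]]" and so on) that link to pages named after the placeholder. Remove the stub entries or replace them with real targets before saving. Under "Related [[Controls]]" the two mitigation bullets are appended to the stub list as plain text; they would read better under their own mitigation heading than as entries in a list of links.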

Latest revision as of 19:14, 20 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 02/20/2009

Vulnerabilities Table of Contents

Description

A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location.

Consequences

  • Availability: Buffer underwrites will very likely result in the corruption of relevant memory, and perhaps instructions, leading to a crash.
  • Access Control (memory and instruction processing): If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, ones made in violation of a policy, whether explicit or implicit.
  • Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Exposure period

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.

Platform

  • Languages: C, C++, Assembly
  • Operating Platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Medium

Risk Factors

TBD

Examples

The following is an example of code that may result in a buffer underwrite, should find() return a negative value to indicate that ch is not found in srcBuf:

int main() {
  ...  
  strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);
  ...
}

If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition.
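
The sanity check this page recommends for calculated index values, applied to the copy above. This is an added example, not code from the original page: find_index() is a hypothetical stand-in for the page's find(), and copy_from_char() and the sample string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the page's find(): index of ch in buf, or -1. */
static ptrdiff_t find_index(const char *buf, size_t len, char ch) {
    const char *p = memchr(buf, (unsigned char)ch, len);
    return p ? p - buf : -1;
}

/* Hardened form of: strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);
 * Copies src from the first ch onward into dest, always NUL-terminated.
 * Returns 0 on success, -1 if ch is absent or the arguments are unusable. */
static int copy_from_char(char *dest, size_t dest_size,
                          const char *src, size_t src_len, char ch) {
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';

    ptrdiff_t idx = find_index(src, src_len, ch);
    /* Sanity check before any pointer arithmetic: a negative idx would make
     * src + idx point before the buffer; idx >= src_len would point past it.
     * Test the sign first, since (size_t)-1 is a huge positive value. */
    if (idx < 0 || (size_t)idx >= src_len)
        return -1;

    size_t n = src_len - (size_t)idx;   /* bytes available from idx */
    if (n >= dest_size)
        n = dest_size - 1;              /* truncate to fit the destination */
    memcpy(dest, src + idx, n);
    dest[n] = '\0';
    return 0;
}

int main(void) {
    const char src[] = "key=value";     /* constructed sample input */
    char dest[8];
    int rc = copy_from_char(dest, sizeof dest, src, strlen(src), '=');
    printf("found:   rc=%d dest=\"%s\"\n", rc, dest);
    rc = copy_from_char(dest, sizeof dest, src, strlen(src), '#');
    printf("missing: rc=%d dest=\"%s\"\n", rc, dest);
    return 0;
}
```

The "not found" return value is rejected before it is ever added to the source pointer, and the copy length is derived from both buffer sizes instead of a fixed 1024.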

Related Attacks

Related Vulnerabilities

Related Controls

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Implementation: Sanity checks should be performed on all calculated values used as index or for pointer arithmetic.

Related Technical Impacts