Missing parameter

From OWASP
Revision as of 17:44, 13 April 2006 by Jeff Williams (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



Overview

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.

Consequences

  • Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted.
  • Availability: Potentially a program could fail if it needs more arguments then are available.

Exposure period

  • Implementation: This is a simple logical flaw created at implementation time.

Platform

  • Languages: C or C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

Avoidance and mitigation

  • Implementation: Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.

Discussion

This issue can be simply combated with the use of proper build process.

Examples

In C or C++:

foo_funct(one, two); � void foo_funct(int one, int two, int three) {

 printf("1) %d\n2) %d\n3) %d\n", one, two, three);

} This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it.

Another example in C/C++ is:

void some_function(int foo, ...) {

   int a[3], i;
   va_list ap;
   va_start(ap, foo);

for (i = 0; i < sizeof(a) / sizeof(int); i++)

       a[i] = va_arg(ap, int);
   va_end(ap);

}

int main(int argc, char *argv[]) {

   some_function(17, 42);

}

Related problems

Not available.

Categories