String Termination Error

From OWASP
Revision as of 06:32, 26 May 2009 by Deleted user (Talk | contribs)


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Last revision (mm/dd/yy): 05/26/2009


Description

Relying on proper string termination may result in a buffer overflow.

String termination errors occur when:

  • Data enters a program via a function that does not null terminate its output.
  • The data is passed to a function that requires its input to be null terminated.


Risk Factors

TBD

Examples

Example 1

The following code reads from cfgfile into inputbuf and then copies the input into pathbuf using strcpy(). The code mistakenly assumes that inputbuf will always contain a NULL terminator.

	#define MAXLEN 1024
	...
	char inputbuf[MAXLEN];
	char pathbuf[MAXLEN];
	...
	read(cfgfile, inputbuf, MAXLEN); // does not null terminate
	strcpy(pathbuf, inputbuf); // requires null terminated input
	...

The code in Example 1 will behave correctly if the data read from cfgfile is null terminated on disk as expected. But if an attacker is able to modify this input so that it does not contain the expected NULL character, the call to strcpy() will continue copying from memory until it encounters an arbitrary NULL character. This will likely overflow the destination buffer and, if the attacker can control the contents of memory immediately following inputbuf, can leave the application susceptible to a buffer overflow attack.

Example 2

In the following code, readlink() expands the name of a symbolic link stored in the buffer path so that the buffer buf contains the absolute path of the file referenced by the symbolic link. The length of the resulting value is then calculated using strlen().

	...
	char buf[MAXPATH];
	...
	readlink(path, buf, MAXPATH);
	int length = strlen(buf);
	...

The code in Example 2 will not behave correctly because the value read into buf by readlink() will not be null terminated. In testing, vulnerabilities like this one might not be caught because the unused contents of buf and the memory immediately following it may be NULL, thereby causing strlen() to appear as if it is behaving correctly. However, in the wild, strlen() will continue traversing memory until it encounters an arbitrary NULL character on the stack, which results in a value of length that is much larger than the size of buf and may cause a buffer overflow in subsequent uses of this value.
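The corrected form of both examples, as an added illustration that is not part of the original OWASP page: each wrapper terminates the buffer at the byte count the call returned instead of trusting the data to carry a terminator. The names read_cstring, readlink_cstring, demo_read and demo_readlink are hypothetical, and the pipe contents and symlink target are constructed sample input.

```c
#define _XOPEN_SOURCE 700 /* declares readlink(), symlink(), mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* read() wrapper (hypothetical name): keep one byte spare, terminate at the count read. */
ssize_t read_cstring(int fd, char *dst, size_t dstsize) {
    if (dstsize == 0) return -1;
    ssize_t n = read(fd, dst, dstsize - 1);
    dst[n < 0 ? 0 : n] = '\0';
    return n;
}

/* readlink() wrapper (hypothetical name): a result that fills dst may be truncated. */
ssize_t readlink_cstring(const char *path, char *dst, size_t dstsize) {
    if (dstsize == 0) return -1;
    ssize_t n = readlink(path, dst, dstsize);
    if (n < 0 || (size_t)n >= dstsize) { dst[0] = '\0'; return -1; }
    dst[n] = '\0';
    return n;
}

/* Constructed input: 8 unterminated bytes read into a buffer pre-filled with 'A'. */
size_t demo_read(void) {
    int fds[2];
    char buf[32];
    memset(buf, 'A', sizeof buf);
    if (pipe(fds) != 0 || write(fds[1], "/etc/app", 8) != 8) return 0;
    close(fds[1]);
    ssize_t n = read_cstring(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n == 8 ? strlen(buf) : 0;
}

/* Constructed symlink in a fresh temp directory; dstsize picks the fit or truncation case. */
ssize_t demo_readlink(size_t dstsize) {
    char dir[] = "/tmp/ste-demo-XXXXXX", link[64], buf[64];
    memset(buf, 'A', sizeof buf);
    if (dstsize > sizeof buf || mkdtemp(dir) == NULL) return -2;
    snprintf(link, sizeof link, "%s/l", dir);
    ssize_t n = symlink("constructed-target", link) == 0 ? readlink_cstring(link, buf, dstsize) : -2;
    unlink(link);
    rmdir(dir);
    return (n >= 0 && strlen(buf) != (size_t)n) ? -3 : n;
}

int main(void) {
    return printf("%zu %zd %zd\n", demo_read(), demo_readlink(64), demo_readlink(8)) < 0;
}
```

Because the buffers are pre-filled with 'A', strlen() on the unterminated data would have run past the bytes actually read; with the wrappers it stops at the returned length, and a link target that does not fit is rejected rather than silently truncated.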

Traditionally, strings are represented as a region of memory containing data terminated with a NULL character. Older string-handling methods frequently rely on this NULL character to determine the length of the string. If a buffer that does not contain a NULL terminator is passed to one of these functions, the function will read past the end of the buffer.

Malicious users typically exploit this type of vulnerability by injecting data with unexpected size or content into the application. They may provide the malicious input either directly as input to the program or indirectly by modifying application resources, such as configuration files. In the event that an attacker causes the application to read beyond the bounds of a buffer, the attacker may be able to use a resulting buffer overflow to inject and execute arbitrary code on the system.


Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD