Buffer Errors [CWE-119] — The Hacktivists
Buffer Errors weakness describes improper restriction of operations within the bounds of a memory buffer.
Table of Content
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Severity and CVSS Scoring
1. Description
………………………………
Buffer errors are common for software that performs operations on a memory buffer. Due to the absence or improper validation of input data, an attacker might be able to read or write data outside the intended buffer. This weakness is often referred to as memory corruption. Certain languages allow direct memory addressing and do not automatically ensure that the addressed locations are valid for a buffer that is being referenced. As a result, read and write operations might be performed on memory locations associated with another buffer, variables, data structures, etc.
In this paper, we will cover some of the related weakness’ classes:
❏ CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
This is a classic buffer overflow when the application copies an input buffer of larger size into an output buffer. As a result, a buffer overflow occurs, and data from the input buffer overwrites memory locations.
The following example demonstrates an attempt to store the entered value into a buffer with a size of 20 characters. If more data is passed to the aforementioned buffer and overflow occurs:
// Buffer Errors [CWE-119] vulnerable code example
// (c) HTB Research
#include "StdAfx.h"
#include <stdlib.h>
#include <stdio.h>
#include <string>
int main( int argc, char *argv[] )
{
char input_data[20];
printf ("Enter your data: ");
scanf ("%s", input_data);
return 0;
}❏ CWE-123: Write-what-where Condition
This weakness describes a case where an attacker can write arbitrary data to arbitrary locations in memory. As a result, it is possible to modify the EIP register and redirect execution flow to arbitrary code stored in memory:
// Buffer Errors [CWE-119] vulnerable code example
// (c) HTB Research
#include "StdAfx.h"
#include <stdlib.h>
#include <stdio.h>
#include <string>
#define BUFSIZE 256
int main( int argc, char *argv[] )
{
char *buffer1 = (char *) malloc(BUFSIZE);
char *buffer2 = (char *) malloc(BUFSIZE);
strcpy(buffer1, argv[1]);
free(buffer2);
}The above example allocates two buffers with the size of 256 each and copies user input into buffer1. Since buffer2 is allocated after buffer1 and there is no input validation performed on buffer1, the input data passed to buffer1 can overwrite accounting information that the system keeps for buffer2, e.g. its contents and allocation header as well after the strcpy() call.
The allocation header usually keeps a linked list of memory chunks. In our case, there is a “previous” chunk (buffer1) and a “next” chunk (probably 0). When the free() call occurs, most memory allocation will rewrite the linked list using data from buffer2.
This way the attacker is able to insert a memory address for the “next” chunk and the value to write into that memory address into the “previous” chunk.
The function pointer gets overwritten with memory address under the attacker’s control which might result in arbitrary code execution.
❏ CWE-125: Out-of-bounds Read
This weakness describes a case where a pointer or its index is used to access data beyond the bounds of the intended buffer, resulting in access to potentially sensitive information, application crash or code execution. The following example in C briefly demonstrates the weakness:
// Buffer Errors [CWE-119] vulnerable code example
// (c) HTB Research
int getValueFromArray(int *array, int len, int index) {
int value;
if (index < len)
{
value = array[index];
}
else
{
printf("Value is: %d\n", array[index]);
value = -1;
}
return value;
}The value of “index” is supposed to be lower than the value of “len”, this allows however a negative value to be passed as an array index. The error in code results in out of the bound read and potentially allows access to sensitive information stored in memory.
❏ CWE-130: Improper Handling of Length Parameter Inconsistency
This weakness describes a situation when the length of attacker-controlled input is inconsistent with the length of the associated data. As a result, an attacker might be able to pass a large input to an application that results in buffer errors.
For more information, see: https://www.immuniweb.com/vulnerability/improper-handling-of-length-parameter-inconsistency.html
❏ CWE-786: Access of Memory Location Before Start of Buffer
This issue describes a case where software reads or writes to a buffer using an index or a pointer that references a memory location prior to the beginning of the buffer. This error typically occurs, when a pointer or its index is decremented to a position that precedes the buffer, or when the negative index is used.
The following code uses the supplied number to output the corresponding element from an array. The error is triggered when a negative value is passed as an array index:
// Buffer Errors [CWE-119] vulnerable code example
// (c) HTB Research
#include "StdAfx.h"
#include <stdlib.h>
#include <stdio.h>
#include <string>
int main (int argc, char **argv) {
char *items[] = {"item1", "item2", "item3", "item4"};
if (argc!=2)
{
printf("You did not supply index\n");
return 1;
}
int index = atoi(argv[1]);
printf("You selected %s\n", items[index-1]);
return 0;
}2. Potential impact
………………………………
An attacker who controls the user input can read or write to arbitrary memory locations. As a result, it is possible to obtain potentially sensitive information from memory. It could also cause memory corruption and crash the application or even execute arbitrary code on the target system.
3. Attack patterns
………………………………
An attacker might use the following attack patterns to exploit this weakness:
❏ CAPEC-8: Buffer Overflow in an API Call
❏ CAPEC-9: Buffer Overflow in Local Command-Line Utilities
❏ CAPEC-10: Buffer Overflow via Environment Variables
❏ CAPEC-14: Client-side Injection-induced Buffer Overflow
❏ CAPEC-24: Filter Failure through Buffer Overflow
❏ CAPEC-42: MIME Conversion
❏ CAPEC-44: Overflow Binary Resource File
❏ CAPEC-45: Buffer Overflow via Symbolic Links
❏ CAPEC-46: Overflow Variables and Tags
❏ CAPEC-47: Buffer Overflow via Parameter Expansion
❏ CAPEC-100: Overflow Buffers
Buffer overflow vulnerability is described as a common attack type under WASC-7 in WASC Threat Classification.
4. Affected software
………………………………
Software written in languages such as C and C++ that do not perform memory management is potentially vulnerable to this weakness. The core of PHP is written in C. As a result, PHP built-in functions have been susceptible to buffer error vulnerabilities.
5. Severity and CVSS Scoring
……………………………………..
Buffer overflows can result in information disclosure, application or system crash or even execution of arbitrary code. When scoring this weakness, researchers should consider the maximum possible impact from the vulnerability.
❏ Information disclosure
If there is a possibility to disclose certain parts of memory, the weakness should be scored as C:L/I:N/A:N.
In the case of a remote attack against a client application, the CVSS score is as follows:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] — Medium Severity.
❏ Denial of service
If the vulnerability is present in software and exploitation of buffer overflow results in an application crash, it should be scored as C:N/I:N/A:H.
But if the vulnerability could be used to crash or reboot the entire system, it should be scored as S:C as well.
The following example can be used to score remotely exploitable vulnerability in a network service, which runs with SYSTEM privileges:
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H] — High Severity.
❏ Code execution
If there is a possibility of code execution, the CVSS score should be C:H/I:H/A:H.
For a remote attack vector, we recommend the usage of the following CVSS metrics:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] — Critical Severity.
Credits: https://www.immuniweb.com/
