NULL Pointer Dereference [CWE-476] — The Hacktivists
NULL Pointer Dereference weakness occurs where software dereferences a pointer with a value of NULL instead of a valid address.
Table of Content
1. Description
2. Potential impact
3. Affected software
4. Severity and CVSS Scoring
1. Description
………………………………
NULL pointer dereferences errors are common in C/C++ languages. The pointer is a programming language data type that references a location in memory. Once the value of the location is obtained by the pointer, this pointer is considered dereferenced.
The NULL pointer dereference weakness occurs where the application dereferences a pointer that is expected to be a valid address but instead is equal to NULL.
The following C++ example causes a NULL pointer to dereference error:
// NULL Pointer Dereference [CWE-476] vulnerable code example
// (c) HTB Research
#include <stdio.h>
int *ptr = NULL;
int _tmain(int argc, _TINT* argv[])
{
*ptr = 17;
return 0;
}Once executed, the application will throw an exception with code c0000005, as shown below:
The following C++ code demonstrates NULL pointer dereference error within the getaddrinfo() function when argv[2] is empty:
// NULL Pointer Dereference [CWE-476] vulnerable code example
// (c) HTB Research
#undef UNICODE
#include "StdAfx.h"
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#pragma comment (lib, "Ws2_32.lib")
int __cdecl main(int argc, char **argv)
{
WSADATA wsaData;
int iResult;
INT iRetval;
DWORD dwRetval;
int i = 1;
struct addrinfo *result = NULL;
struct addrinfo *ptr = NULL;
struct addrinfo hints;
if(argc<2){
printf("usage: %s <proto> <hostname> <servicename>\n", argv[0]);
return 1;
}
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
printf("WSAStartup failed: %d\n", iResult);
return 1;
}
ZeroMemory( &hints, sizeof(hints) );
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dwRetval = getaddrinfo(argv[2], argv[3], &hints, &result);
if ( dwRetval != 0 ) {
printf("getaddrinfo failed with error: %d\n", dwRetval);
WSACleanup();
return 1;
}
printf("getaddrinfo returned success\n");
return 0;
}The above code contains a logic error when checking against the number of input parameters in the if(argc<2) statement. As a result, NULL is passed as the first argument of the getaddrinfo() function instead of a valid address.
A number of flaws can cause NULL pointer to dereference issues, including race condition, and programming omissions as demonstrated above.
2. Potential impact
………………………………
In most cases, NULL pointer dereferences errors result in the crash of the application however, code execution is possible under certain circumstances.
Depending on the privileges of the application, this weakness can result in a denial of service attack against the entire system or can be used to gain complete control over it.
3. Attack software
………………………………
Software written in C/C++, Assembly or any other language that makes usage of pointers is potentially vulnerable to this type of weakness.
4. Severity and CVSS Scoring
……………………………………..
Since NULL pointer dereferences errors mostly result in application crash, they are usually scored with availability impact only.
A common CVSS score for locally exploitable vulnerability in client application would look like this:
2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) — Low severity.
If a high-privileged application, such as a driver or critical system service contains a NULL pointer dereference error, it should be scored with complete availability impact, since the crash of such application may render the system inaccessible: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) — Medium severity.
In cases of remote code execution, it is usually scored with medium or high access complexity metric:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) — Critical severity.
Credits: https://www.immuniweb.com/
