Off-by-one Error [CWE-193] — The Hacktivists

The Hacktivists
May 24, 2022


An off-by-one error occurs when a program uses an improper maximum or minimum value that is one more or one less than the proper value.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Severity and CVSS Scoring

1. Description
………………………………

An off-by-one condition is a logic error in a size calculation when working with strings and arrays. It usually produces a boundary condition that may lead to memory corruption.

Off-by-one errors are often the result of incorrect accounting for the null terminator of a string, or of forgetting that array indices start at zero rather than one. The weakness typically shows up when software iterates a loop a number of times that is greater or fewer than expected.

When an off-by-one condition occurs, the program may read or write beyond the bounds of allocated memory, which can result in data corruption, an application crash, or even code execution.

The following C example uses a loop to read characters from an array:

#include <stdio.h>
#include <string.h>   /* strlen() */
#define MAX_CHARS 19
int main ()
{
    int x;
    int ite_loop = 0;
    /* 19 characters exactly fill the array, so no null terminator is stored
       (legal in C, but strlen() then has no terminator to stop at) */
    char filename[MAX_CHARS] = "My mother loves me.";
    printf("Length of filename array: %zu\n", strlen(filename));
    /* BUG: "<=" makes the loop visit index MAX_CHARS, one past the last element */
    for (x = 0; x <= MAX_CHARS; x++) {
        printf("%c", filename[x]);
        ite_loop += 1;
    }
    printf("\nIterations: %d\n", ite_loop);
    return 0;
}

However, the loop exit condition “x <= MAX_CHARS” is wrong: valid indices run from 0 to MAX_CHARS - 1, so the loop reads one byte beyond the bounds of the array. Consider the following example:

#include <stdio.h>
#include <string.h>   /* strlen() */
#define MAX_CHAR 19
#define MAX_VALUE 30
int main ()
{
    int x;
    int ite_loop = 0;
    /* 19 characters exactly fill the array, so no null terminator is stored */
    char filename[MAX_CHAR] = "My mother loves me.";
    printf("Length of filename array: %zu\n", strlen(filename));
    /* BUG: the loop is bounded by MAX_VALUE (30) instead of the array size MAX_CHAR (19) */
    for (x = 0; x <= MAX_VALUE; x++) {
        printf("%c", filename[x]);
        ite_loop += 1;
    }
    printf("\nIterations: %d\n", ite_loop);
    return 0;
}

In the previous code, the programmer used the wrong #define constant as the loop bound for reading the filename array. This mistake makes the code read a few bytes beyond the bounds of the filename array; consequently, it prints whatever data happens to follow the array in memory.

An off-by-one error can also be introduced by improper use of certain library functions. The following example uses the strncat function, which always null-terminates its output string:

char buf[64];                                   /* fixed-size destination (size chosen for illustration) */
strcpy(buf, "buffer:");
/* BUG: strncat() copies up to n bytes AND then writes a NUL, so n must be sizeof(buf)-strlen(buf)-1 */
strncat(buf, input, sizeof(buf)-strlen(buf));

The improper usage of the strncat function (the third argument leaves no room for the terminator it appends) produces an off-by-one condition which, depending on the application architecture, may lead to code execution.
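To make the missing byte visible, here is an added example (not part of the original post) that runs the strncat pattern above against a CAP-byte buffer backed by one extra canary byte, once with the page's length computation and once with the corrected one. CAP, CANARY and append_and_check are constructed names for this demonstration; the extra byte of backing storage exists only so the overflowing write lands somewhere we can inspect.

```c
#include <stdio.h>
#include <string.h>

#define CAP    16      /* capacity the caller believes buf has (constructed example) */
#define CANARY 0x7e    /* marker placed in the byte just past the end of buf */

/* Appends input to a CAP-byte buffer using either the page's length
 * computation (CAP - strlen(buf)) or the corrected one (CAP - strlen(buf) - 1).
 * buf points at CAP+1 bytes so the one extra byte lands in backing[CAP]
 * (the canary slot) instead of in unrelated memory.
 * Returns 1 if the canary was overwritten (off-by-one write), 0 otherwise. */
int append_and_check(const char *input, int corrected)
{
    char backing[CAP + 1];
    char *buf = backing;                  /* the CAP-byte buffer the code thinks it owns */
    size_t n;

    memset(backing, 0, sizeof backing);
    backing[CAP] = CANARY;
    strcpy(buf, "buffer:");               /* 7 chars + NUL, fits comfortably in CAP */

    /* strncat(dest, src, n) copies up to n chars from src and then ALWAYS
     * writes a NUL, so it may touch n+1 bytes after the current end of dest. */
    n = CAP - strlen(buf);                /* page's version: no room reserved for the NUL */
    if (corrected)
        n -= 1;                           /* fixed: reserve one byte for the NUL */
    strncat(buf, input, n);

    return (unsigned char)backing[CAP] != CANARY;
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAAAAAA";   /* 20 'A's, longer than the free space */
    printf("page's length computation overwrote canary:    %d\n", append_and_check(input, 0));
    printf("corrected length computation overwrote canary: %d\n", append_and_check(input, 1));
    printf("page's computation with short input:           %d\n", append_and_check("x", 0));
    return 0;
}
```

With "buffer:" occupying 7 bytes, the page's computation passes n = 9, so strncat fills indices 7 to 15 and writes its NUL into index 16, the canary slot; the corrected n = 8 keeps the NUL at index 15. The short-input case shows why such bugs survive testing: the overflow only appears when input is at least as long as the remaining space.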

2. Potential impact
………………………………

An off-by-one error leads to unpredictable application behaviour, depending on the nature of the vulnerability, and in most cases results in an application crash or an infinite loop. This weakness can also lead to buffer overflow and memory corruption. In the case of a heap-based buffer overflow, the most obvious result is an application crash. If an off-by-one error leads to a stack-based buffer overflow, successful code execution is more likely.

3. Attack patterns
………………………………

Software written in languages such as C and C++, which leave memory management and bounds checking to the programmer, is potentially vulnerable to this weakness.

4. Affected software
………………………………

Developers should pay extra attention to size parameters, making sure they account for the null terminator when copying character arrays or otherwise manipulating arrays.

5. Severity and CVSS Scoring
………………………………

Off-by-one errors can be used to cause an application crash, data tampering or execution of arbitrary code. Depending on the software and the vulnerable code, these weaknesses may be locally or remotely exploitable.

A typical CVSSv3 score for a locally exploitable vulnerability in an application would look like this:
3.3 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L] — Low severity.

In cases of remote code execution, it is usually scored as:
10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] — High severity.

Credits: https://www.immuniweb.com/


Contact us for Information Security Services & Training https://thehacktivists.in/