Failure to Handle Unicode Encoding |
| Weakness ID: 176 (Weakness Variant) | Status: Draft |
DescriptionDescription Summary
Time of Introduction- Implementation
Applicable PlatformsLanguages
All
Demonstrative ExamplesExample 1
Windows provides the MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes(), and BytesToUnicode() functions to convert between arbitrary multibyte (usually ANSI) character strings and Unicode (wide character) strings. The size arguments to these functions are specified in different units, (one in bytes, the other in characters) making their use prone to error.
In a multibyte character string, each character occupies a varying number of bytes, and therefore the size of such strings is most easily specified as a total number of bytes. In Unicode, however, characters are always a fixed size, and string lengths are typically given by the number of characters they contain. Mistakenly specifying the wrong units in a size argument can lead to a buffer overflow.
The following function takes a username specified as a multibyte string and a pointer to a structure for user information and populates the structure with information about the specified user. Since Windows authentication uses Unicode for usernames, the username argument is first converted from a multibyte string to a Unicode string.
This function incorrectly passes the size of unicodeUser in bytes instead of characters. The call to MultiByteToWideChar() can therefore write up to (UNLEN+1)*sizeof(WCHAR) wide characters, or (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, to the unicodeUser array, which has only (UNLEN+1)*sizeof(WCHAR) bytes allocated.
If the username string contains more than UNLEN characters, the call to MultiByteToWideChar() will overflow the buffer unicodeUser.
Observed Examples| Reference | Description |
|---|---|
| CVE-2000-0884 | |
| CVE-2001-0709 | |
| CVE-2001-0669 | Overlaps interaction error. |
Potential MitigationsAvoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. |
Phase: Architecture and Design Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. |
Use and specify a strong output encoding (such as ISO 8859-1 or UTF 8). |
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. |
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Weakness Class | 172 | Encoding Error | Development Concepts (primary)699 Research Concepts (primary)1000 |
| ChildOf |  Category | 747 | CERT C Secure Coding Section 49 - Miscellaneous (MSC) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
Taxonomy Mappings| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Unicode Encoding | ||
| CERT C Secure Coding | MSC10-C | Character Encoding - UTF8 Related Issues |
Related Attack Patterns| CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
|---|---|---|
| 71 | Using Unicode Encoding to Bypass Validation Logic |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| PLOVER | Externally Mined | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Potential Mitigations, Time of Introduction | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Relationships, Taxonomy Mappings | ||||
| 2008-11-24 | CWE Content Team | MITRE | Internal | |
| updated Relationships, Taxonomy Mappings | ||||
| 2009-03-10 | CWE Content Team | MITRE | Internal | |
| updated Demonstrative Examples | ||||
| 2009-05-27 | CWE Content Team | MITRE | Internal | |
| updated Demonstrative Examples | ||||
| 2009-07-27 | CWE Content Team | MITRE | Internal | |
| updated Potential Mitigations | ||||
| Previous Entry Names | ||||
| Change Date | Previous Entry Name | |||
| 2008-04-11 | Unicode Encoding | |||
