Overflow Variables and Tags |
Attack Pattern ID: 46 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
Attack Execution Flow
The attacker modifies a tag or variable from a formatted configuration data. For instance she changes it to an oversized string.
The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow.
The target program consumes user-controllable data in the form of tags or variables.
The target program does not perform sufficient boundary checking.
Description
A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.
Related Vulnerabilities
CVE-1999-0946
Description
A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.
Related Vulnerabilities
CVE-1999-0971
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
An attacker can modify the variables and tag exposed by the target program.
An attacker can automate the probing by input injection with script or automated tools.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Do not trust input data from user. Validate all user input.
- Denial of Service
- Run Arbitrary Code
- Information Leakage
- Data Modification
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Targeted |
118 | Improper Access of Indexable Resource ('Range Error') | Targeted |
119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Targeted |
20 | Improper Input Validation | Targeted |
680 | Integer Overflow to Buffer Overflow | Targeted |
733 | Compiler Optimization Removal or Modification of Security-critical Code | Secondary |
697 | Insufficient Comparison | Targeted |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to![]() |
---|---|---|---|---|---|
PeerOf | ![]() | 8 | Buffer Overflow in an API Call | Mechanism of Attack1000 | |
PeerOf | ![]() | 10 | Buffer Overflow via Environment Variables | Mechanism of Attack1000 | |
ChildOf | ![]() | 100 | Overflow Buffers | Mechanism of Attack (primary)1000 |
CWE - Buffer Errors
Submissions | ||||
---|---|---|---|---|
Submitter | Organization | Date | ||
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | ||
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Related Attack Patterns | ||
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |