Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Weakness ID: 120 (Weakness Base) | Status: Incomplete |
Description Summary
Extended Description
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without checking its length at all. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.
buffer overrun: | Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." |
---|---|
Unbounded Transfer |
Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported. |
Scope | Effect |
---|---|
Integrity | Technical Impact: Execute unauthorized code or commands Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. |
Availability | Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. |
Automated Static Analysis This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. Effectiveness: High Detection techniques for buffer-related errors are more mature than for most other weakness types. |
Automated Dynamic Analysis This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. |
Manual Analysis Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. |
Example 1
The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.
The problem with the code above is that it does not check the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.
Example 2
The following code attempts to create a local copy of a buffer to perform some manipulations to the data.
However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and blindly copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.
Example 3
The excerpt below calls the gets() function in C, which is inherently unsafe.
However, the programmer uses the function gets() which is inherently unsafe because it blindly copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
Reference | Description |
---|---|
CVE-2000-1094 | buffer overflow using command with long argument |
CVE-1999-0046 | buffer overflow in local program using long environment variable |
CVE-2002-1337 | buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" |
CVE-2003-0595 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
CVE-2001-0191 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
Phase: Requirements Strategy: Language Selection Use a language with features that can automatically mitigate or eliminate buffer overflows. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. |
Phase: Architecture and Design Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega, and the Strsafe.h library from Microsoft. These libraries provide safer versions of overflow-prone string-handling functions. This is not a complete solution, since many buffer overflows are not related to strings. |
Phase: Build and Compilation Run or compile your software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, a buffer overflow attack can still cause a denial of service, since the typical response is to exit the application. |
Phase: Implementation Programmers should adhere to the following rules when allocating and managing their applications memory:
|
Phase: Operation Use a feature like Address Space Layout Randomization (ASLR). This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. |
Phase: Operation Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent. This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. |
Phases: Build and Compilation; Operation Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. |
Phase: Implementation Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Effectiveness: Moderate This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). |
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Seven Pernicious Kingdoms (primary)700 |
ChildOf | Weakness Class | 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004)711 |
ChildOf | Category | 726 | OWASP Top Ten 2004 Category A5 - Buffer Overflows | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | Category | 802 | 2010 Top 25 - Risky Resource Management | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
CanPrecede | Weakness Base | 123 | Write-what-where Condition | Research Concepts1000 |
ParentOf | Weakness Variant | 785 | Use of Path Manipulation Function without Maximum-sized Buffer | Development Concepts (primary)699 Research Concepts1000 |
CanFollow | Weakness Base | 170 | Improper Null Termination | Research Concepts1000 |
CanFollow | Weakness Base | 231 | Improper Handling of Extra Values | Research Concepts1000 |
CanFollow | Weakness Base | 242 | Use of Inherently Dangerous Function | Research Concepts1000 |
CanFollow | Weakness Base | 242 | Use of Inherently Dangerous Function | Research Concepts1000 |
CanFollow | Weakness Base | 416 | Use After Free | Research Concepts1000 |
CanFollow | Weakness Base | 456 | Missing Initialization | Research Concepts1000 |
PeerOf | Weakness Base | 124 | Buffer Underwrite ('Buffer Underflow') | Research Concepts1000 |
CanAlsoBe | Weakness Variant | 196 | Unsigned to Signed Conversion Error | Research Concepts1000 |
At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Unbounded Transfer ('classic overflow') | ||
7 Pernicious Kingdoms | Buffer Overflow | ||
CLASP | Buffer overflow | ||
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input |
OWASP Top Ten 2004 | A5 | CWE More Specific | Buffer Overflows |
CERT C Secure Coding | STR35-C | Do not copy data from an unbounded source to a fixed-length array | |
WASC | 7 | Buffer Overflow |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
8 | Buffer Overflow in an API Call | |
9 | Buffer Overflow in Local Command-Line Utilities | |
10 | Buffer Overflow via Environment Variables | |
14 | Client-side Injection-induced Buffer Overflow | |
24 | Filter Failure through Buffer Overflow | |
92 | Forced Integer Overflow | |
42 | MIME Conversion | |
45 | Buffer Overflow via Symbolic Links | |
100 | Overflow Buffers | |
46 | Overflow Variables and Tags | |
47 | Buffer Overflow via Parameter Expansion | |
67 | String Format Overflow in syslog() | |
123 | Buffer Attacks |
A weakness where the code path includes a Buffer Write Operation such that: 1. the expected size of the buffer is greater than the actual size of the buffer where expected size is equal to the sum of the size of the data item and the position in the buffer Where Buffer Write Operation is a statement that writes a data item of a certain size into a buffer at a certain position and at a certain index |
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Public Enemy #1: The Buffer Overrun" Page 127. 2nd Edition. Microsoft. 2002. |
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 5: Buffer Overruns." Page 89. McGraw-Hill. 2010. |
Microsoft. "Using the Strsafe.h Functions". <http://msdn.microsoft.com/en-us/library/ms647466.aspx>. |
Matt Messier and John Viega. "Safe C String Library v1.0.3". <http://www.zork.org/safestr/>. |
Michael Howard. "Address Space Layout Randomization in Windows Vista". <http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx>. |
Arjan van de Ven. "Limiting buffer overflows with ExecShield". <http://www.redhat.com/magazine/009jul05/features/execshield/>. |
"PaX". <http://en.wikipedia.org/wiki/PaX>. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-08-01 | KDM Analytics | External | ||
added/updated white box definitions | ||||
2008-08-15 | Veracode | External | ||
Suggested OWASP Top Ten 2004 mapping | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Applicable Platforms, Common Consequences, Relationships, Observed Example, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-10-10 | CWE Content Team | MITRE | Internal | |
Changed name and description to more clearly emphasize the "classic" nature of the overflow. | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Description, Name, Other Notes, Terminology Notes | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Other Notes, Relationships, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Other Notes, Potential Mitigations, References, Relationship Notes, Relationships | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Other Notes, Potential Mitigations, Relationships | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Relationships | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-10-14 | Unbounded Transfer ('Classic Buffer Overflow') | |||