| Name |
Overflow Variables and Tags |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow. |
| Prerequisites |
The target program consumes user-controllable data in the form of tags or variables. The target program does not perform sufficient boundary checking. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Experiment |
The attacker modifies a tag or variable from a formatted configuration data. For instance they change it to an oversized string. |
|
| 2 |
Exploit |
The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow. |
|
|
| Solutions | Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Do not trust input data from user. Validate all user input. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-118 |
Incorrect Access of Indexable Resource ('Range Error') |
| CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-680 |
Integer Overflow to Buffer Overflow |
| CWE-697 |
Incorrect Comparison |
| CWE-733 |
Compiler Optimization Removal or Modification of Security-critical Code |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-8 |
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process. |
| CAPEC-10 |
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. |
| CAPEC-100 |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
|