| Compound Element ID | CWE-120 (Compound Element Base: Composite) |
| Status | Incomplete |
| Description | A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. |
| Alternate Terms | Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." Many issues that are now called "buffer overflows" are substantively different from the "classic" overflow, including entirely different bug types that merely rely on overflow exploitation techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported. |
| Functional Area | Memory Management |
| Likelihood of Exploit | High to Very High |
| Weakness Ordinality | Resultant (weakness is typically related to the presence of some other weakness); Primary (weakness exists independent of other weaknesses) |
| Causal Nature | Explicit (This is an explicit weakness resulting from behavior of the developer) |
| Affected Resource | Memory |
| Common Consequences | Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Access control (instruction processing): Buffer overflows can often be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service. |
| Potential Mitigations | Pre-design: Use a language or compiler that performs automatic bounds checking.
Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
Design: Use the <strsafe.h> library. Its bounded string functions always NUL-terminate the destination and report truncation, which helps with the detection and prevention of buffer overflows.
Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Implementation: Programmers should adhere to the following rules when allocating and managing their application's memory:
Double check that your buffer is as large as you specify.
When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the source string is as long as or longer than the byte count you pass (typically the destination size), no terminating NUL is written, and later string operations on the destination will read past its end.
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.
Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Operational: Use OS-level preventative functionality. Not a complete solution. |
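The implementation rules above are easiest to see side by side in C. The following is an added example written for this page, not code from CWE or from any vendor library: a fixed-size field (NAME_LEN and the inputs are constructed for the demo), the classic unchecked strcpy() into it, the strncpy() termination pitfall, and a bounded copy that always terminates and tells the caller when input had to be truncated.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: a fixed-size destination, as in a struct field */

/* Vulnerable pattern: strcpy() writes strlen(src)+1 bytes no matter how large
 * dst is, so any input of NAME_LEN or more bytes overflows dst.
 * Shown only for its shape; it is never called by the checks below. */
void set_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* strncpy() pitfall: strncpy(dst, src, n) copies at most n bytes and writes a
 * terminator only when strlen(src) < n. Returns 1 if dst holds a NUL after the
 * copy, 0 if it does not (a later strlen()/printf("%s") would read past dst),
 * -1 if n exceeds the demo buffer. */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char dst[NAME_LEN];
    if (n > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);          /* poison so the missing NUL is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Hardened copy: explicit bound, always NUL-terminates, and reports truncation
 * so the caller can reject over-long input rather than silently shortening it.
 * Returns 1 when src fit in full, 0 when it was truncated to dstsz-1 bytes,
 * -1 when dstsz is 0 and nothing can be written. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    while (n < dstsz && src[n] != '\0')    /* never look at more than dstsz bytes of src */
        n++;
    if (n == dstsz) {                      /* src has at least dstsz chars: truncate */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);               /* n chars plus the terminator */
    return 1;
}

/* Run bounded_copy() into a NAME_LEN buffer and validate the outcome.
 * Returns strlen() of the result, or -1 if the copy violated its contract. */
int bounded_copy_demo(const char *src)
{
    char dst[NAME_LEN];
    int rc = bounded_copy(dst, sizeof dst, src);
    if (rc < 0) return -1;
    if (rc == 1 && strcmp(dst, src) != 0) return -1;         /* full copy must match */
    if (rc == 0 && strlen(dst) != NAME_LEN - 1) return -1;   /* truncated to what fits */
    return (int)strlen(dst);
}

int main(void)
{
    printf("strncpy(\"alice\", %d) terminated: %d\n", NAME_LEN,
           strncpy_leaves_terminator("alice", NAME_LEN));
    printf("strncpy(16 x 'A', %d) terminated: %d\n", NAME_LEN,
           strncpy_leaves_terminator("AAAAAAAAAAAAAAAA", NAME_LEN));
    printf("bounded_copy(\"alice\") -> len %d\n", bounded_copy_demo("alice"));
    printf("bounded_copy(24 x 'A') -> len %d\n", bounded_copy_demo("AAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The design choice worth noting is that bounded_copy() never reads further into src than the destination can hold, so an unterminated source cannot turn the copy into an over-read either; and because truncation is a distinct return value, a caller that must preserve the full input can fail closed instead of proceeding with a silently shortened string.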
| Observed Examples |
| Reference | Description |
|---|---|
| CVE-2000-1094 | buffer overflow using command with long argument |
| CVE-1999-0046 | buffer overflow in local program using long environment variable |
| CVE-2002-1337 | buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" |
| CVE-2003-0595 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
| CVE-2001-0191 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
| Context Notes | At the programmer level, stack-based and heap-based overflows do not differ significantly, so they are not distinguished here. From the exploit perspective, where the attacker must place and reach shellcode, they can of course be quite different.
Buffer overflows are one of the best known types of security problem. The best solution is enforced run-time bounds checking of array access, but many C/C++ programmers assume this is too costly or do not have the technology available to them. Even this solution only addresses the memory-safety failure: an out-of-bounds access is still an exception condition and can lead to an availability problem if not handled.
Some platforms are introducing mitigating technologies at the compiler or OS level. All such technologies to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is more common to make the workload of an attacker much higher, for example by leaving the attacker to guess an unknown value that changes every program execution. |
| Relationships | |
| Source Taxonomies | PLOVER: Unbounded Transfer ('classic overflow'); 7 Pernicious Kingdoms: Buffer Overflow; CLASP: Buffer overflow |
| Applicable Platforms | C C++ |
| Time of Introduction | Implementation |
| Related Attack Patterns |
| CAPEC-ID | Attack Pattern Name |
|---|---|
| 100 | Overflow Buffers |
| 10 | Buffer Overflow via Environment Variables |
| 14 | Client-side Injection-induced Buffer Overflow |
| 42 | MIME Conversion |
| 24 | Filter Failure through Buffer Overflow |
| 8 | Buffer Overflow in an API Call |
| 9 | Buffer Overflow in Local Command-Line Utilities |
| 45 | Buffer Overflow via Symbolic Links |
| 46 | Overflow Variables and Tags |
| 47 | Buffer Overflow via Parameter Expansion |
| 92 | Forced Integer Overflow |
| 67 | String Format Overflow in syslog() |
| White Box Definition | A weakness where the code path includes a Buffer Write Operation such that:
1. the expected size of the buffer is greater than the actual size of the buffer, where the expected size is equal to the sum of the size of the data item and the position in the buffer.
Where a Buffer Write Operation is a statement that writes a data item of a certain size into a buffer at a certain position and at a certain index. |
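The white box definition reduces to a single predicate per write, position + item size <= actual size, and the implementation rule about checking boundaries inside a loop is the same predicate applied before every iteration. The following C is an added example for this page, not CWE's or any project's code: it implements that predicate (with subtraction, so the sum cannot wrap around), shows the unchecked write beside the checked one, and drives the checked write from a loop that packs a constructed length-prefixed record into a caller-supplied buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed output buffer: 'size' is the real allocation, 'pos' the write cursor. */
struct outbuf {
    unsigned char *data;
    size_t size;
    size_t pos;
};

/* The white-box predicate: a write of itemsz bytes at pos fits only if
 * pos + itemsz <= size. Written as size - pos >= itemsz so that a huge or
 * attacker-influenced itemsz cannot wrap the addition and pass the check. */
int write_fits(size_t size, size_t pos, size_t itemsz)
{
    return pos <= size && itemsz <= size - pos;
}

/* Vulnerable form: trusts the cursor and the length it is handed.
 * Kept for contrast; nothing below calls it. */
void buf_put_unchecked(struct outbuf *b, const void *item, size_t itemsz)
{
    memcpy(b->data + b->pos, item, itemsz);
    b->pos += itemsz;
}

/* Checked form: returns 1 and advances the cursor, or 0 and writes nothing. */
int buf_put(struct outbuf *b, const void *item, size_t itemsz)
{
    if (!write_fits(b->size, b->pos, itemsz)) return 0;
    memcpy(b->data + b->pos, item, itemsz);
    b->pos += itemsz;
    return 1;
}

/* Pack fields as <1-byte length><bytes>... into out, re-checking the bound on
 * every iteration. Returns how many whole fields fit; stops at the first that
 * does not, leaving no partial field behind. */
size_t pack_fields(unsigned char *out, size_t outsz,
                   const char *const *fields, size_t nfields)
{
    struct outbuf b = { out, outsz, 0 };
    size_t i;
    for (i = 0; i < nfields; i++) {
        size_t len = strlen(fields[i]);
        uint8_t lenbyte;
        if (len > 255) return i;                          /* does not fit the prefix */
        if (!write_fits(b.size, b.pos, 1 + len)) return i; /* whole field or nothing */
        lenbyte = (uint8_t)len;
        if (!buf_put(&b, &lenbyte, 1) || !buf_put(&b, fields[i], len)) return i;
    }
    return i;
}

/* Constructed sample record (not taken from any real protocol): 13 bytes packed. */
static const char *const SAMPLE_FIELDS[] = { "user", "alice", "r" };
#define SAMPLE_NFIELDS 3

/* Pack the sample record into a buffer of the given size; returns the field
 * count that fit, or (size_t)-1 if outsz exceeds the demo's backing storage. */
size_t pack_demo(size_t outsz)
{
    unsigned char out[64];
    if (outsz > sizeof out) return (size_t)-1;
    return pack_fields(out, outsz, SAMPLE_FIELDS, SAMPLE_NFIELDS);
}

int main(void)
{
    printf("write_fits(16, 8, 8)        = %d\n", write_fits(16, 8, 8));
    printf("write_fits(16, 8, SIZE_MAX) = %d\n", write_fits(16, 8, SIZE_MAX));
    printf("pack_demo(13) fits %zu fields\n", pack_demo(13));
    printf("pack_demo(12) fits %zu fields\n", pack_demo(12));
    return 0;
}
```

Two points a reviewer would look for: the length-prefix and the payload are checked together, so a failure cannot leave a length byte in the buffer that promises bytes which were never written; and the predicate is evaluated against the real allocation size passed in by the caller, not against a size the loop assumes, which is the "double check that your buffer is as large as you specify" rule in practice.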