CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-626: Null Byte Interaction Error (Poison Null Byte)

 
Null Byte Interaction Error (Poison Null Byte)
Weakness ID: 626 (Weakness Variant)Status: Draft
+ Description

Description Summary

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Extended Description

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

PHP

Perl

ASP.NET

+ Common Consequences
ScopeEffect
Integrity

Technical Impact: Unexpected state

+ Observed Examples
ReferenceDescription
CVE-2005-4155NUL byte bypasses PHP regular expression check
CVE-2005-3153inserting SQL after a NUL byte bypasses whitelist regexp, enabling SQL injection
+ Potential Mitigations

Phase: Implementation

Remove null bytes from all incoming strings.

+ Other Notes

The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

There are not many CVE examples, because the poison NULL byte is

  1. a design limitation, which typically is not included in CVE by itself; and

  2. it is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.

Current (2007) usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness Base436Interpretation Conflict
Development Concepts699
Research Concepts1000
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
+ References
Rain Forest Puppy. "Poison NULL byte". Phrack 55. <http://insecure.org/news/P55-07.txt>.
Brett Moore. "0x00 vs ASP file upload scripts". <http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf>.
ShAnKaR. "ShAnKaR: multiple PHP application poison NULL byte vulnerability". <http://seclists.org/fulldisclosure/2006/Sep/0185.html>.
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities
2011-03-29CWE Content TeamMITREInternal
updated Other_Notes
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Page Last Updated: February 18, 2014