CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Compound Element ID: 120 (Compound Element Base: Composite) | Status: Incomplete
Description

Description Summary: The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Extended Description

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without checking its length at all. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.
Alternate Terms

| Term | Description |
|---|---|
| buffer overrun | Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." |
| Unbounded Transfer | |
Terminology Notes

Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.
Time of Introduction
- Architecture and Design
- Implementation
Common Consequences

| Scope | Effect |
|---|---|
| Availability | Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. |
| Integrity | Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. |
| Integrity | When the consequence is arbitrary code execution, this can often be used to subvert any other security service. |
Likelihood of Exploit

Observed Examples

| Reference | Description |
|---|---|
| CVE-2000-1094 | buffer overflow using command with long argument |
| CVE-1999-0046 | buffer overflow in local program using long environment variable |
| CVE-2002-1337 | buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" |
| CVE-2003-0595 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
| CVE-2001-0191 | By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. |
Potential Mitigations

| Phase | Description |
|---|---|
| Architecture and Design | Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings. |
| Architecture and Design | Use the <strsafe.h> library. This library has buffer-overflow-safe functions that will help with the detection of buffer overflows. |
| Build and Compilation | Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. This is not necessarily a complete solution, since these canary-based mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. |
| Implementation | Programmers should adhere to the following rules when allocating and managing their application's memory: double check that your buffer is as large as you specify; when using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string; check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space; truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. |
| Operation | Use a feature like Address Space Layout Randomization (ASLR). This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. |
| Operation | Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent. This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. |
| Build and Compilation; Operation | Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. |
Weakness Ordinalities

| Ordinality | Description |
|---|---|
| Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
| Primary | (where the weakness exists independent of other weaknesses) |
Relationships

Relationship Notes

At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them.
Affected Resources

Functional Areas

Causal Nature

Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Unbounded Transfer ('classic overflow') |
| 7 Pernicious Kingdoms | | | Buffer Overflow |
| CLASP | | | Buffer overflow |
| OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input |
| OWASP Top Ten 2004 | A5 | CWE More Specific | Buffer Overflows |
| CERT C Secure Coding | STR35-C | | Do not copy data from an unbounded source to a fixed-length array |
White Box Definitions

A weakness where the code path includes a Buffer Write Operation such that:

1. the expected size of the buffer is greater than the actual size of the buffer, where expected size is equal to the sum of the size of the data item and the position in the buffer

Where Buffer Write Operation is a statement that writes a data item of a certain size into a buffer at a certain position and at a certain index.
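The following is an added example, not code from the CWE entry or from MITRE, that puts the Implementation rules in Potential Mitigations and the White Box Definition above into working C. `buffer_write_checked` implements the white-box condition as a guard (the write is refused when position plus data-item size exceeds the buffer's actual size), `copy_bounded` replaces the classic unchecked `strcpy()` into a fixed-size buffer with a copy that always NUL-terminates and reports truncation, and `strncpy_terminates` shows the `strncpy()` caveat from the Implementation row. The function names and the inputs in `main()` are this example's own constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* White-box check from the CWE text as a guard around one buffer write:
 * refuse the write when pos + data_len (the "expected size") exceeds
 * buf_cap (the "actual size"). The comparison is arranged so it cannot
 * wrap around in size_t. Example helper, not part of the CWE entry. */
bool buffer_write_checked(char *buf, size_t buf_cap, size_t pos,
                          const char *data, size_t data_len)
{
    if (pos > buf_cap || data_len > buf_cap - pos)
        return false;               /* would write past the buffer */
    memcpy(buf + pos, data, data_len);
    return true;
}

/* The classic pattern is strcpy(dst, src) into a fixed-size dst with no
 * length check. This replacement copies at most dst_cap - 1 bytes, always
 * writes a terminator, and reports whether the input was truncated so the
 * caller can reject over-long input rather than silently shortening it.
 * Returns the number of bytes stored, not counting the terminator. */
size_t copy_bounded(char *dst, size_t dst_cap, const char *src,
                    bool *truncated)
{
    if (dst_cap == 0) {             /* no room even for '\0' */
        if (truncated) *truncated = true;
        return 0;
    }
    size_t src_len = strlen(src);
    size_t n = src_len < dst_cap - 1 ? src_len : dst_cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    if (truncated) *truncated = (n < src_len);
    return n;
}

/* The strncpy() caveat from the Implementation mitigation: when the source
 * fills the whole destination, strncpy() stores no terminator. Returns true
 * only if buf holds a '\0' somewhere within its cap bytes after the call. */
bool strncpy_terminates(char *buf, size_t cap, const char *src)
{
    strncpy(buf, src, cap);
    return memchr(buf, '\0', cap) != NULL;
}

int main(void)
{
    char buf[8];                    /* constructed fixed-size destination */
    bool truncated;

    /* Constructed inputs: one that fits, one that is too long. */
    size_t n = copy_bounded(buf, sizeof buf, "hello", &truncated);
    printf("stored %zu bytes, truncated=%d, buf=\"%s\"\n", n, truncated, buf);

    n = copy_bounded(buf, sizeof buf, "0123456789", &truncated);
    printf("stored %zu bytes, truncated=%d, buf=\"%s\"\n", n, truncated, buf);

    /* Position 5 plus a 4-byte item exceeds the 8-byte capacity: refused. */
    printf("write of 4 bytes at position 5 allowed? %d\n",
           buffer_write_checked(buf, sizeof buf, 5, "abcd", 4));

    /* An 8-byte source into an 8-byte buffer leaves no room for '\0'. */
    printf("strncpy left a terminator? %d\n",
           strncpy_terminates(buf, sizeof buf, "12345678"));
    return 0;
}
```

The truncation flag is the part most often dropped in practice: a bounded copy that silently shortens input keeps the program in bounds but can still change its behaviour, so callers that must preserve the value should treat `truncated == true` as a rejected input.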
References

Content History

Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-08-01 | | KDM Analytics | External | added/updated white box definitions |
| 2008-08-15 | | Veracode | External | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Applicable Platforms, Common Consequences, Relationships, Observed Example, Other Notes, Taxonomy Mappings, Weakness Ordinalities |
| 2008-10-10 | CWE Content Team | MITRE | Internal | Changed name and description to more clearly emphasize the "classic" nature of the overflow. |
| 2008-10-14 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Description, Name, Other Notes, Terminology Notes |
| 2008-11-24 | CWE Content Team | MITRE | Internal | updated Other Notes, Relationships, Taxonomy Mappings |
| 2009-01-12 | CWE Content Team | MITRE | Internal | updated Common Consequences, Other Notes, Potential Mitigations, References, Relationship Notes, Relationships |
| 2009-07-27 | CWE Content Team | MITRE | Internal | updated Other Notes, Potential Mitigations, Relationships |
| 2009-10-29 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships |