English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CAPEC-47

Buffer Overflow via Parameter Expansion
MEDIUM
HIGH
Draft
2014-06-23 00:00 +00:00
2022-02-22 00:00 +00:00
CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Informations

Execution Flow

1) Explore

[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

2) Experiment

[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Technique
  • In this attack, the normal method of providing large user input does not work. The program performs bounds checking on the user input, but not the expanded user input. The adversary needs to provide input that they believe will be expanded by the program to overflow a buffer. To identify where this is possible, an adversary either needs to have knowledge of the inner workings of the program or use a disassembler and other reverse engineering tools to guide the search.

3) Experiment

[Craft overflow content] The adversary crafts the input to be given to the program. If the intent is to simply cause the software to crash, the input needs only to expand to an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft input that expands in a way that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

Technique
  • Create specific files and directories on the system and then give input using path traversal shortcuts to those directories that could expand past an input buffer.

4) Exploit

[Overflow the buffer] Using the injection vector, the adversary gives the crafted input to the program, overflowing the buffer.

Prerequisites

The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.
The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is).

Skills Required

Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the adversary needs to write the shell code to accomplish their goals, but the adversary also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled adversary.

Resources Required

Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful.

Mitigations

Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system

Related Weaknesses

CWE-ID Weakness Name
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
CWE-130 Improper Handling of Length Parameter Inconsistency
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
CWE-131 Incorrect Calculation of Buffer Size
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-680 Integer Overflow to Buffer Overflow
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
CWE-697 Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2017-01-09 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Attack_Phases
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Example_Instances, Skills_Required
CAPEC Content Team The MITRE Corporation 2021-10-21 +00:00 Updated Description, Execution_Flow
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Example_Instances, Skills_Required

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.