CWE-626
Null Byte Interaction Error (Poison Null Byte)
Draft
2007-05-07
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Null Byte Interaction Error (Poison Null Byte)
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
CWE Description
A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.
The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.
General Informations
Modes Of Introduction
ImplementationApplicable Platforms
Language
Name: PHP (Undetermined)Name: Perl (Undetermined)
Name: ASP.NET (Undetermined)
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Integrity | Unexpected State |
Observed Examples
| References | Description |
|---|---|
CVE-2005-4155 | NUL byte bypasses PHP regular expression check |
CVE-2005-3153 | inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection |
Potential Mitigations
Phases : ImplementationRemove null bytes from all incoming strings.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
NotesNotes
Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.
References
REF-514
Poison NULL byteRain Forest Puppy.
https://insecure.org/news/P55-07.txt
REF-515
0x00 vs ASP file upload scriptsBrett Moore.
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf
REF-516
ShAnKaR: multiple PHP application poison NULL byte vulnerabilityShAnKaR.
https://seclists.org/fulldisclosure/2006/Sep/185
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Description, Other_Notes, Research_Gaps, Terminology_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.