Common Attack Pattern Enumeration and Classification
A Community of Knowledge Resource for Building Secure Software
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Attack Execution Flow
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.
On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.
There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.
If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.
When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
[R.10.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.10.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.