CAPEC - CAPEC-46: Overflow Variables and Tags (Release 1.4)

Home > CAPEC List > CAPEC-46: Overflow Variables and Tags (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-46: Overflow Variables and Tags

Overflow Variables and Tags

Attack Pattern ID: 46 (Detailed Attack Pattern Completeness: Complete)

Typical Severity: High

Status: Draft

Description

Summary

This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

Attack Execution Flow

The attacker modifies a tag or variable from a formatted configuration data. For instance she changes it to an oversized string.
The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow.

Attack Prerequisites

The target program consumes user-controllable data in the form of tags or variables.

The target program does not perform sufficient boundary checking.

Typical Likelihood of Exploit

Likelihood: High

Methods of Attack

Injection

Examples-Instances

Description

A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.

Related Vulnerabilities

CVE-1999-0946

Description

A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.

Related Vulnerabilities

CVE-1999-0971

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Probing Techniques

An attacker can modify the variables and tag exposed by the target program.

An attacker can automate the probing by input injection with script or automated tools.

Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Do not trust input data from user. Validate all user input.

Attack Motivation-Consequences

Denial of Service
Run Arbitrary Code
Information Leakage
Data Modification

Injection Vector

The variable or tag exposed to the user.

Payload

The new value of the variable or tag (could be an oversized string).

Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

Payload Activation Impact

The most common is remote code execution.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	Targeted
118	Improper Access of Indexable Resource (aka 'Range Error')	Targeted
119	Failure to Constrain Operations within the Bounds of a Memory Buffer	Targeted
74	Failure to Sanitize Data into a Different Plane (aka 'Injection')	Targeted
20	Improper Input Validation	Targeted
680	Integer Overflow to Buffer Overflow	Targeted
733	Compiler Optimization Removal or Modification of Security-critical Code	Secondary
697	Insufficient Comparison	Targeted

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Attack Pattern	100	Overflow Buffers	Mechanism of Attack1000
ChildOf	Attack Pattern	100	Overflow Buffers	Mechanism of Attack (primary)1000
PeerOf	Attack Pattern	8	Buffer Overflow in an API Call	Mechanism of Attack1000
PeerOf	Attack Pattern	10	Buffer Overflow via Environment Variables	Mechanism of Attack1000

Purposes

Penetration
Exploitation

CIA Impact

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: High

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All C C++

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

CWE - Buffer Errors

Content History

Submissions
Submitter	Organization	Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.	Cigital, Inc	2007-03-01

Modifications
Modifier	Organization	Date	Comments
Eric Dalci	Cigital, Inc	2007-02-13	Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum	Cigital, Inc	2007-03-05	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Related Attack Patterns
Sean Barnum	Cigital, Inc	2007-04-13	Modified pattern content according to review and feedback

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us