Home > CAPEC List > CAPEC-92: Forced Integer Overflow (Version 2.9)  

CAPEC-92: Forced Integer Overflow

 
Forced Integer Overflow
Definition in a New Window Definition in a New Window
Attack Pattern ID: 92
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

+ Attack Execution Flow
Explore
  1. The first step is exploratory meaning the attacker looks for an integer variable that he can control.

Experiment
  1. The attacker finds an integer variable that he can write into or manipulate and try to get the value of the integer out of the possible range.

Exploit
  1. The integer variable is forced to have a value out of range which set its final value to an unexpected value.

  2. The target host acts on the data and unexpected behavior may happen.

+ Attack Prerequisites
  • The attacker can manipulate the value of an integer variable utilized by the target host.

  • The target host does not do proper range checking on the variable before utilizing it.

  • When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • Injection
  • API Abuse
  • Analysis
+ Examples-Instances

Description

Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.

Related Vulnerabilities

Description

The following code illustrates an integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer.

include <stdlib.h>
include <string.h>
include <stdio.h>

int main (int argc, char *const *argv)
{
if (argc !=3){
printf("Usage: prog_name <string1> <string2>\n");
exit(-1);
}
unsigned short int total;
total = strlen(argv[1])+strlen(argv[2])+1;
char * buff = (char *)malloc(total);
strcpy(buff, argv[1]);
strcpy(buff, argv[2]);
}

[R.92.4], [R.92.5]

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow an integer by inserting an out of range value.

Skill or Knowledge Level: High

Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

Vulnerability testing tool can be used to probe for integer overflow (e.g. fuzzer).

+ Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Always do bound checking before consuming user input data.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Availability
DoS: crash / exit / restart
+ Injection Vector

The user supplied data.

+ Payload

The integer overrun by the attacker.

+ Activation Zone

When the function use the integer as offset, the offset may be out of the expected range which may lead to unexpected behavior such as issues of availability.

+ Payload Activation Impact

The most common are issues of availability. In some situation, an integer overflow can turn out to be an exploitable buffer overflow, then the attacker may be able to run arbitrary code on the target host.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: LowIntegrity Impact: MediumAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.92.1] [REF-29] J. Viega and G. McGraw. "Building Secure Software". Addison-Wesley. 2002.
[R.92.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-190 - Integer overflow (wrap or wraparound). Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/190.html>.
[R.92.3] [REF-5] "The OWASP Application Security Desk Reference". Integer overflow. The Open Web Application Security Project (OWASP). 2009. <http://www.owasp.org/index.php/Integer_overflow>.
[R.92.4] [REF-41] Robert C. Seacord. "SAMATE - Software Assurance Metrics And Tool Evaluation". Test Case ID 1511. National Institute of Standards and Technology (NIST). 2006-05-22. <http://samate.nist.gov/SRD/view_testcase.php?tID=1511>.
[R.92.5] Robert C. Seacord. "Secure Coding in C and C++". Page 152, Figure 5-1.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015