This attack forces an integer variable out of its representable range. Such a
variable is often used as a length, offset or memory-allocation size. The
attacker typically controls the value of the variable, or an input from which
it is computed, and drives it out of range. For instance, if the integer is
incremented past its maximum value it wraps around to a very small or negative
number; the resulting incorrect value can lead to unexpected behavior. At
worst the attacker can execute arbitrary code.
Attack Execution Flow
1. The first step is exploratory: the attacker looks for an integer variable
that he can control.
2. The attacker finds an integer variable that he can write into or
manipulate and tries to push its value out of the possible range. The integer
variable is forced out of range, which sets its final value to an unexpected
value.
3. The target host acts on the data and unexpected behaviour may follow.
Attack Prerequisites
The attacker can manipulate the value of an integer variable utilized by
the target host.
The target host does not do proper range checking on the variable before
utilizing it.
When the integer variable is incremented or decremented to an out-of-range
value, it takes on a very different value (e.g. a very small or negative
number).
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
Injection
API Abuse
Analysis
Examples-Instances
Description
Integer overflow in the ProcAuWriteElement function in
server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN
237 allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a large max_samples value.
Related Vulnerabilities
CVE-2007-1544
Description
The following code illustrates an integer overflow. Declaring the total as
"unsigned short int" assumes that the combined length of the first and
second arguments fits in such an integer. From "Secure Coding in C and C++"
by Robert C. Seacord, page 152, Figure 5-1.
An attacker can overflow the integer simply by supplying an out-of-range
value.
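The following C program is an added example written for this entry; it is not the figure from Seacord's book and not code from any of the products named above. It reproduces the pattern the description and the example above discuss: a combined length is computed into a deliberately narrow "unsigned short", wraps silently past 65535, and would then be used as an allocation size. Beside it sits the hardened computation that performs the arithmetic in size_t, rejects wrap-around, and rejects any value that would not survive narrowing, plus the same check for a multiplied allocation size (an attacker-chosen element count times an element size, the shape of the max_samples case). The function names, the 65535-byte constructed input and the "foo"/"bar" strings are all assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* VULNERABLE (assumed illustration, not the book's code): the sum of two
 * string lengths plus one terminator is stored in an unsigned short, so any
 * total above USHRT_MAX (65535) wraps modulo 65536. In the original pattern
 * the narrowing is an implicit conversion; it is written as an explicit cast
 * here only to keep the build quiet. The wrapped value would then be passed to
 * malloc() and the following copy would overrun the heap buffer. Only the size
 * computation is kept so the function can be exercised safely. */
unsigned short vulnerable_total_len(size_t len1, size_t len2)
{
    unsigned short total = (unsigned short)(len1 + len2 + 1);
    return total;
}

/* HARDENED: compute in size_t, refuse if the addition would wrap, and refuse
 * if the result does not fit the destination type. Sets *out only on success. */
bool checked_total_len(size_t len1, size_t len2, unsigned short *out)
{
    if (len1 > SIZE_MAX - len2)          /* len1 + len2 would wrap */
        return false;
    size_t sum = len1 + len2;
    if (sum > SIZE_MAX - 1)              /* adding the terminator would wrap */
        return false;
    sum += 1;
    if (sum > USHRT_MAX)                 /* would not survive the narrowing */
        return false;
    *out = (unsigned short)sum;
    return true;
}

/* Same discipline for a multiplied allocation size: an attacker-controlled
 * element count times a fixed element size. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (count != 0 && elem_size > SIZE_MAX / count)   /* product would wrap */
        return false;
    *out = count * elem_size;
    return true;
}

/* Concatenate two strings using the hardened length computation. Returns a
 * heap string the caller frees, or NULL when the combined length is out of
 * range for the (deliberately narrow) length type or allocation fails. */
char *safe_concat(const char *a, const char *b)
{
    unsigned short total;
    size_t la = strlen(a), lb = strlen(b);
    if (!checked_total_len(la, lb, &total))
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, a, la);
    memcpy(buf + la, b, lb + 1);         /* lb + 1 copies the terminator */
    return buf;
}

int main(void)
{
    /* Constructed input: a 65535-byte string plus an empty one. The total
     * 65536 wraps to 0 in the vulnerable version and is rejected by the
     * checked version. */
    printf("vulnerable: 65535 + 0 + 1 -> %u\n", vulnerable_total_len(65535, 0));
    unsigned short t;
    printf("checked:    65535 + 0 + 1 -> %s\n",
           checked_total_len(65535, 0, &t) ? "accepted" : "rejected");
    char *s = safe_concat("foo", "bar");
    printf("safe_concat(\"foo\", \"bar\") -> %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The check "len1 > SIZE_MAX - len2" is the portable way to detect unsigned wrap-around before it happens; testing "len1 + len2 < len1" after the fact also works for unsigned types but relies on the wrap having already occurred, and for signed types that wrap is undefined behaviour, so the pre-check form is the one to use.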
Attacker Skills or Knowledge Required
High: Exploiting a buffer overflow by injecting malicious code into the
stack or the heap of a software system can require a higher skill level.
Probing Techniques
A vulnerability testing tool such as a fuzzer can be used to probe for
integer overflows.
Solutions and Mitigations
Use a language or compiler that performs automatic bounds checking.
Carefully review the service's implementation before making it available
to users. Manual or automated code review can uncover vulnerabilities such
as integer overflow.
Use an abstraction library to abstract away risky APIs. This is not a
complete solution.
Always perform bounds checking before consuming user-supplied data.
Attack Motivation-Consequences
Data Modification
Privilege Escalation
Run Arbitrary Code
Information Leakage
Denial of Service
Injection Vector
The user supplied data.
Payload
The integer overrun by the attacker.
Activation Zone
When the function uses the integer as an offset, the offset may fall outside
the expected range, which may lead to unexpected behavior such as
availability issues.
Payload Activation Impact
The most common are issues of availability. In some situations an integer
overflow turns out to be an exploitable buffer overflow, and the attacker may
then be able to run arbitrary code on the target host.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.