Individual CAPEC Dictionary Definition (Release 1.1)

Forced Integer Overflow

| Field | Value |
|---|---|
| Attack Pattern ID | 92 (Pattern Abstraction: Standard) |
| Typical Severity | High |
| Description | Summary: This attack forces an integer variable out of its valid range. The integer is typically used as an offset or as the size of a memory allocation, and the attacker controls or influences its value and tries to push it out of range. If the integer is incremented past the maximum value its type can hold, it wraps to a very small or, for signed types, negative number; the resulting incorrect size or offset leads to unexpected behavior and, at worst, lets the attacker execute arbitrary code. |
| Attack Prerequisites | The attacker can manipulate the value of an integer variable used by the target host. The target host does not perform proper range checking on the variable before using it. When the variable is incremented or decremented past its range, it wraps to a very different value (for example a very small or negative number). |
| Typical Likelihood of Exploit | High |
| Methods of Attack | |
| Examples-Instances | Example 1: Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. Related vulnerability: CVE-2007-1544. Example 2: A code example in which the total length is declared as "unsigned short int", on the assumption that the combined length of the first and second arguments fits in that type; when the inputs are longer the sum is truncated, so the buffer allocated from it is too small for the data copied into it. From Robert C. Seacord, "Secure Coding in C and C++", page 152, Figure 5-1. |
| Attacker Skill or Knowledge Required | Low: an attacker can overflow the integer simply by supplying an out-of-range value. High: turning the resulting buffer overflow into code execution by injecting malicious code into the stack or heap of the target requires a higher skill level. |
| Probing Techniques | A vulnerability-testing tool such as a fuzzer can be used to probe for integer overflows, by feeding boundary values (zero, one, the maximum of each integer width, and values just beyond it) into every length, count and offset field and watching for crashes or sizes that come out smaller than their inputs. |
| Solutions and Mitigations | (1) Use a language or compiler that performs automatic bounds checking. (2) Carefully review the service's implementation before making it available to users; for instance, use manual or automated code review to uncover vulnerabilities such as integer overflows. (3) Use an abstraction library to abstract away risky APIs; this is not a complete solution. (4) Always range-check user-supplied values before consuming them: perform the check on the full-width result before it is narrowed or passed to an allocator, and reject any size or count that exceeds an application-defined limit. |
| Attack Motivation- | |
| Context Description | An integer overflow condition exists when an integer that has not been properly sanity-checked is used to determine an offset or size for memory allocation, copying, concatenation, or a similar operation. If the integer is incremented past the maximum value its type can hold, it may wrap to a very small or negative number, yielding a badly incorrect value. |
| Injection Vector | User-supplied data. |
| Payload | The integer value overrun by the attacker. |
| Activation Zone | When a function uses the integer as an offset or size, the value may fall outside the expected range, leading to unexpected behavior such as loss of availability. |
| Payload Activation Impact | The most common impact is loss of availability (a crash). In some situations the integer overflow turns into an exploitable buffer overflow, and the attacker may then be able to run arbitrary code on the target host. |
| Related Weaknesses | |
| Related Security Principles | |
| Purpose | Exploitation |
| CIA Impact | |
| Technical Context | |
| References | J. Viega and G. McGraw, "Building Secure Software", Addison-Wesley, 2002. CWE, "Integer Overflow (Wrap or Wraparound)". OWASP, "Integer overflow", Secure Software, http://www.owasp.org/index. SAMATE, samate.nist.gov. |
| Source | |
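The length and count computations described in the Description, Examples-Instances and Solutions and Mitigations rows, as an added example in C. This is not code from this page, from Seacord's book or from NAS; the function names, the constructed inputs and the application ceiling `max_len` are assumptions chosen for illustration. The vulnerable helper mirrors the shape of the "unsigned short int" example, the checked helpers show the mitigation of range-checking the full-width result before it reaches the allocator, and the multiplication check covers the count-times-size shape of an allocation driven by a field like max_samples.

```c
/* Added example (not CAPEC's, Seacord's or NAS code): an attacker-controlled
 * length drives an integer wrap in a narrow type, beside the checked form.
 * All names and the max_len ceiling are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: the allocation size is accumulated in an unsigned short,
 * so strlen(a) + strlen(b) + 1 is silently reduced modulo 65536 once the
 * inputs are long. A program that then calls malloc(total) and copies both
 * strings writes far past the end of the block. This helper only returns
 * the truncated size so the wrap can be observed without corrupting memory. */
unsigned short vuln_total_len(size_t len_a, size_t len_b)
{
    unsigned short total = len_a + len_b + 1;  /* implicit truncation */
    return total;
}

/* Hardened: compute in size_t, refuse any sum that would wrap, and also
 * enforce an application-defined ceiling so a huge but non-wrapping request
 * cannot exhaust memory. Returns false when the inputs are rejected. */
bool checked_total_len(size_t len_a, size_t len_b, size_t max_len, size_t *out)
{
    if (len_a > max_len || len_b > max_len) return false;
    if (len_a > SIZE_MAX - len_b) return false;        /* len_a + len_b wraps */
    if (len_a + len_b > SIZE_MAX - 1) return false;    /* the final + 1 wraps */
    size_t total = len_a + len_b + 1;
    if (total > max_len) return false;
    *out = total;
    return true;
}

/* Safe concatenation built on the checked size. Returns NULL on rejection
 * or allocation failure; the caller owns the returned buffer. */
char *safe_concat(const char *a, const char *b, size_t max_len)
{
    size_t len_a = strlen(a), len_b = strlen(b), total;
    if (!checked_total_len(len_a, len_b, max_len, &total)) return NULL;
    char *buf = malloc(total);
    if (buf == NULL) return NULL;
    memcpy(buf, a, len_a);
    memcpy(buf + len_a, b, len_b + 1);  /* includes the terminating NUL */
    return buf;
}

/* Count-times-size allocation, the shape of a sample-count field driving a
 * buffer size: check the multiplication before calling malloc(). */
bool checked_mul_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

int main(void)
{
    /* Constructed lengths: 40000 + 30000 + 1 = 70001 does not fit in 16 bits. */
    printf("truncated total for 40000+30000+1: %u\n", vuln_total_len(40000, 30000));

    size_t total;
    printf("checked total accepts? %s\n",
           checked_total_len(40000, 30000, 65535, &total) ? "yes" : "no");

    char *s = safe_concat("hello, ", "world", 1024);
    if (s != NULL) { printf("%s\n", s); free(s); }

    size_t bytes;
    printf("count 1000 x 8 bytes accepted? %s\n",
           checked_mul_size(1000, 8, &bytes) ? "yes" : "no");
    printf("count SIZE_MAX/4+1 x 8 bytes accepted? %s\n",
           checked_mul_size(SIZE_MAX / 4 + 1, 8, &bytes) ? "yes" : "no");
    return 0;
}
```

The checked functions deliberately return a status instead of clamping: a silently clamped size still mismatches the data copied into the buffer, which is exactly the condition the attack needs.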
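The boundary-value probing mentioned in the Probing Techniques row, as an added example in C that is not part of this page. The target function is a constructed stand-in for a parser that adds two untrusted 32-bit fields to get a frame size; the edge-value list and the wrap oracle are the author's assumptions about what a fuzzer would try first, not a description of any particular tool.

```c
/* Added example (not CAPEC's code): a boundary-value probe in the spirit of
 * fuzzing for integer overflow. The target is a constructed stand-in for a
 * careless network parser; the edge list and oracle are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*size_fn)(uint32_t, uint32_t);

/* Constructed target: header_len + payload_len in uint32_t, no range check,
 * exactly the kind of computation a fuzzer is pointed at. */
uint32_t target_frame_size(uint32_t header_len, uint32_t payload_len)
{
    return header_len + payload_len;
}

/* Oracle: a correct sum is never smaller than either operand, so a result
 * below either input proves the addition wrapped. Returns 1 on a wrap. */
int size_wrapped(uint32_t a, uint32_t b, uint32_t result)
{
    return (result < a || result < b) ? 1 : 0;
}

/* Feed every ordered pair of edge values to the target and count the pairs
 * that wrap. Each wrapping pair is printed for the stand-alone reader. */
int probe_target(size_fn target)
{
    /* Boundary values a fuzzer tries first: zero, one, and the maximum of
     * each common width plus the values on either side of it. */
    static const uint32_t edges[] = {
        0u, 1u, 0x7Fu, 0x80u, 0xFFu, 0x7FFFu, 0x8000u, 0xFFFFu,
        0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu
    };
    const size_t n = sizeof edges / sizeof edges[0];
    int wraps = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            uint32_t r = target(edges[i], edges[j]);
            if (size_wrapped(edges[i], edges[j], r)) {
                wraps++;
                printf("wrap: %u + %u -> %u\n", edges[i], edges[j], r);
            }
        }
    }
    return wraps;
}

int main(void)
{
    int found = probe_target(target_frame_size);
    printf("%d of 144 edge-value pairs wrapped\n", found);
    return 0;
}
```

Against this target the probe reports 39 of the 144 pairs as wrapping; a range-checked target that refuses sums exceeding a ceiling would report none, which is the regression check to keep once the bug is fixed.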