CWE Reference
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Official CWE-119 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Release 4.20weaknessStable
Glexia's Take
CWE-119: Buffer Overflow
Improper Restriction of Operations within the Bounds of a Memory Buffer represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Integrity,Confidentiality,Availability: Execute Unauthorized Code or Commands,Modify Memory: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can alter the intended control flow by redirecting a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.
- Availability,Confidentiality: Read Memory,DoS: Crash, Exit, or Restart,DoS: Resource Consumption (CPU),DoS: Resource Consumption (Memory): Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
- Confidentiality: Read Memory: In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Developer Pattern
CWE-119 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-119, 4.20.
Official CWE Definition
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.,Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476).
- This example applies an encoding procedure to an input string and stores it into a buffer. The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
- The following example asks a user for an offset into an array to select an item. The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).
- In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.
- Windows provides the _mbs family of functions to perform various operations on multibyte strings. When these functions are passed a malformed multibyte string, such as a string containing a valid leading byte followed by a single null byte, they can read or write past the end of the string buffer causing a buffer overflow. The following functions all pose a risk of buffer overflow: _mbsinc _mbsdec _mbsncat _mbsncpy _mbsnextc _mbsnset _mbsrev _mbsset _mbsstr _mbstok _mbccpy _mbslen
Remediation
- Requirements: [object Object]
- Architecture and Design: [object Object]
- Operation,Build and Compilation: [object Object]
- Implementation: [object Object]
- Operation: [object Object]
- Implementation: Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Detection
- Automated Static Analysis: [object Object]
- Automated Dynamic Analysis: This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- Automated Dynamic Analysis: Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
- Automated Static Analysis - Binary or Bytecode: [object Object]
- Manual Static Analysis - Binary or Bytecode: [object Object]
- Dynamic Analysis with Automated Results Interpretation: [object Object]
- Dynamic Analysis with Manual Results Interpretation: [object Object]
- Manual Static Analysis - Source Code: [object Object]
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-118: Incorrect Access of Indexable Resource ('Range Error')
- CWE-20: Improper Input Validation
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-125: Out-of-bounds Read
- CWE-125: Out-of-bounds Read
- CWE-125: Out-of-bounds Read
- CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
- CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
- CWE-128: Wrap-around Error
- CWE-129: Improper Validation of Array Index
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.