CAPEC-92: Forced Integer Overflow

Detailed Draft Typical Severity: High Likelihood of Attack: High

CAPEC Version: 3.9

Updated: 2023-01-24

Description

This attack forces an integer variable out of its valid range. The integer is often used as a size or offset, for example the size of a memory allocation. The attacker typically controls the value of that variable and tries to push it out of range. For instance, if the integer is incremented past its maximum representable value, it may wrap around to a very small or negative number, producing an incorrect value that leads to unexpected behavior. At worst, the attacker can execute arbitrary code.

Execution Flow

Step 1 Explore

The first step is exploratory: the attacker looks for an integer variable that they can control.

Step 2 Experiment

The attacker finds an integer variable that they can write to or manipulate and tries to push its value outside the possible range.

Step 3 Exploit

The integer variable is forced out of range, which sets its final value to an unexpected one.

Step 4 Exploit

The target host acts on the data, and unexpected behavior may result.

Prerequisites

  • The attacker can manipulate the value of an integer variable utilized by the target host.
  • The target host does not do proper range checking on the variable before utilizing it.
  • When the integer variable is incremented or decremented to an out-of-range value, it takes on a very different value (e.g. a very small or negative number).

Skills Required

Low An attacker can simply overflow an integer by inserting an out of range value.
High Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.

Consequences

Scope: Integrity

Technical Impact: Modify Data

Scope: Confidentiality Access Control Authorization

Technical Impact: Gain Privileges

Scope: Confidentiality Integrity Availability

Technical Impact: Execute Unauthorized Commands

Note: Run Arbitrary Code

Scope: Confidentiality

Technical Impact: Read Data

Scope: Availability

Technical Impact: Unreliable Execution

Mitigations

Use a language or compiler that performs automatic bounds checking.

Carefully review the service's implementation before making it available to users. For instance, use manual or automated code review to uncover vulnerabilities such as integer overflows.

Use an abstraction library to abstract away risky APIs. This is not a complete solution.

Always do bounds checking before consuming user input data.
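The following C program is an added example (not part of the CAPEC entry and not the NAS code cited below) illustrating the pattern in the description and the bounds-checking mitigation. It assumes a hypothetical wire format: a 4-byte little-endian record count followed by 16-byte records. The vulnerable path multiplies the attacker-controlled count by the record size in 32-bit arithmetic with no range check, so a count of 0x10000001 wraps to a 16-byte allocation while the copy loop would still try to write 0x10000001 records. The hardened path rejects the count before the multiply can wrap. The names, sizes and sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire format (an assumption of this example):
 * a 4-byte little-endian record count, then count records of RECORD_SIZE bytes. */
#define RECORD_SIZE 16u
#define MAX_RECORDS 65536u   /* policy limit a real server would derive from its needs */

/* Constructed attacker message: count = 0x10000001, no record bodies follow. */
const uint8_t SAMPLE_EVIL[4] = { 0x01, 0x00, 0x00, 0x10 };
/* Constructed benign message: count = 4. */
const uint8_t SAMPLE_OK[4]   = { 0x04, 0x00, 0x00, 0x00 };

/* Read the little-endian count from the header; returns 0 if the header is short. */
uint32_t message_count(const uint8_t *msg, size_t len)
{
    if (len < 4) return 0;
    return (uint32_t)msg[0] | ((uint32_t)msg[1] << 8)
         | ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
}

/* VULNERABLE: the allocation size is a 32-bit product with no range check,
 * so a large count wraps modulo 2^32 and yields a tiny buffer.
 * 0x10000001 * 16 = 0x100000010, which truncates to 0x10 = 16 bytes. */
uint32_t vuln_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Dry run of the consequence: the per-record copy loop would write
 * count * RECORD_SIZE bytes (computed in 64 bits so this check itself
 * cannot wrap) into the buffer the vulnerable code sized.
 * Returns 1 if that write would overrun the buffer, else 0. */
int vuln_overflows(uint32_t count)
{
    uint64_t needed = (uint64_t)count * RECORD_SIZE;
    return needed > (uint64_t)vuln_alloc_size(count);
}

/* HARDENED: reject a zero count, counts above the policy limit, and any count
 * whose product would exceed UINT32_MAX, all before the multiply happens.
 * Returns 1 and stores the size on success, 0 (and leaves *out untouched) otherwise. */
int safe_alloc_size(uint32_t count, uint32_t *out)
{
    if (count == 0 || count > MAX_RECORDS) return 0;
    if (count > UINT32_MAX / RECORD_SIZE) return 0;   /* the overflow check proper */
    *out = count * RECORD_SIZE;
    return 1;
}

/* Convenience wrapper: the accepted size, or 0 when the count is rejected. */
uint32_t safe_size_or_zero(uint32_t count)
{
    uint32_t bytes = 0;
    return safe_alloc_size(count, &bytes) ? bytes : 0;
}

int main(void)
{
    uint32_t evil = message_count(SAMPLE_EVIL, sizeof SAMPLE_EVIL);
    uint32_t ok   = message_count(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("evil count 0x%08x -> vuln alloc %u bytes, overrun=%d, safe size=%u\n",
           evil, vuln_alloc_size(evil), vuln_overflows(evil), safe_size_or_zero(evil));
    printf("ok   count %u -> vuln alloc %u bytes, overrun=%d, safe size=%u\n",
           ok, vuln_alloc_size(ok), vuln_overflows(ok), safe_size_or_zero(ok));
    return 0;
}
```

The policy cap alone would already reject the sample message, but the division check (`count > UINT32_MAX / RECORD_SIZE`) is the part that generalizes: it catches any count whose product cannot be represented, independent of what limit the application chooses, and it is evaluated before the multiplication rather than after it has already wrapped.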

Example Instances

Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544

Taxonomy Mappings

Taxonomy Name Entry ID Entry Name
WASC 03 Integer Overflows
Key Information

CAPEC ID: CAPEC-92

Abstraction: Detailed

Status: Draft

Typical Severity: High

Likelihood of Attack: High

Related Attack Patterns