| Name |
Buffer Overflow via Environment Variables |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. |
| Prerequisites |
The application uses environment variables. An environment variable exposed to the user is vulnerable to a buffer overflow. The vulnerable environment variable uses untrusted data. Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer. |
|
| 2 |
Experiment |
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. |
- Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.
|
| 3 |
Experiment |
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing. |
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
|
| 4 |
Exploit |
[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer. |
|
|
| Solutions | Do not expose environment variable to the user. Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-99 |
Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-118 |
Incorrect Access of Indexable Resource ('Range Error') |
| CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-302 |
Authentication Bypass by Assumed-Immutable Data |
| CWE-680 |
Integer Overflow to Buffer Overflow |
| CWE-697 |
Incorrect Comparison |
| CWE-733 |
Compiler Optimization Removal or Modification of Security-critical Code |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-100 |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
|
| Taxonomy: OWASP Attacks |
|
Entry ID
|
Entry Name
|
| Link |
Buffer Overflow via Environment Variables |
|