| Name |
Forced Integer Overflow |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code. |
| Prerequisites |
The attacker can manipulate the value of an integer variable utilized by the target host. The target host does not do proper range checking on the variable before utilizing it. When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number) |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
The first step is exploratory meaning the attacker looks for an integer variable that they can control. |
|
| 2 |
Experiment |
The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range. |
|
| 3 |
Exploit |
The integer variable is forced to have a value out of range which set its final value to an unexpected value. |
|
| 4 |
Exploit |
The target host acts on the data and unexpected behavior may happen. |
|
|
| Solutions | Use a language or compiler that performs automatic bounds checking. Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow. Use an abstraction library to abstract away risky APIs. Not a complete solution. Always do bound checking before consuming user input data. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-122 |
Heap-based Buffer Overflow |
| CWE-128 |
Wrap-around Error |
| CWE-190 |
Integer Overflow or Wraparound |
| CWE-196 |
Unsigned to Signed Conversion Error |
| CWE-680 |
Integer Overflow to Buffer Overflow |
| CWE-697 |
Incorrect Comparison |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-128 |
An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats. |
|
| Taxonomy: WASC |
|
Entry ID
|
Entry Name
|
| 03 |
Integer Overflows |
|