CAPEC-92 Detail
Forced Integer Overflow
Detailed Software Likelihood: High Typical Severity: High
Parents: 128
Threats: T62 T290 T291
This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker typically controls the value of such a variable and tries to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-92 | capec | https://capec.mitre.org/data/definitions/92.html | |
| CWE-190 | cwe | http://cwe.mitre.org/data/definitions/190.html | |
| CWE-128 | cwe | http://cwe.mitre.org/data/definitions/128.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-122 | cwe | http://cwe.mitre.org/data/definitions/122.html | |
| CWE-196 | cwe | http://cwe.mitre.org/data/definitions/196.html | |
| CWE-680 | cwe | http://cwe.mitre.org/data/definitions/680.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| 03 | WASC | http://projects.webappsec.org/Integer-Overflows | Integer Overflows |
| REF-131 | reference_from_CAPEC | J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley | |
| REF-547 | reference_from_CAPEC | http://samate.nist.gov/SRD/view_testcase.php?tID=1511 | Robert C. Seacord, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006-05-22, National Institute of Standards and Technology (NIST) |
| REF-548 | reference_from_CAPEC | Robert C. Seacord, Secure Coding in C and C++ | |
Explore
- The first step is exploratory, meaning the attacker looks for an integer variable that they can control.

Experiment
- The attacker finds an integer variable that they can write into or manipulate and tries to get the value of the integer out of the possible range.

Exploit
- The integer variable is forced to have a value out of range, which sets its final value to an unexpected value.
- The target host acts on the data and unexpected behavior may happen.
- The attacker can manipulate the value of an integer variable utilized by the target host.
- The target host does not do proper range checking on the variable before utilizing it.
- When the integer variable is incremented or decremented to an out-of-range value, it gets a very different value (e.g. a very small or negative number).
| Low | High |
|---|---|
| An attacker can simply overflow an integer by inserting an out of range value. | Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level. |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Gain Privileges | Gain Privileges | Gain Privileges |
| Execute Unauthorized Commands (Run Arbitrary Code) | Unreliable Execution | | | Execute Unauthorized Commands (Run Arbitrary Code) |
| | | | | Read Data |
- Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544
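- The following code illustrates an integer overflow. The declaration of the `total` integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].

  ```c
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  int main(int argc, char *const *argv)
  {
      if (argc != 3) {
          printf("Usage: prog_name <string1> <string2>\n");
          exit(-1);
      }
      /* The size_t sum is narrowed to unsigned short, so it wraps
         once the combined length exceeds the range of that type. */
      unsigned short int total;
      total = strlen(argv[1]) + strlen(argv[2]) + 1;
      /* The buffer is sized from the wrapped value... */
      char *buff = (char *)malloc(total);
      /* ...but the copies use the real string lengths. */
      strcpy(buff, argv[1]);
      strcat(buff, argv[2]);
  }
  ```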
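
A range-checked counterpart to the example above, added here as an illustration and not part of the CAPEC entry or its references. The names `narrowed_total`, `joined_size`, `join_strings` and the `MAX_JOINED` limit are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on the joined string, in bytes including the NUL
   (an assumption for this example; choose the limit the application needs). */
#define MAX_JOINED ((size_t)1 << 20)

/* The value the page's example stores in `total`: the sum is computed as
   size_t and then narrowed to unsigned short, discarding the high bits. */
unsigned short narrowed_total(size_t len_a, size_t len_b)
{
    return (unsigned short)(len_a + len_b + 1);
}

/* Range-checked size for a + b + NUL. Comparing by subtraction keeps every
   intermediate value in range, so the check itself cannot wrap.
   Returns 0 and sets *total, or -1 if the result would exceed MAX_JOINED. */
int joined_size(size_t len_a, size_t len_b, size_t *total)
{
    if (len_a >= MAX_JOINED || len_b >= MAX_JOINED - len_a)
        return -1;
    *total = len_a + len_b + 1;
    return 0;
}

/* Returns a malloc'd concatenation of a and b, or NULL if the size is
   rejected or allocation fails. Copies are bounded by the checked lengths. */
char *join_strings(const char *a, const char *b)
{
    size_t len_a = strlen(a), len_b = strlen(b), total;
    if (joined_size(len_a, len_b, &total) != 0)
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, a, len_a);
    memcpy(buf + len_a, b, len_b + 1);   /* +1 copies b's terminating NUL */
    return buf;
}

int main(int argc, char **argv)
{
    char *s = (argc == 3) ? join_strings(argv[1], argv[2]) : NULL;
    if (s == NULL)
        return 1;
    puts(s);
    free(s);
    return 0;
}
```

When the combined length plus one is exactly one past the largest `unsigned short` value, `narrowed_total` returns 0 while `joined_size` reports the true size, which is the mismatch between allocation size and copy length that the page's example exposes.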