CAPEC-46 - Overflow Variables and Tags

This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.






  • Attack Methods 1
  • Injection
  • Purposes 2
  • Penetration
  • Exploitation
  • Sec Principles 1
  • Reluctance to trust
  • Scopes 4
  • DoS: crash / exit / restart
  • Availability
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Read memory
  • Confidentiality
  • Modify memory
  • Integrity

Low level: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

High level: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

The target program consumes user-controllable data in the form of tags or variables.

The target program does not perform sufficient boundary checking.

An attacker can modify the variables and tag exposed by the target program.

An attacker can automate the probing by input injection with script or automated tools.

Step 1 -

The attacker modifies a tag or variable from a formatted configuration data. For instance she changes it to an oversized string..

Step 1 -

The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow..

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Do not trust input data from user. Validate all user input.