CAPEC-52 - Embedding NULL Bytes

An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).






  • Attack Methods 3
  • Injection
  • Modification of Resources
  • API Abuse
  • Purposes 2
  • Penetration
  • Exploitation
  • Sec Principles 1
  • Reluctance to Trust
  • Scopes 4
  • Modify application data
  • Integrity
  • Read memory
  • Confidentiality
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality

Medium level: Directory traversal

High level: Execution of arbitrary code

The program does not properly handle postfix NULL terminators

Step 1 -

Identify a place in the program where user input may be used to escalate privileges by for instance accessing unauthorized file system resources through directory browsing..

Step 2 -

An attacker realizes that there is a postfix data that gets in the way of getting to the desired resources.

Step 1 -

An attacker then ads a postfix NULL terminator to the supplied input in order to "swallow" the postfixed data when the insertion is taking place. With the postfix data that got in the way of the attack gone, the doors are opened for accessing the desired resources..

Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.