CAPEC-92 - Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

  • Attack Methods (4)
      • Modification of Resources
      • Injection
      • API Abuse
      • Analysis
  • Purposes (1)
      • Exploitation
  • Security Principles (1)
      • Reluctance to Trust
  • Scopes (5)
      • Modify application data (Integrity)
      • Gain privileges / assume identity (Authorization, Access Control, Confidentiality)
      • Execute unauthorized code or commands (Availability, Integrity, Confidentiality)
      • Read application data (Confidentiality)
      • DoS: crash / exit / restart (Availability)

Low level: An attacker can simply overflow an integer by inserting an out-of-range value.

High level: Exploiting a buffer overflow by injecting malicious code into the stack, or even the heap, of a software system can require a higher skill level.

The attacker can manipulate the value of an integer variable utilized by the target host.

The target host does not do proper range checking on the variable before utilizing it.

When the integer variable is incremented or decremented to an out-of-range value, it takes on a very different value (e.g. a very small or negative number).

A vulnerability testing tool (e.g. a fuzzer) can be used to probe for integer overflows.

Step 1 -

The first step is exploratory: the attacker looks for an integer variable that they can control.

Step 1 -

The attacker finds an integer variable that they can write into or manipulate and tries to get the value of the integer out of the possible range.

Step 1 -

The integer variable is forced to have a value out of range, which sets its final value to an unexpected value.

Step 2 -

The target host acts on the data and unexpected behavior may happen.


Use a language or compiler that performs automatic bounds checking.

Carefully review the service's implementation before making it available to users. For instance, manual or automated code review can uncover vulnerabilities such as integer overflows.

Use an abstraction library to abstract away risky APIs. This is not a complete solution on its own.

Always do bounds checking before consuming user input data.
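The allocation-size pattern the description refers to, shown unchecked beside the bounds check the mitigations call for, as an added C example that is not part of the CAPEC entry; the fixed record size, the function names and the hostile count are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed fixed record size for this example. */
#define RECORD_SIZE ((size_t)64)

/* Unchecked: the attacker-controlled count is multiplied straight into an
 * allocation size. Because size_t is unsigned, the product wraps modulo
 * SIZE_MAX + 1, so a huge count can yield a tiny buffer (CAPEC-92). */
size_t unchecked_alloc_size(size_t count) {
    return count * RECORD_SIZE;
}

/* Checked: range-check the count before the arithmetic is consumed.
 * Returns 0 when count is 0 or the multiplication would wrap, so the
 * caller never sees a wrapped size. */
size_t checked_alloc_size(size_t count) {
    if (count == 0 || count > SIZE_MAX / RECORD_SIZE) {
        return 0;
    }
    return count * RECORD_SIZE;
}

/* Allocate count records, or return NULL when the request is out of range. */
void *alloc_records(size_t count) {
    size_t bytes = checked_alloc_size(count);
    return bytes == 0 ? NULL : malloc(bytes);
}

int main(void) {
    /* Constructed hostile count: (SIZE_MAX / 64 + 2) * 64 wraps to 64. */
    size_t hostile = SIZE_MAX / RECORD_SIZE + 2;
    printf("hostile count:  %zu\n", hostile);
    printf("unchecked size: %zu bytes (wrapped)\n", unchecked_alloc_size(hostile));
    printf("checked size:   %zu (0 = rejected)\n", checked_alloc_size(hostile));
    void *buf = alloc_records(hostile);
    printf("alloc_records:  %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The same rejection applies on 32-bit targets, since the hostile count is derived from SIZE_MAX rather than hard-coded.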