CWE-123: Write-what-where Condition

What is Write-what-where Condition?

• Overview: Write-what-where Condition (CWE-123) is a vulnerability where attackers can write arbitrary data to any location in memory, often due to a buffer overflow, allowing manipulation of program behavior.

• Exploitation Methods:

• Attackers exploit this vulnerability by overflowing a buffer to overwrite pointers or control data structures.
• Common attack patterns include manipulating function pointers, return addresses, or modifying critical program data to execute arbitrary code.

• Security Impact:

• Direct consequences include unauthorized code execution or control over the software.
• Potential cascading effects involve compromising additional systems, data corruption, or denial of service.
• Business impact can range from data breaches, financial loss, to damage to reputation.

• Prevention Guidelines:

• Specific code-level fixes include bounds checking, using safe string operations, and avoiding dangerous functions like strcpy() and sprintf().
• Security best practices entail implementing input validation, using canaries, and adopting least privilege principles.
• Recommended tools and frameworks include static analysis tools, AddressSanitizer, and utilizing secure coding libraries such as Safe C/C++.

Corgea can automatically detect and fix Write-what-where Condition in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: C, C++

Affected Technologies: Not specified

Vulnerable Code Example

#include <stdio.h>
#include <string.h>

// A structure representing a node in a linked list
struct Node {
    int data;
    struct Node* next;
};

// Function that updates the data field of a node
void update_node_data(struct Node* node, int new_data) {
    // A buffer to store incoming data
    char buffer[8];
    
    // Vulnerable: Directly copying user input into a buffer without bounds checking
    strcpy(buffer, (char*)&new_data);
    
    // Updating node data from buffer
    node->data = *(int*)buffer;
}

int main() {
    struct Node node;
    node.data = 0;
    node.next = NULL;
    
    int user_data = 12345678; // Simulated user input
    update_node_data(&node, user_data);
    
    printf("Node data: %d\n", node.data);
    return 0;
}

Explanation:

• Vulnerable Line {12}: The use of strcpy to copy an integer cast to a string into a fixed-size buffer is unsafe. strcpy does not perform bounds checking, leading to a potential buffer overflow if the integer is larger than the buffer can hold.
• Vulnerable Line {15}: This line assumes the buffer will always contain valid integer data, which might not be true if the buffer overflows, leading to undefined behavior or arbitrary writes.

How to fix Write-what-where Condition?

To fix this vulnerability, ensure that buffer operations are safe and do not overflow. This can be achieved by:

1. Using safer functions like snprintf to ensure no buffer overflow occurs.
2. Validating input sizes before performing buffer operations.
3. Avoiding arbitrary type casting that may lead to unsafe memory access.

Fixed Code Example

#include <stdio.h>
#include <string.h>

// A structure representing a node in a linked list
struct Node {
    int data;
    struct Node* next;
};

// Function that safely updates the data field of a node
void update_node_data(struct Node* node, int new_data) {
    // A buffer to store incoming data
    char buffer[12]; // Ensure the buffer is large enough to hold the integer as a string
    
    // Fixed: Use snprintf to safely copy data and prevent buffer overflow
    snprintf(buffer, sizeof(buffer), "%d", new_data);
    
    // Safely converting string back to an integer
    sscanf(buffer, "%d", &node->data);
}

int main() {
    struct Node node;
    node.data = 0;
    node.next = NULL;
    
    int user_data = 12345678; // Simulated user input
    update_node_data(&node, user_data);
    
    printf("Node data: %d\n", node.data);
    return 0;
}

Explanation:

• Fixed Line {12}: snprintf is used to safely format the integer into the buffer, preventing buffer overflow by respecting the buffer size. The buffer size is increased to accommodate the string representation of a large integer.
• Fixed Line {15}: sscanf is used to safely parse the integer back from the string, ensuring proper data conversion without unsafe memory access.

By following these practices, we mitigate the risk of Write-what-where conditions and ensure our program is more robust against attacks that exploit buffer overflow vulnerabilities.