CWE-125: Out-of-bounds Read
Learn about CWE-125 (Out-of-bounds Read), its security impact, exploitation methods, and prevention guidelines.
What is Out-of-bounds Read?
• Overview: Out-of-bounds Read occurs when a program reads data from outside the boundaries of a buffer, either before the start or after the end of the buffer, typically due to incorrect calculations or logic errors in the code.
• Exploitation Methods:
- Attackers can exploit this vulnerability to access sensitive data stored in adjacent memory locations.
- Common attack patterns include crafting input data to manipulate buffer boundaries and using specially crafted payloads to extract information.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized data access and information disclosure.
- Potential cascading effects involve destabilizing system behavior, leading to crashes or creating opportunities for further exploitation, such as code execution.
- Business impact may involve data breaches, reputational damage, legal liabilities, and financial losses.
• Prevention Guidelines:
- Specific code-level fixes include validating buffer sizes and indices, and implementing bounds checking to ensure memory access stays within valid buffer limits.
- Security best practices involve adopting a defensive programming mindset, using safe library functions that prevent buffer overflows, and implementing rigorous input validation.
- Recommended tools and frameworks include static analysis tools to detect potential out-of-bounds reads, using memory-safe languages when possible, and employing compiler options that enable runtime checks.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: C, C++
Affected Technologies: ICS/OT
Vulnerable Code Example
C Example: CWE-125 (Out-of-bounds Read)
#include <stdio.h>
#include <string.h>
void print_message(char *message) {
char buffer[10];
// Vulnerable code: potential buffer overflow if message length exceeds 9 characters
strcpy(buffer, message); // Unsafe: no bounds checking
printf("Message: %s\n", buffer);
}
int main() {
char message[] = "This message is too long for the buffer!";
print_message(message);
return 0;
}
Explanation:
- Vulnerability: The function
strcpy(buffer, message);does not check the length ofmessagebefore copying it intobuffer. Ifmessageexceeds the size ofbuffer, it will cause an out-of-bounds read and write, potentially leading to undefined behavior or a security vulnerability such as a buffer overflow.
How to fix Out-of-bounds Read?
To fix this vulnerability, we should ensure that we do not copy more data into the buffer than it can hold. This can be accomplished by using the strncpy function, which allows us to specify the maximum number of characters to copy, ensuring it does not exceed the buffer size. Additionally, we should ensure the buffer is null-terminated to prevent any unexpected behavior.
Specific Fixes:
- Use
strncpyto limit the number of characters copied to match the buffer size minus one for the null terminator. - Explicitly add a null terminator to the buffer after copying to ensure it is properly terminated.
Fixed Code Example
#include <stdio.h>
#include <string.h>
void print_message(char *message) {
char buffer[10];
// Fixed code: Use strncpy to prevent out-of-bounds read and write
strncpy(buffer, message, sizeof(buffer) - 1); // Copy up to buffer size minus one
buffer[sizeof(buffer) - 1] = '\0'; // Ensure null termination
printf("Message: %s\n", buffer);
}
int main() {
char message[] = "This message is too long for the buffer!";
print_message(message);
return 0;
}
Explanation:
- Fix: The line
strncpy(buffer, message, sizeof(buffer) - 1);ensures that we only copy at mostsizeof(buffer) - 1characters. This leaves space for the null terminator, which we explicitly set withbuffer[sizeof(buffer) - 1] = '\0';. This prevents any out-of-bounds reads and writes, ensuring the buffer is always properly terminated and safe from overflow vulnerabilities.