CWE-1389: Incorrect Parsing of Numbers with Different Radices
Learn about CWE-1389 (Incorrect Parsing of Numbers with Different Radices), its security impact, exploitation methods, and prevention guidelines.
What is Incorrect Parsing of Numbers with Different Radices?
• Overview: Incorrect Parsing of Numbers with Different Radices (CWE-1389) occurs when software assumes numeric inputs are in base 10 (decimal), but inputs may use other bases like octal or hexadecimal, leading to misinterpretation of values.
• Exploitation Methods:
- Attackers can input numbers with prefixes (e.g., "0" for octal, "0x" for hexadecimal) to manipulate how numbers are parsed.
- Common attack patterns include manipulating IP addresses or numeric identifiers to bypass security checks or access controls.
• Security Impact:
- Direct consequences of successful exploitation include unexpected numeric values being used in logic processing.
- Potential cascading effects could involve bypassing network security measures, such as IP-based access controls.
- Business impact includes unauthorized access to systems, leading to data breaches or service disruptions.
• Prevention Guidelines:
- Specific code-level fixes include explicitly specifying the radix when parsing numbers, e.g., using functions that require the base to be defined.
- Security best practices involve validating input to ensure it conforms to expected formats and ranges before processing.
- Recommended tools and frameworks include static analysis tools that can detect potential base misinterpretations and frameworks that enforce strict input validation.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not Technology-Specific
Vulnerable Code Example
def parse_number(user_input):
# This code assumes all input is base 10 (decimal) without validating the input base
try:
number = int(user_input) # This line assumes base 10 by default
print(f"Parsed number is {number}")
except ValueError:
print("Invalid number format")
# Example usage
parse_number("012") # This will be interpreted as decimal 12, but in some contexts, it might be octal 10
Explanation
In this example, the int() function is used to parse the input as a base 10 number by default. However, if a user inputs a number with a leading zero, it can be interpreted differently in various contexts (e.g., as an octal number). This can lead to unexpected behavior if the input is assumed to be in a different base, potentially causing logic errors or security vulnerabilities.
How to fix Incorrect Parsing of Numbers with Different Radices?
To fix this issue, we need to explicitly specify the base of the number we're parsing. This ensures that the input is always interpreted as intended, preventing the misunderstanding of number representations based on different radices. Using the int() function with a specified base allows us to safely parse numbers according to a consistent and predictable base, such as 10 for decimal.
Fixed Code Example
def parse_number(user_input):
# The base is explicitly specified to ensure correct parsing as a decimal
try:
number = int(user_input, 10) # Explicitly specifying base 10 for clarity and safety
print(f"Parsed number is {number}")
except ValueError:
print("Invalid number format")
# Example usage
parse_number("012") # This will now consistently be interpreted as decimal 12
Explanation
By explicitly specifying the base as 10 in the int() function, the code now reliably interprets user input as a decimal number, regardless of any leading zeros or other context-specific interpretations. This fix prevents potential errors or security issues arising from incorrect number parsing. It ensures that the input is consistently treated as a decimal, aligning with expected behavior and reducing the risk of unexpected results.