Scribd
Upload
85 views3 pages

Cwe - Cwe-121

This document describes CWE-121: Stack-based Buffer Overflow, a common software weakness where a buffer allocated on the stack is overwritten. The weakness can allow attackers to execute arbitrary code or crash programs. Examples in C code demonstrate how buffers can be overflowed. Potential mitigations include bounds checking, ASLR, and stack canaries.

Uploaded by

vinaybhadeshiya6
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
85 views3 pages

Cwe - Cwe-121

This document describes CWE-121: Stack-based Buffer Overflow, a common software weakness where a buffer allocated on the stack is overwritten. The weakness can allow attackers to execute arbitrary code or crash programs. Examples in C code demonstrate how buffers can be overflowed. Potential mitigations include bounds checking, ASLR, and stack canaries.

Uploaded by

vinaybhadeshiya6
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that


can become vulnerabilities

Home About ▼ CWE List ▼ Mapping ▼ Top-N Lists ▼ Community ▼ News ▼ Search

CWE-121: Stack-based Buffer Overflow


Weakness ID: 121
Vulnerability Mapping: ALLOWED
Abstraction: Variant

Mapping
View customized information: Conceptual Operational Complete Custom
Friendly

Description
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a
local variable or, rarely, a parameter to a function).
Alternate Terms

Stack Overflow: "Stack Overflow" is often used to mean the same thing as stack-based buffer overflow, however it
is also used on occasion to mean stack exhaustion, usually a result from an excessively
recursive function call. Due to the ambiguity of the term, use of stack overflow to describe either
circumstance is discouraged.
Relationships
Relevant to the view "Research Concepts" (CWE-1000)
Nature Type ID Name
ChildOf 787 Out-of-bounds Write
ChildOf 788 Access of Memory Location After End of Buffer

Modes Of Introduction

Phase Note
Implementation

Applicable Platforms
Languages
C (Undetermined Prevalence)
C++ (Undetermined Prevalence)
Demonstrative Examples
Example 1
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based
buffer overflows:

Example Language: C (bad code)

#define BUFSIZE 256


int main(int argc, char **argv) {
char buf[BUFSIZE];
strcpy(buf, argv[1]);
}

The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.
Example 2
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into
a buffer.

Example Language: C (bad code)

void host_lookup(char *user_supplied_addr){


struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);

/*routine that ensures user_supplied_addr is in the right format for conversion */

validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);
}
This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be
larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may
overwrite sensitive data or even relinquish control flow to the attacker.
Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-
476).
Observed Examples

Reference Description
CVE-2021-35395 Stack-based buffer overflows in SFK for wifi chipset used for IoT/embedded devices, as
exploited in the wild per CISA KEV.

Potential Mitigations

Phases: Operation; Build and Compilation


Strategy: Environment Hardening

Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler
extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag,
StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index
checking.
D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Effectiveness: Defense in Depth
Note:

This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In
addition, the result is still a denial of service, since the typical response is to exit the application.

Phase: Architecture and Design


Use an abstraction library to abstract away risky APIs. Not a complete solution.

Phase: Implementation
Implement and perform bounds checking on input.

Phase: Implementation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.

Phases: Operation; Build and Compilation


Strategy: Environment Hardening

Run or compile the software using features or extensions that randomly arrange the positions of a program's
executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker
from reliably jumping to exploitable code.
Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent
Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses
conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-
1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it
would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND
[REF-1335].
Effectiveness: Defense in Depth

Note: These techniques do not provide a complete solution. For instance, exploits frequently use a bug that
discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown
that a side-channel attack can bypass ASLR [REF-1333]
Memberships

Nature Type ID Name


MemberOf 970 SFP Secondary Cluster: Faulty Buffer Access
MemberOf 1160 SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
MemberOf 1161 SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)
MemberOf 1365 ICS Communications: Unreliability
MemberOf 1366 ICS Communications: Frail Security in Protocols
MemberOf 1399 Comprehensive Categorization: Memory Safety

Vulnerability Mapping Notes

Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)

Reason: Acceptable-Use

Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root
causes of vulnerabilities.
Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a
mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Content History
Submissions
Submission Date Submitter Organization
2006-07-19 CLASP
(CWE Draft 3, 2006-07-19)
Modifications

You might also like