CWE-125 ("Out-of-bounds Read") extended description


CWE-125 ("Out-of-bounds Read") extended description

Will Klieber

I noticed that the Extended Description for CWE-125 ("Out-of-bounds Read") is the same as for CWE-787 ("Out-of-bounds Write") and contains the following sentence: "This may result in corruption of sensitive information, a crash, or code execution among other things". However, it seems to me that data corruption and code execution can be directly caused only by writes, not reads. So, I suggest rewording this sentence in CWE-125 as follows: "This may result in disclosure of sensitive information or a crash, among other things".


Thanks,

Will

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Re: CWE-125 ("Out-of-bounds Read") extended description

Andrew Buttner
Administrator
Thank you for pointing this out. I agree that we need to improve these extended descriptions. I will add this to our list for the next release.

Thanks
Drew


> -----Original Message-----
> From: [hidden email] [mailto:owner-cwe-research-
> [hidden email]] On Behalf Of Will Klieber
> Sent: Friday, November 17, 2017 7:20 PM
> To: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: CWE-125 ("Out-of-bounds Read") extended description
>


Re: CWE-125 ("Out-of-bounds Read") extended description

Christey, Steven M.
I would say that out-of-bounds reads *can* lead to memory corruption, and have done so, but CWE-125 doesn't do a good job of demonstrating this.  (That said, at the very least our primary phrasing shouldn't be about "corrupting" sensitive information.)

As an example, suppose the program expects to read a null-terminated string; that is, it will read memory until it sees a null, and store the result in a string of up to, say, STRING_SIZE. Suppose it correctly allocates strings that are at most STRING_SIZE.

If the attacker can cause some kind of out-of-bounds read to occur during the string-reading step, then the program will start reading from memory locations where a null might not exist within the STRING_SIZE boundary. The program would not stop until it reaches some kind of null. This long read, then, would wind up creating a buffer overflow. If an attacker can control the *contents* of the data being read (as is often done in chained exploits these days), then the overflow could possibly be used for memory corruption, too.

One could characterize this situation from the perspective of the write, but the *root cause* in my example is the incorrect read.

- Steve


> -----Original Message-----
> From: [hidden email] [mailto:owner-cwe-research-
> [hidden email]] On Behalf Of Buttner, Drew
> Sent: Monday, November 20, 2017 10:03 AM
> To: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: RE: CWE-125 ("Out-of-bounds Read") extended description
>

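Steve's scenario above, written out as an added example that is not part of the thread and not code from CWE or any of the posters. It models the "read until null" step against a constructed memory image: a STRING_SIZE-byte field with no terminator of its own, followed by unrelated adjacent bytes. The unbounded scan (the CWE-125 read) reports a length far larger than the field, and a copy that trusted it would be the CWE-787 write; the bounded scan stays inside the field. The MEMORY contents, the function names and the STRING_SIZE value are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRING_SIZE 16

/* Constructed memory image (not from the thread): a STRING_SIZE-byte field
 * that carries no terminator of its own, immediately followed by unrelated
 * adjacent data. The only NUL is the one the string literal appends at the
 * very end, 53 bytes in. */
static const unsigned char MEMORY[] =
    "ABCDEFGHIJKLMNOP"                        /* 16 bytes, no NUL inside */
    "adjacent-data-that-should-not-be-read";  /* 37 bytes + literal's NUL */

/* The read Steve describes: scan for a NUL with no regard for the field's
 * bounds (CWE-125). Returns the number of bytes a subsequent copy would
 * move, which here is far larger than STRING_SIZE. */
size_t unsafe_read_len(const unsigned char *field)
{
    return strlen((const char *)field);
}

/* Bounded variant: stop at the first NUL or at field_size, whichever comes
 * first, so the scan never leaves the field. (Same behaviour as strnlen,
 * written out to stay within ISO C.) */
size_t safe_read_len(const unsigned char *field, size_t field_size)
{
    size_t n = 0;
    while (n < field_size && field[n] != '\0')
        n++;
    return n;
}

/* Copy len bytes plus a terminator into dest. Returns 0 on success and -1
 * when the copy would not fit; the overflowing write (CWE-787) is refused
 * rather than performed, so the caller can report the condition. */
int copy_string(char *dest, size_t dest_size, const unsigned char *src, size_t len)
{
    if (dest_size == 0 || len > dest_size - 1)
        return -1;
    memcpy(dest, src, len);
    dest[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[STRING_SIZE + 1];
    size_t bad = unsafe_read_len(MEMORY);
    size_t good = safe_read_len(MEMORY, STRING_SIZE);

    printf("unbounded scan found %zu bytes, bounded scan %zu bytes\n", bad, good);
    printf("copy of unbounded result: %s\n",
           copy_string(buf, sizeof buf, MEMORY, bad) == 0 ? "ok" : "refused (would overflow)");
    printf("copy of bounded result:   %s -> \"%s\"\n",
           copy_string(buf, sizeof buf, MEMORY, good) == 0 ? "ok" : "refused", buf);
    return 0;
}
```

The point of the bounded scan is that the length fed to the copy is derived from the field's declared size, not from wherever a NUL happens to sit in memory; that is what keeps the root-cause read from turning into a write. The copy routine refuses an oversized length instead of performing it so the example stays deterministic, whereas the real program Steve describes would simply overflow.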