Missing Parameter
From Guidance Share
Revision as of 02:25, 30 October 2006; Admin (Talk | contribs)
(diff) ←Older revision | Current revision | Newer revision→ (diff)
(diff) ←Older revision | Current revision | Newer revision→ (diff)
Contents |
[edit]
Description
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
[edit]
Applies To
- Languages: C or C++
- Operating platforms: Any
[edit]
Example
The following code shows how a missing parameter can result in a security vulnerability:
foo_funct(one, two);
...
void foo_funct(int one, int two, int three) {
printf(“1) %d\n2) %d\n3) %d\n”, one, two, three);
}
This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it. Another example is:
void some_function(int foo, ...) {
int a[3], i;
va_list ap;
va_start(ap, foo);
for (i = 0; i < sizeof(a) / sizeof(int); i++)
a[i] = va_arg(ap, int);
va_end(ap);
}
int main(int argc, char *argv[]) {
some_function(17, 42);
}
This code iterates through a list of three arguments, regardless of how many have been passed to the function.
[edit]
Impact
- Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program if a function parameter list is exhausted.
- Availability: Potentially a program could fail if it needs more arguments then are available.
- Confidentiality: Contents of memory could be disclosed to an attacker.
[edit]
Vulnerabilities
[edit]
Countermeasures
- Implementation: Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.
[edit]
Vulnerability Patterns
[edit]
