Missing Parameter

From Guidance Share

Jump to: navigation, search

Contents

Description

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.

Applies To

  • Languages: C or C++
  • Operating platforms: Any

Example

The following code shows how a missing parameter can result in a security vulnerability:

foo_funct(one, two);
...
void foo_funct(int one, int two, int three) {
 printf(ā€œ1) %d\n2) %d\n3) %d\nā€, one, two, three);
}

This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it. Another example is:

void some_function(int foo, ...) {
 int a[3], i;
 va_list ap;
 va_start(ap, foo);
 for (i = 0; i < sizeof(a) / sizeof(int); i++)
   a[i] = va_arg(ap, int);
 va_end(ap);
}
 
int main(int argc, char *argv[]) {
  some_function(17, 42);
}

This code iterates through a list of three arguments, regardless of how many have been passed to the function.

Impact

  • Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program if a function parameter list is exhausted.
  • Availability: Potentially a program could fail if it needs more arguments then are available.
  • Confidentiality: Contents of memory could be disclosed to an attacker.

Vulnerabilities

Countermeasures

  • Implementation: Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.

Vulnerability Patterns

How Tos

Personal tools