|
|
Line 1: |
Line 1: |
− | {{Template:Vulnerability}}
| + | #REDIRECT [[Doubly_freeing_memory]] |
− | {{Template:Fortify}}
| |
− | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| |
− | | |
− | [[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]] | |
− | | |
− | ==Description==
| |
− | | |
− | Double free errors occur when free() is called more than once with the same memory address as an argument.
| |
− | | |
− | Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces. This corruption can cause the program to crash or, in some circumstances, alter the execution flow. By overwriting particular registers or memory spaces, an attacker can trick the program into executing code of his/her own choosing, often resulting in an interactive shell with elevated permissions.
| |
− | | |
− | When a buffer is free()'d, a linked list of free buffers is read to rearrange and combine the chunks of free memory (to be able to allocate larger buffers in the future). These chunks are laid out in a double linked list which points to previous and next chunks. Unlinking an unused buffer (which is what happens when free() is called) could allow an attacker to write arbitrary values in memory; essentially overwriting valuable registers, calling shellcode from it's own buffer.
| |
− | | |
− | ==Risk Factors==
| |
− | | |
− | * Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
| |
− | * Discuss the technical impact of a successful exploit of this vulnerability
| |
− | * Consider the likely [business impacts] of a successful attack
| |
− | | |
− | | |
− | ==Examples==
| |
− | | |
− | The following code shows a simple example of a double free vulnerability.
| |
− | | |
− | <pre>
| |
− | char* ptr = (char*)malloc (SIZE);
| |
− | ...
| |
− | if (abrt) {
| |
− | free(ptr);
| |
− | }
| |
− | ...
| |
− | free(ptr);
| |
− | </pre>
| |
− | | |
− | Double free vulnerabilities have three common (and sometimes overlapping) causes:
| |
− | | |
− | * Error conditions and other exceptional circumstances
| |
− | * Usage of the memory space after it's freed.
| |
− | * Confusion over which part of the program is responsible for freeing the memory
| |
− | | |
− | Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
| |
− | | |
− | | |
− | | |
− | ==Related [[Attacks]]==
| |
− | | |
− | * [[Heap_overflow]]
| |
− | * [[Buffer_overflow_attack]]
| |
− | | |
− | | |
− | ==Related [[Vulnerabilities]]==
| |
− | | |
− | * [[Vulnerability 1]]
| |
− | * [[Vulnerabiltiy 2]]
| |
− | | |
− | | |
− | ==Related [[Controls]]==
| |
− | | |
− | * [[Control 1]]
| |
− | * [[Control 2]]
| |
− | | |
− | | |
− | ==Related [[Technical Impacts]]==
| |
− | | |
− | * [[Technical Impact 1]]
| |
− | * [[Technical Impact 2]]
| |
− | | |
− | | |
− | ==References==
| |
− | TBD
| |
− | | |
− | [[Category:FIXME|add links
| |
− | | |
− | In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
| |
− | | |
− | Availability Vulnerability
| |
− | | |
− | Authorization Vulnerability
| |
− | | |
− | Authentication Vulnerability
| |
− | | |
− | Concurrency Vulnerability
| |
− | | |
− | Configuration Vulnerability
| |
− | | |
− | Cryptographic Vulnerability
| |
− | | |
− | Encoding Vulnerability
| |
− | | |
− | Error Handling Vulnerability
| |
− | | |
− | Input Validation Vulnerability
| |
− | | |
− | Logging and Auditing Vulnerability
| |
− | | |
− | Session Management Vulnerability]]
| |
− | | |
− | __NOTOC__
| |
− | | |
− | | |
− | [[Category:OWASP ASDR Project]]
| |
− | [[Category:Code Quality Vulnerability]]
| |
− | [[Category:Implementation]]
| |
− | [[Category:Code Snippet]]
| |
− | [[Category:Vulnerability]]
| |