CWE•Base•Draft•5 recent CVEs
CWE-123: Write-what-where Condition
Description
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Common consequences
- Integrity, Confidentiality, Availability, Access Control → Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, Bypa
  Clearly, write-what-where conditions can be used to write data to areas of memory outside the scope of a policy. Also, they almost invariably can be used to execute arbitrary code, which is usually outside the scope of a program's implicit
- Integrity, Availability → DoS: Crash, Exit, or Restart, Modify Memory
  Many memory accesses can lead to program termination, such as when writing to addresses that are invalid for the current process.
- Access Control, Other → Bypass Protection Mechanism, Other
  When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Potential mitigations
- Architecture and Design: Use a language that provides appropriate memory abstractions.
- Operation: Use OS-level preventative functionality integrated after the fact. Not a complete solution.
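The condition in the description, shown as an added C example that is not part of the CWE entry: a buffer overflow reaches a pointer stored next to the buffer, so input chooses both the address and the value of a later store. The struct, function names and inputs are hypothetical and constructed for illustration, and the bounds-checked variant is one way to close this particular path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed buffer directly followed by a pointer that a
 * later store goes through. All names here are hypothetical. */
struct record {
    char  name[16];
    long *counter;   /* "where": destination of the later write */
};

/* Vulnerable form (shown for contrast, never called here): len is not
 * checked against sizeof r->name. Bytes past the 16th spill into
 * r->counter, so input picks the address and `value` supplies the data. */
void record_update_unsafe(struct record *r, const char *src, size_t len,
                          long value)
{
    memcpy(r->name, src, len);   /* buffer overflow when len > 16 */
    *r->counter = value;         /* arbitrary value, arbitrary location */
}

/* Hardened form: reject oversized input before copying, so r->counter
 * keeps the address the program assigned. Returns 0 on success and -1 on
 * rejection; nothing is written when the input is rejected. */
int record_update_safe(struct record *r, const char *src, size_t len,
                       long value)
{
    if (r == NULL || src == NULL || r->counter == NULL)
        return -1;
    if (len >= sizeof r->name)   /* leave room for the terminator */
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    *r->counter = value;
    return 0;
}

int main(void)
{
    long hits = 0;
    struct record r = { "", &hits };
    /* Constructed inputs: one that fits, one that is 24 bytes long. */
    int ok  = record_update_safe(&r, "alice", 5, 1);
    int bad = record_update_safe(&r, "AAAAAAAAAAAAAAAAAAAAAAAA", 24, 2);
    printf("ok=%d bad=%d hits=%ld\n", ok, bad, hits);
    return 0;
}
```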