Community Edition
Total Tests:
This Week:
Today:
Cyber Law Blog
27 DDoS-for-Hire Platforms Neutralized in a Worldwide Police Crackdown
December 12, 2024
UK Busts Money Laundering Network Linked to Russian Cybercrime
December 5, 2024
A Hacker Charged For Breaching Organizations To Advertise His Cybersecurity Services
November 28, 2024
Phobos Ransomware Admin Extradited From South Korea
November 21, 2024
Dark Web Crypto Mixer Founder Sentenced to Over 12 Years for Money Laundering
November 14, 2024
OWASP Top 10
OWASP Top 10: Broken Access Control Practical Overview
March 9, 2021
OWASP Top 10: Cryptographic Failures Practical Overview
February 8, 2021
OWASP Top 10: Injection Practical Overview
January 11, 2021
OWASP Top 10: Insecure Design Practical Overview
October 18, 2021
OWASP Top 10: Security Misconfiguration Practical Overview
March 22, 2021
OWASP Top 10: Vulnerable and Outdated Components Practical Overview
May 10, 2021
OWASP Top 10: Identification and Authentication Failures Practical Overview
January 25, 2021
OWASP Top 10: Software and Data Integrity Failures Practical Overview
October 18, 2021
OWASP Top 10: Security Logging and Monitoring Failures Practical Overview
May 24, 2021
OWASP Top 10: Server-Side Request Forgery Practical Overview
October 18, 2021

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:


Your data will stay confidential Private and Confidential

Improper Handling of Length Parameter Inconsistency [CWE-130]

Improper Handling of Length Parameter Inconsistency is a security weakness that describes improper handling of a length field for associated data.

Improper Handling of Length Parameter Inconsistency [CWE-130]

Created: October 23, 2012
Latest Update: December 29, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

Want to have an in-depth understanding of all modern aspects of
Improper Handling of Length Parameter Inconsistency [CWE-130]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

This weakness describes a situation when the length of attacker-controlled input is inconsistent with the length of associated data. An attacker might be able to pass a large input to application, which can result in buffer errors.

The following example demonstrates this weakness:

  1. // Improper Handling of Length Parameter Inconsistency [CWE-130] vulnerable code example
  2. // (c) HTB Research
  3. #include "StdAfx.h"
  4. #include <stdlib.h>
  5. #include <stdio.h>
  6. #include <string>
  7.  
  8. int main(int argc, char **argv[]) {
  9.   char secretString[6] = {'A','A','A','A','A'};
  10.   char buf1[5];
  11.   int iLen = 0;
  12.   int iLen2 = 0;
  13.   int i = 0;
  14.   iLen = argc;
  15.   for (i = 0; i< iLen;i++) {
  16.     buf1[i] = secretString[i];
  17.   }
  18.   iLen2 = strlen(secretString);
  19.   printf("The buffer is: %s\n",buf1);
  20.   printf("The secretString length buffer is : %d\n",iLen2);
  21.   printf("This is the secret: %s\n",secretString);
  22.   exit(0);
  23.   return 0;
  24. }

In the above example, the iLen variable is used to exit the loop and is equal to number of parameters passed to the application. Its length is not checked against the length if the secretString string. If the iLen variable is greater than the length of the secretString string, the buffer overread occurs as demonstrated by output of the secretString.

Let us have a look at another example. The following code snippet demonstrates an unexpected behavior of the application.

  1. // Improper Handling of Length Parameter Inconsistency [CWE-130] vulnerable code example
  2. // (c) HTB Research
  3. #include "StdAfx.h"
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6.  
  7. int HandleData(char *data, int length) {
  8.   int isOK,index;
  9.   printf("Length is %d\n\n", length);
  10.   for (index = 0; index <= length; index++) {
  11.     printf("%c",data[index]);
  12.   }
  13.   return isOK;
  14. }
  15.  
  16. int main(int argc, char *argv[])
  17. {
  18.   char *data = "This is fake data from a TCP paquet";
  19.   int data_length = atoi(argv[1]);
  20.   HandleData(data,data_length);
  21. }

The HandleData() function receives two arguments. The first one is the data contained in the transmitted packet, and the second is the length of the data stream.

It is expected that the "length" variable is used to read data contained in the buffer. The following image demonstrates a normal behavior of the application:

CWE-130 PoC exploitation example
Figure - The first 20 bytes are read from the buffer

The application reads the buffer and obtains the first 20 bytes from it. In the next test we will try to read 2000 bytes from this buffer:

CWE-130 PoC exploitation example
Figure - The application read data outside the bounds

The length of the passed value is larger than the size of the buffer and application is able to read data outside of the bounds. A very large value can lead to application crash:

CWE-130 PoC exploitation example
Figure - The application crashes instantly when the passed value is equal to 20000 bytes

CWE-130 PoC exploitation example
Figure - The application crashes when the passed value is equal to 20000 bytes


This weakness is a child of CWE-119: Buffer errors.

2. Potential impact

An attacker, who controls input length, might be able to read or write data to arbitrary memory locations and gain access to potentially sensitive information, cause application crash or execute arbitrary code on the target system.

How to Detect Improper Handling of Length Parameter Inconsistency Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Attack patterns

This weakness has one CAPEC pattern:


Buffer overflow vulnerability is described as a common attack type under WASC-7 in WASC Threat Classification.

4. Affected software

Software written in languages such as C and C++ that does not perform memory management is potentially vulnerable to this weakness.

5. Severity and CVSS Scoring

This weakness could lead to memory disclosure, crash or execution of arbitrary code. In case of information disclosure it should be scored as C:L/I:N/A:N.

Information disclosure

This example demonstrates a case remote information disclosure:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] – Medium severity.

Denial of service

If an attacker is able to crash the affected application, it should be scored as C:N/I:N/A:H:
7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H] – High severity.

Remote code execution

If application allows remote code execution, this weakness should be scored as:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] – Critical severity.

6. Mitigations

The main approach in defending application from this type of weakness is to perform checks on size fields. It is important to resolve any inconsistencies between the size of the field and the actual input data. When possible, avoid using attacker-controlled data to set the size of the buffer.

7. References

  1. CWE-130: Improper Handling of Length Parameter Inconsistency [cwe.mitre.org]

8. Improper Handling of Length Parameter Inconsistency Vulnerabilities, Exploits and Examples


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top

This website uses cookies to provide you with a better surfing experience. To learn more, please visit our Privacy Policy. By continuing to use this website you consent to our use of cookies.

Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential