Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-52:Embedding NULL Bytes
Attack Pattern ID:52
Version:v3.9
Attack Pattern Name:Embedding NULL Bytes
Abstraction:Detailed
Status:Draft
Likelihood of Attack:High
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
▼Description
An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfS267Leverage Alternate Encoding
Nature: ChildOf
Type: Standard
ID: 267
Name: Leverage Alternate Encoding
▼Execution Flow
Explore
1.

Survey the application for user-controllable inputs

Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

Technique
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.
Experiment
1.

Probe entry points to locate vulnerabilities

The adversary uses the entry points gathered in the "Explore" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

Technique
Try different encodings for null such as \0 or %00
Exploit
1.

Remove data after null byte(s)

After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.

Technique
If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory.
▼Prerequisites
The program does not properly handle postfix NULL terminators
▼Skills Required
Medium

Directory traversal

High

Execution of arbitrary code

▼Resources Required
▼Indicators
▼Consequences
ScopeLikelihoodImpactNote
IntegrityN/AModify DataN/A
ConfidentialityN/ARead DataN/A
ConfidentialityAccess ControlAuthorizationN/AGain PrivilegesN/A
ConfidentialityIntegrityAvailabilityN/AExecute Unauthorized CommandsRun Arbitrary Code
Scope: Integrity
Likelihood: N/A
Impact: Modify Data
Note: N/A
Scope: Confidentiality
Likelihood: N/A
Impact: Read Data
Note: N/A
Scope: Confidentiality, Access Control, Authorization
Likelihood: N/A
Impact: Gain Privileges
Note: N/A
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
▼Mitigations
Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.
▼Example Instances
▼Related Weaknesses
IDName
CWE-158Improper Neutralization of Null Byte or NUL Character
CWE-172Encoding Error
CWE-173Improper Handling of Alternate Encoding
CWE-20Improper Input Validation
CWE-697Incorrect Comparison
CWE-707Improper Neutralization
CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ID: CWE-158
Name: Improper Neutralization of Null Byte or NUL Character
ID: CWE-172
Name: Encoding Error
ID: CWE-173
Name: Improper Handling of Alternate Encoding
ID: CWE-20
Name: Improper Input Validation
ID: CWE-697
Name: Incorrect Comparison
ID: CWE-707
Name: Improper Neutralization
ID: CWE-74
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
WASC28Null Byte Injection
OWASP AttacksN/AEmbedding Null Code
Taxonomy Name: WASC
Entry ID: 28
Entry Name: Null Byte Injection
Taxonomy Name: OWASP Attacks
Entry ID: N/A
Entry Name: Embedding Null Code
▼Notes
▼References
Reference ID: REF-1
Title: Exploiting Software: How to Break Code
Author: G. Hoglund, G. McGraw
Publication:
Publisher:Addison-Wesley
Edition:
URL:
URL Date:
Day:N/A
Month:02
Year:2004
Reference ID: REF-445
Title: Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
Author:
Publication:
iDefense Labs Public Advisory
Publisher:Verisign, Inc.
Edition:
URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126
URL Date:
Day:13
Month:08
Year:2004
Reference ID: REF-446
Title: PHP Input Validation Vulnerabilities
Author:
Publication:
Bugtraq mailing list archive
Publisher:
Edition:
URL:http://msgs.securepoint.com/bugtraq/
URL Date:
Day:N/A
Month:N/A
Year:N/A
Details not found