CWE-626: Null Byte Interaction Error (Poison Null Byte)
Weakness ID: 626
Version: v4.17
Weakness Name: Null Byte Interaction Error (Poison Null Byte)
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
▼Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

▼Extended Description

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.

The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Allowed
Type: Variant
ID: 147
Name: Improper Neutralization of Input Terminators
Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 436
Name: Interpretation Conflict
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1407
Name: Comprehensive Categorization: Improper Neutralization
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-242
Name: Weaknesses in Software Written in ASP.NET
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-250
Name: Weaknesses in Software Written in Perl
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-315
Name: Unexpected State (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command
▼Background Detail

▼Common Consequences
Scope: Integrity
Likelihood: N/A
Impact: Unexpected State
Note: N/A
▼Potential Mitigations
Phase: Implementation
Description:

Remove null bytes from all incoming strings.
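
The mismatch described in the Extended Description, together with the mitigation above, as an added example that is not part of the CWE entry: a counted buffer of the kind Perl or PHP holds passes a ".txt" suffix check, yet a C string API sees only the bytes before the first NUL. The struct counted type, the function names and the sample filename are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Counted string, as Perl/PHP hold it: explicit length, NUL is ordinary data. */
struct counted { const char *data; size_t len; };

/* Constructed sample: input "report.cfg\0" with hard-coded ".txt" appended. */
static const char SAMPLE[] = "report.cfg\0.txt";

/* Extension check performed on the counted representation. */
int ends_with_txt(struct counted s) {
    return s.len >= 4 && memcmp(s.data + s.len - 4, ".txt", 4) == 0;
}

/* Length a C string API sees in the same buffer: bytes before the first NUL. */
size_t c_visible_len(struct counted s) {
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* Boundary check: nonzero when the two representations would disagree. */
int has_embedded_nul(struct counted s) {
    return memchr(s.data, '\0', s.len) != NULL;
}

/* Mitigation from the entry: copy s into out with NUL bytes removed.
   Returns the new length, or (size_t)-1 if out is too small. */
size_t strip_nuls(struct counted s, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return (size_t)-1;
    for (size_t i = 0; i < s.len; i++) {
        if (s.data[i] == '\0') continue;
        if (n + 1 >= cap) return (size_t)-1;
        out[n++] = s.data[i];
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    struct counted s = { SAMPLE, sizeof SAMPLE - 1 };
    char out[32];
    printf("suffix check passes: %d\n", ends_with_txt(s));
    printf("C API sees: %.*s\n", (int)c_visible_len(s), s.data);
    printf("embedded NUL: %d\n", has_embedded_nul(s));
    if (strip_nuls(s, out, sizeof out) != (size_t)-1)
        printf("after stripping: %s\n", out);
    return 0;
}
```

After stripping, the counted view and the C view of the name agree, so a check made on one holds for the other. has_embedded_nul also supports rejecting the input outright at the boundary instead of rewriting it.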

▼Modes Of Introduction
Phase: Implementation
Note: N/A


▼Applicable Platforms
Languages
Class: PHP (Undetermined Prevalence)
Class: Perl (Undetermined Prevalence)
Class: ASP.NET (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference: CVE-2005-4155
Description: NUL byte bypasses PHP regular expression check
Reference: CVE-2005-3153
Description: inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
Description: N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes
Terminology

Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.

Research Gap

There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.

▼Taxonomy Mappings
▼Related Attack Patterns
▼References
Reference ID: REF-514
Title: Poison NULL byte
Author: Rain Forest Puppy
Publication: Phrack 55
URL: https://insecure.org/news/P55-07.txt
URL Date: 2023-04-07

Reference ID: REF-515
Title: 0x00 vs ASP file upload scripts
Author: Brett Moore
URL: http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

Reference ID: REF-516
Title: ShAnKaR: multiple PHP application poison NULL byte vulnerability
Author: ShAnKaR
URL: https://seclists.org/fulldisclosure/2006/Sep/185
URL Date: 2023-04-07