
If a CVE lists a buffer overflow vulnerability, but not a remote code execution, should I interpret that as:

  1. This vulnerability has not been confirmed to expose RCE, or
  2. This vulnerability has been confirmed to not expose RCE, or
  3. Somebody (who?) thinks that it probably doesn't expose RCE.

Or something else? Is this information generally reliable?

Edit: Confirming an RCE vulnerability after the initial discovery can be very difficult and time-consuming. I imagine that researchers sometimes report segmentation faults without first confirming the full extent of the exposure, which led me to this question.

jtpereyda

1 Answer


You should interpret it as just that: an untrusted input is able to write to a section of memory that it isn't supposed to write to, because the application fails to check its size.

I think you are in the mindset of always categorising RCE as an extension of buffer overflow, when they could be different issues altogether. Take for instance RCE due to remote file inclusion, or flaws in web applications that utilise eval in scripting languages or take untrusted input to run an OS command. These are RCEs but not necessarily BOFs.

I guess what I'm saying is, a buffer overflow can be treated as its own category that describes what a vulnerability is and how it happens. It could potentially be extended to RCE or DoS, but "overflow" is perfectly adequate for understanding it.

When you see an overflow vulnerability, you can always check the associated publicly released exploit code and read more about it to see if there's DoS or RCE. Most (if not all) BOFs are at a minimum already a DoS. Also, it is possible to read that an overflow leads to RCE but be unable to find any public exploit. This is common, especially in software that is proprietary. This doesn't mean that it's unconfirmed; it's just that the researcher(s) never released it to the public, and it may be part of proprietary security tools.

Link
  • The key issue I'm wondering about is the effort required to determine *whether* RCE is possible given any exploit, buffer overflow or otherwise. If the CVE doesn't mention RCE, does that mean that they've done the footwork to make sure RCE isn't possible? Or does it mean that they just don't know if it's possible? – jtpereyda Jan 05 '17 at 16:14
  • I think it is based on the extent of the report submitted. I guess the bottom line is, Mitre doesn't really go and check the extent of a reported vulnerability. Also, most of the time, and for faster processing, researchers report it to vendors / developers and they are the ones who submit to Mitre, so the content, including info on whether you can do RCE or not with a buffer overflow, might depend on the report submitted by the vendor. – Link Jan 06 '17 at 06:59
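The answer's point that "buffer overflow" describes the mechanism (an unchecked write past a fixed-size buffer) and not the impact is easy to see in code. The following is an added example, not code from the question, the answer, or any real CVE. It models a stack frame as a plain byte array (bytes 0..15 are a name buffer, bytes 16..19 are whatever happens to sit next to it, e.g. a flag or a saved return address), so the overflow is deterministic and well-defined rather than relying on the real stack layout. The same unchecked copy turns into a crash if the adjacent bytes are a pointer that gets dereferenced, or into a controlled write if they are something the attacker can steer; the hardened variant refuses oversized input. The payloads, the canary value 0x11111111 and the function names are constructed for this demonstration.

```c
/* Added example (not from the original post): a deterministic model of a
 * stack-buffer overflow and its bounds-checked fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* size of the fixed name buffer */
#define FRAME_LEN 20   /* buffer plus the 4 adjacent bytes that follow it */

struct frame {
    unsigned char bytes[FRAME_LEN];
};

/* Decode the 4 bytes right after the buffer as a little-endian value, so
 * the result is the same on every host regardless of its byte order. */
static uint32_t adjacent_value(const struct frame *f) {
    const unsigned char *b = f->bytes + BUF_LEN;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Fresh frame: empty buffer, adjacent value set to a known canary
 * (0x11111111 is an assumed placeholder, chosen to be byte-order neutral). */
static void init_frame(struct frame *f) {
    memset(f->bytes, 0, FRAME_LEN);
    memset(f->bytes + BUF_LEN, 0x11, 4);
}

/* Vulnerable: trusts the caller-supplied length, so bytes beyond BUF_LEN
 * spill into the adjacent value. The cap at FRAME_LEN exists only to keep
 * this demonstration inside defined behaviour; real code has no such cap. */
static void copy_unchecked(struct frame *f, const unsigned char *src, size_t len) {
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(f->bytes, src, len);
}

/* Fixed: reject anything that does not fit. Returns 1 if copied, 0 if rejected. */
static int copy_checked(struct frame *f, const unsigned char *src, size_t len) {
    if (len > BUF_LEN) return 0;
    memcpy(f->bytes, src, len);
    return 1;
}

/* Feed a payload to the vulnerable copy and report what the adjacent value became. */
uint32_t overflow_result(const unsigned char *payload, size_t len) {
    struct frame f;
    init_frame(&f);
    copy_unchecked(&f, payload, len);
    return adjacent_value(&f);
}

/* Feed a payload to the checked copy; *accepted tells whether it was taken. */
uint32_t checked_result(const unsigned char *payload, size_t len, int *accepted) {
    struct frame f;
    init_frame(&f);
    *accepted = copy_checked(&f, payload, len);
    return adjacent_value(&f);
}

int main(void) {
    /* Constructed payloads: 16 bytes fit exactly; 20 bytes overrun by the
     * width of the adjacent value with attacker-chosen bytes (0xdeadbeef LE). */
    unsigned char fits[BUF_LEN];
    unsigned char overrun[FRAME_LEN];
    int accepted;

    memset(fits, 'A', sizeof fits);
    memset(overrun, 'A', BUF_LEN);
    overrun[16] = 0xef; overrun[17] = 0xbe; overrun[18] = 0xad; overrun[19] = 0xde;

    printf("unchecked, fits:    adjacent = 0x%08x\n", overflow_result(fits, sizeof fits));
    printf("unchecked, overrun: adjacent = 0x%08x (attacker-controlled)\n",
           overflow_result(overrun, sizeof overrun));
    printf("checked,   overrun: adjacent = 0x%08x, accepted = %d\n",
           checked_result(overrun, sizeof overrun, &accepted), accepted);
    return 0;
}
```

Run it and the unchecked path reports the adjacent value as 0xdeadbeef for the 20-byte payload while the checked path keeps 0x11111111 and rejects the input. Whether that overwritten value means a crash, a privilege flag flip, or hijacked control flow is a property of the surrounding program, which is exactly why a CVE that says only "buffer overflow" has not told you the impact.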