ASP.NET 2.0 Security Inspection Questions - Potentially Dangerous Unmanaged APIs
From Guidance Share
- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo
Unmanaged API Vulnerabilities and Implications
|
Vulnerability |
Implications |
|---|---|
|
A potentially dangerous unmanaged API is called improperly |
An attacker could exploit the weakness in the potentially dangerous API to gain access to arbitrary memory locations or run arbitrary code. |
In addition to the checks performed for unsafe code, you should review unmanaged code for the use of potentially dangerous APIs such as strcpy and strcat. Be sure to review any interop calls, as well as the unmanaged code itself, to make sure that bad assumptions are not made as execution control passes from managed to unmanaged code.
Does the code call potentially dangerous unmanaged APIs?
Potentially dangerous unmanaged functions can be categorized as follows:
- Unbound Functions (UF). These functions do not expect an explicit bound parameter for the number of bytes that might be modified for one of their parameters. These are typically the most dangerous functions and should never be used.
- NULL Terminated Functions (NTF). These functions require a NULL terminated string. If they are provided a string without NULL termination, they could overwrite memory. If the code uses NULL terminated functions, make sure that the loop does not have an additional placeholder for NULL; for example, for(i = 0; i <= 512; i++) should be < 512 not <= 512.
- Non-NULL Terminated Functions (NNTF). The output of most string functions is NULL terminated; however, the output of a few is not. These require special treatment to avoid programming defects. If the code uses non-NULL terminated functions, make sure that the loop does have an additional placeholder for NULL.
- Format Functions (FF). Format string functions allow a programmer to format their input and output. If the format is not provided, data can be manipulated and can lead to programming defects.
The following table shows a range of potentially dangerous unmanaged APIs and the associated categories into which they fall.
Potentially Dangerous Unmanaged APIs
| Functions | Category |
| Strcpy | UF, NTF |
| Strcat | UF, NTF |
| Strcat | NTF |
| Strlen | NTF |
| Strncpy | NNTF |
| Strncat | NNTF |
| Strcmp | NTF |
| Strcmp | NTF |
| Mbcstows | NNTF |
| _strdup | NTF |
| _strrev | NTF |
| Strstr | NTF |
| Strstr | NTF |
| Sprintf | FF, NTF |
| _snprintf | FF, NTF |
| Printf | FF, NTF |
| Fprintf | FF, NTF |
| Gets | UF |
| Scanf | FF, NTF |
| Fscanf | FF, NTF |
| Sscanf | FF, NTF |
| Strcspn | NTF |
| MultiByteToWideChar | NNTF |
| WideCharToMultiByte | NNTF |
| GetShortPathNameW | NTF |
| GetLongPathNameW | NTF |
| WinExec | NTF |
| CreateProcessW | NTF |
| GetEnvironmentVariableW | NTF |
| SetEnvironmentVariableW | NTF |
| SetEnvironmentVariableW | NTF |
| ExpandEnvironmentStringsW | NTF |
| SearchPathW | NTF |
| SearchPathW | NTF |
| SearchPathW | NTF |
| Lstrcpy | UF, NTF |
| Wcscpy | UF, NTF |
| _mbscpy | UF, NTF |
| StrCpyA | UF, NTF |
| StrCpyW | UF, NTF |
| lstrcatA | UF, NTF |
| lstrcatW | UF, NTF |
| Wcscat | UF, NTF |
| _mbscat | UF, NTF |
| Wcslen | NTF |
| _mbslen | NTF |
| _mbstrlen | NTF |
| lstrlenA | NTF |
| lstrlenW | NTF |
| Wcsncpy | NNTF |
| _mbsncpy | NNTF |
| StrCpyN | NNTF |
| lstrcpynW | NTF |
| lstrcatnA | NTF |
| lstrcatnW | NTF |
| Wcsncat | NTF |
| _mbsncat | NTF |
| _mbsnbcat | NTF |
| lstrcmpA | NTF |
| lstrcmpW | NTF |
| StrCmp | NTF |
| Wcscmp | NTF |
| _mbscmp | NTF |
| Strcoll | NTF |
| Wcscoll | NTF |
| _mbscoll | NTF |
| _stricmp | NTF |
| lstrcmpiA | NTF |
| lstrcmpiW | NTF |
| _wcsicmp | NTF |
| _mbsicmp | NTF |
| StrCmp | NTF |
| _stricoll | NTF |
| _wcsicoll | NTF |
| _mbsicoll | NTF |
| StrColl | NTF |
| _wcsdup | NTF |
| _mbsdup | NTF |
| StrDup | NTF |
| _wcsrev | NTF |
| _mbsrev | NTF |
| _strlwr | NTF |
| _mbslwr | NTF |
| _wcslwr | NTF |
| _strupr | NTF |
| _mbsupr | NTF |
| _wcsupr | NTF |
| Wcsstr | NTF |
| _mbsstr | NTF |
| Strspn | NTF |
| Wcsspn | NTF |
| _mbsspn | NTF |
| Strpbrk | NTF |
| Wcspbrk | NTF |
| _mbspbrk | NTF |
| Wcsxfrm | NTF |
| Wcscspn | NTF |
| _mbcscpn | NTF |
| Swprintf | FF |
| wsprintfA | FF |
| wsprintfW | FF |
| Vsprintf | FF |
| Vswprintf | FF |
| _snwprintf | FF |
| _vsnprintf | FF |
| _vsnwprintf | FF |
| Vprintf | FF |
| Vwprintf | FF |
| Vfprintf | FF |
| Vwfprintf | FF |
| _getws | UF |
| Fwscanf | FF |
| Wscanf | FF |
| Swscanf | FF |
| OemToCharA | UF, NTF |
| OemToCharW | UF, NTF |
| CharToOemA | UF, NTF |
| CharToOemW | UF, NTF |
| CharUpperA | NTF |
| CharUpperW | NTF |
| CharUpperBuffW | NTF |
| CharLowerA | NTF |
| CharLowerW | NTF |
| CharLowerBuffW | NTF |
