Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-123 (任意地址可写任意内容条件) — Vulnerability Class 32

32 vulnerabilities classified as CWE-123 (任意地址可写任意内容条件). AI Chinese analysis included.

CWE-123 represents a critical memory safety vulnerability where an attacker gains the ability to write arbitrary data to arbitrary memory locations, frequently resulting from unchecked buffer overflows. This weakness allows malicious actors to overwrite critical program structures, such as return addresses or function pointers, thereby hijacking control flow to execute injected shellcode or arbitrary commands. Exploitation typically involves crafting specific input that exceeds buffer boundaries, corrupting adjacent memory to achieve remote code execution or privilege escalation. To mitigate this risk, developers must implement rigorous bounds checking on all array accesses and buffer operations. Utilizing modern, memory-safe programming languages that handle memory management automatically, employing compiler-based protections like stack canaries and Address Space Layout Randomization, and conducting thorough static and dynamic code analysis are essential strategies to prevent such arbitrary writes and ensure application integrity.

MITRE CWE Description
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Common Consequences (3)
Integrity, Confidentiality, Availability, Access ControlModify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism
Clearly, write-what-where conditions can be used to write data to areas of memory outside the scope of a policy. Also, they almost invariably can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. If the attacker can overwrite a pointer's w…
Integrity, AvailabilityDoS: Crash, Exit, or Restart, Modify Memory
Many memory accesses can lead to program termination, such as when writing to addresses that are invalid for the current process.
Access Control, OtherBypass Protection Mechanism, Other
When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Mitigations (2)
Architecture and DesignUse a language that provides appropriate memory abstractions.
OperationUse OS-level preventative functionality integrated after the fact. Not a complete solution.
Examples (1)
The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code:
#define BUFSIZE 256 int main(int argc, char **argv) { char *buf1 = (char *) malloc(BUFSIZE); char *buf2 = (char *) malloc(BUFSIZE); strcpy(buf1, argv[1]); free(buf2); }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2018-15376 Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers Arbitrary Memory Write Vulnerabilities — Cisco IOS Software 6.7 -2018-10-05
CVE-2018-15375 Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers Arbitrary Memory Write Vulnerabilities — Cisco IOS Software 6.7 -2018-10-05

Vulnerabilities classified as CWE-123 (任意地址可写任意内容条件) represent 32 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.