ABSTRACT

The _mbs family of functions is susceptible to buffer overflow when manipulating malformed multibyte strings.

EXPLANATION

Windows provides the _mbs family of functions to perform various operations on multibyte strings. When these functions are passed a malformed multibyte string, such as a string containing a valid leading byte followed by a single null byte, they can read or write past the end of the string buffer, causing a buffer overflow. The following functions all pose a risk of buffer overflow:


_mbsinc
_mbsdec
_mbsncat
_mbsncpy
_mbsnextc
_mbsnset
_mbsrev
_mbsset
_mbsstr
_mbstok
_mbccpy
_mbslen
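
The malformed case described above (a valid leading byte followed by a single null byte), as an added example that is not part of the original page and is not Microsoft's code. The names is_lead_932, naive_walk and mbcs_checked_len are hypothetical, and the code page 932 lead-byte ranges are an assumed stand-in for the Windows lead-byte test so that the check runs anywhere; it validates a buffer before it is handed to any of the functions listed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: code page 932 (Shift-JIS) lead-byte ranges; on Windows use
   _ismbblead() or IsDBCSLeadByteEx() for the active code page instead. */
static int is_lead_932(unsigned char c) {
    return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC);
}

/* Models a walker that trusts the lead byte and always steps over two bytes.
   Returns the offset where it sees a terminator, or `limit` if it never does.
   `limit` bounds the demo so the model itself never reads out of bounds. */
size_t naive_walk(const unsigned char *s, size_t limit) {
    size_t i = 0;
    while (i < limit && s[i] != 0)
        i += is_lead_932(s[i]) ? 2 : 1;
    return i < limit ? i : limit;
}

/* Returns the string length in bytes if buf[0..cap) holds a well-formed,
   NUL-terminated MBCS string; returns -1 if a lead byte is followed by NUL,
   a lead byte is the last byte of the buffer, or no terminator exists. */
long mbcs_checked_len(const unsigned char *buf, size_t cap) {
    size_t i = 0;
    while (i < cap) {
        if (buf[i] == 0)
            return (long)i;
        if (is_lead_932(buf[i])) {
            if (i + 1 >= cap || buf[i + 1] == 0)
                return -1;          /* truncated double-byte character */
            i += 2;
        } else {
            i += 1;
        }
    }
    return -1;                      /* ran off the buffer without a NUL */
}

/* Constructed sample data: a 4-byte field followed by adjacent memory. */
static const unsigned char arena[8] = { 'A', 'B', 0x81, 0x00, 'S', 'E', 'C', 0x00 };
static const unsigned char good[6]  = { 'A', 0x82, 0xA0, 'B', 0x00, 0x00 };

int main(void) {
    printf("naive walk stops at offset %zu of a 4-byte field\n", naive_walk(arena, sizeof arena));
    printf("checked length (malformed): %ld\n", mbcs_checked_len(arena, 4));
    printf("checked length (well-formed): %ld\n", mbcs_checked_len(good, sizeof good));
    return 0;
}
```

Reject the input when mbcs_checked_len returns -1, rather than passing the buffer on to an _mbs function.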
