CWE-123 Base Draft High likelihood

Write-what-where Condition

A write-what-where condition occurs when an attacker can control both the data written and the exact memory location where it's written, often due to a severe memory corruption flaw like a buffer…

Definition

What is CWE-123?

A write-what-where condition occurs when an attacker can control both the data written and the exact memory location where it's written, often due to a severe memory corruption flaw like a buffer overflow.
This vulnerability is one of the most dangerous memory corruption issues. It gives an attacker near-total control over a program's execution by allowing them to overwrite critical data or code pointers in memory. Think of it as an attacker having a precise remote control to edit the program's own instruction manual while it's running, which can directly lead to arbitrary code execution. For developers, this highlights the critical importance of secure memory management. Preventing this condition requires rigorous bounds checking, using safe functions that limit write lengths, and employing modern security features like address space layout randomization (ASLR) and stack canaries. It's often the final, exploitable result of simpler bugs like buffer overflows, making those initial flaws far more severe.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-123

  • CVE-2019-19911

    Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).

  • CVE-2022-0545

    Chain: 3D renderer has an integer overflow (CWE-190) leading to write-what-where condition (CWE-123) using a crafted image.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code:

  2. 2

    Vulnerability in this case is dependent on memory layout. The call to strcpy() can be used to write past the end of buf1, and, with a typical layout, can overwrite the accounting information that the system keeps for buf2 when it is allocated. Note that if the allocation header for buf2 can be overwritten, buf2 itself can be overwritten as well.

  3. 3

    The allocation header will generally keep a linked list of memory "chunks". Particularly, there may be a "previous" chunk and a "next" chunk. Here, the previous chunk for buf2 will probably be buf1, and the next chunk may be null. When the free() occurs, most memory allocators will rewrite the linked list using data from buf2. Particularly, the "next" chunk for buf1 will be updated and the "previous" chunk for any subsequent chunk will be updated. The attacker can insert a memory address for the "next" chunk and a value to write into that memory address for the "previous" chunk.

  4. 4

    This could be used to overwrite a function pointer that gets dereferenced later, replacing it with a memory address that the attacker has legitimate access to, where they have placed malicious code, resulting in arbitrary code execution.

Verwundbares Codebeispiel

Vulnerable C

The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code:

Verwundbar C 
#define BUFSIZE 256
  int main(int argc, char **argv) {
  	char *buf1 = (char *) malloc(BUFSIZE);
  	char *buf2 = (char *) malloc(BUFSIZE);
  	strcpy(buf1, argv[1]);
  	free(buf2);
  }
Sicheres Codebeispiel

Secure pseudo

Sicher pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-123

  • Architecture and Design Use a language that provides appropriate memory abstractions.
  • Operation Use OS-level preventative functionality integrated after the fact. Not a complete solution.
Erkennungssignale

How to detect CWE-123

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-123 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-123?

A write-what-where condition occurs when an attacker can control both the data written and the exact memory location where it's written, often due to a severe memory corruption flaw like a buffer overflow.

Wie gravierend ist CWE-123?

MITRE stuft die Exploit-Wahrscheinlichkeit als hoch ein — diese Schwachstelle wird aktiv in freier Wildbahn ausgenutzt und sollte priorisiert behoben werden.

Welche Sprachen oder Plattformen sind von CWE-123 betroffen?

MITRE lists the following affected platforms: C, C++.

Wie kann ich CWE-123 verhindern?

Use a language that provides appropriate memory abstractions. Use OS-level preventative functionality integrated after the fact. Not a complete solution.

Wie erkennt und behebt Plexicus CWE-123?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-123 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-123?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/123.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-123

CWE-787 Parent

Out-of-bounds Write

This vulnerability occurs when software incorrectly writes data outside the boundaries of its allocated memory buffer, either beyond the…

CWE-120 Sibling

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will…

CWE-121 Sibling

Stack-based Buffer Overflow

A stack-based buffer overflow occurs when a program writes more data to a buffer located on the call stack than it can hold, corrupting…

CWE-122 Sibling

Heap-based Buffer Overflow

A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting…

CWE-124 Sibling

Buffer Underwrite ('Buffer Underflow')

A buffer underwrite, also known as buffer underflow, happens when a program writes data to a memory location before the official start of…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen