CWE-626 Detail

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.

The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

Modes Of Introduction

Implementation

Applicable Platforms

Language

Name: PHP (Undetermined)
Name: Perl (Undetermined)
Name: ASP.NET (Undetermined)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Implementation
Remove null bytes from all incoming strings.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.
There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.

References

REF-514

Perl CGI problems
Rain Forest Puppy.
https://phrack.org/issues/55/7

REF-515

0x00 vs ASP file upload scripts
Brett Moore.
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

REF-516

ShAnKaR: multiple PHP application poison NULL byte vulnerability
ShAnKaR.
https://seclists.org/fulldisclosure/2006/Sep/185

Submission

Modifications