The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
If the untrusted pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
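The following C is an added illustration, not code from the CWE entry: it places the weak pattern (a pointer-sized message field cast to a pointer and dereferenced) beside a defensive alternative in which the message carries only an opaque handle that is range-checked against a table the program owns. The `object_t` table, `lookup_handle` and the message layout are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed object table: the things a received message may refer to. */
typedef struct { int id; int value; } object_t;
object_t objects[4] = {{1, 10}, {2, 20}, {3, 30}, {4, 40}};
#define OBJECT_COUNT (sizeof objects / sizeof objects[0])

/* Weak pattern (CWE-822): a pointer-sized message field is taken as a raw
 * address and dereferenced, so the sender decides which memory is read.
 * Shown for contrast only; it is never called in this example. */
int read_value_untrusted_pointer(const uint8_t *msg)
{
    uintptr_t raw;
    memcpy(&raw, msg, sizeof raw);
    const object_t *obj = (const object_t *)raw;  /* untrusted value -> pointer */
    return obj->value;
}

/* Defensive pattern: the message carries an opaque handle (an index), never an
 * address. The pointer is derived by the program from a table it owns, after
 * the handle has been range-checked. Returns NULL for any invalid handle. */
const object_t *lookup_handle(uint32_t handle)
{
    if (handle >= OBJECT_COUNT)
        return NULL;
    return &objects[handle];
}

/* Parses the message, validates its length and handle, and stores the value.
 * Returns false on any malformed input so the caller cannot use a bad result. */
bool read_value_by_handle(const uint8_t *msg, size_t len, int *out)
{
    uint32_t handle;
    if (msg == NULL || out == NULL || len < sizeof handle)
        return false;                  /* truncated or missing message */
    memcpy(&handle, msg, sizeof handle);
    const object_t *obj = lookup_handle(handle);
    if (obj == NULL)
        return false;                  /* out-of-range handle rejected */
    *out = obj->value;
    return true;
}
```

A rejected handle produces a clean `false` rather than the crash, disclosure, or control-flow hijack the description above lists for a forged pointer.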
CVE-2007-5655: message-passing framework interprets values in packets as pointers, causing a crash.
CVE-2010-2299: labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer directly". The "handle" in the untrusted area is replaced in one function, but not another - thus also, effectively, exposure to wrong sphere (CWE-668).
CVE-2009-1719: untrusted dereference using undocumented constructor.
CVE-2009-1250: an error code is incorrectly checked and interpreted as a pointer, leading to a crash.
CVE-2009-0311: an untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.