CWE Glossary
- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting
- CWE-89: SQL Injection
- CWE-90: LDAP Injection
- CWE-91: XML Injection
- CWE-94: Code Injection
- CWE-98: PHP File Inclusion
- CWE-113: HTTP Response Splitting
- CWE-119: Buffer Errors
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-211: Information Exposure Through Externally-Generated Error Message
- CWE-236: Improper Handling of Undefined Parameters
- CWE-276: Incorrect Default Permissions
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-306: Missing Authentication for Critical Function
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-Site Request Forgery
- CWE-384: Session Fixation
- CWE-427: Uncontrolled Search Path Element
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-476: NULL Pointer Dereference
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-613: Insufficient Session Expiration
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-671: Lack of Administrator Control over Security
- CWE-798: Use of Hard-coded Credentials
- CWE-799: Improper Control of Interaction Frequency
- CWE-822: Untrusted Pointer Dereference
- CWE-835: Infinite Loop
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-942: Overly Permissive Cross-domain Whitelist
CWE is a trademark of the MITRE Corporation.
Join our subscribers
NULL Pointer Dereference [CWE-476]
NULL Pointer Dereference weakness occurs where software dereferences a pointer with a value of NULL instead of a valid address.
![NULL Pointer Dereference [CWE-476]](/images/vulnerability/previews/null-pointer-dereference-cwe-476.jpg "NULL Pointer Dereference [CWE-476]")
Created: September 11, 2012
Latest Update: December 28, 2020
Table of Content
- Description
- Potential impact
- Affected software
- Severity and CVSS Scoring
- Mitigations
- References
- Latest Related Security Advisories
Want to have an in-depth understanding of all modern aspects of NULL Pointer Dereference [CWE-476]? Read carefully this article and bookmark it to get back later, we regularly update this page.
1. Description
NULL pointer dereference erros are common in C/C++ languages. Pointer is a programming language data type that references a location in memory. Once the value of the location is obtained by the pointer, this pointer is considered dereferenced. The NULL pointer dereference weakness occurs where application dereferences a pointer that is expected to be a valid address but instead is equal to NULL. The following C++ example causes a NULL pointer dereference error:
- // NULL Pointer Dereference [CWE-476] vulnerable code example
- // (c) HTB Research
- #include <stdio.h>
- int *ptr = NULL;
- int _tmain(int argc, _TINT* argv[])
- {
- *ptr = 17;
- return 0;
- }
Once executed, the application will throw an exception with code c0000005, as shown below:
![Crash of application: NULL Pointer Dereference [CWE-476] example](/images/vulnerability/appcrash-exception.png)
The following C++ code demonstrates NULL pointer dereference error within the getaddrinfo() function when argv[2] is empty:
- // NULL Pointer Dereference [CWE-476] vulnerable code example
- // (c) HTB Research
- #undef UNICODE
- #include "StdAfx.h"
- #include <winsock2.h>
- #include <ws2tcpip.h>
- #include <stdio.h>
- #pragma comment (lib, "Ws2_32.lib")
- int __cdecl main(int argc, char **argv)
- {
- WSADATA wsaData;
- int iResult;
- INT iRetval;
- DWORD dwRetval;
- int i = 1;
- struct addrinfo *result = NULL;
- struct addrinfo *ptr = NULL;
- struct addrinfo hints;
- if(argc<2){
- printf("usage: %s <proto> <hostname> <servicename>\n", argv[0]);
- return 1;
- }
- iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
- if (iResult != 0) {
- printf("WSAStartup failed: %d\n", iResult);
- return 1;
- }
- ZeroMemory( &hints, sizeof(hints) );
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
- dwRetval = getaddrinfo(argv[2], argv[3], &hints, &result);
- if ( dwRetval != 0 ) {
- printf("getaddrinfo failed with error: %d\n", dwRetval);
- WSACleanup();
- return 1;
- }
- printf("getaddrinfo returned success\n");
- return 0;
- }
The above code contains a logic error when checking against the number of input parameters in the if(argc<2) statement. As a result, NULL is passed as the first argument of the getaddrinfo() function instead of a valid address.
A number of flaws can cause NULL pointer dereference issues, including race condition, and programming omissions as demonstrated above.
2. Potential impact
In most cases, NULL pointer dereference errors result in the crash of application however, code execution is possible under certain circumstances. Depending on privileges of the application, this weakness can result in a denial of service attack against the entire system or can be used to gain complete control over it.
3. Affected software
Software written in C/C++, Assembly or any other language that makes usage of pointers is potentially vulnerable to this type of weakness.
4. Severity and CVSS Scoring
Since NULL pointer dereference errors mostly result in application crash, they are usually scored with availability impact only. A common CVSS score for locally exploitable vulnerability in client application would look like this:
2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) – Low severity.
If a high-privileged application, such as driver or critical system service contains a NULL pointer dereference error, it should be scored with complete availability impact, since crash of such application may render system inaccessible:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) – Medium severity.
In cases of remote code execution, it is usually scored with medium or high access complexity metric:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Critical severity.
We use CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance to FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, sometimes they may differ from those ones that are recommended by FIRST.
5. Mitigations
NULL pointer dereference issues frequently result from rarely encountered error conditions and are most likely to escape detection during testing. The best way to avoid appearance of this weakness is to follow programming best practices:
- Perform sanity checks on all pointers that can be modified,
- Check the results of the return value of functions to verify that this value is not NULL before using it,
- Perform input validation on variables and data stores that may receive input from an external source,
- Explicitly initialize variables during declaration or before the first usage,
- Ensure that proper locking APIs are used to lock before the "if" statement and unlock after it when working with multi-threaded or otherwise asynchronous environment.
The following example demonstrates proper validation of pointer before freeing it:
- if (pointer1 != NULL) {
- free(pointer1);
- pointer1 = NULL;
- }
6. References
- CWE-476: NULL Pointer Dereference [cwe.mitre.org]
- Null-pointer dereference [owasp.org]
7. NULL Pointer Dereference Vulnerabilities, Exploits and Examples
- HTB23112: Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6
- HTB23130: Nero MediaHome Multiple Remote DoS Vulnerabilities
- HTB23129: FireFly Media Server Multiple Remote DoS Vulnerabilities
- HTB23106: Multiple Vulnerabilities in LibreOffice
- HTB23099: Multiple vulnerabilities in Samsung Kies
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
↑ Back to Top
