Authorization / List of Calls to Dangerous Low-Level C Functions
Description
List of calls to dangerous low-level C functions is a vulnerability related to authorization in iOS and mobile apps. It is defined in the Common Weakness Enumeration (CWE) directory as CWE-415: Double Free, a type of memory access error in which a program attempts to free the same memory twice, leading to program crashes or memory corruption. The OWASP Testing Guide recommends checks to verify that a system does not contain any double-free bugs, as these can lead to security risks and system instability.
Risk
The risk associated with this vulnerability is high, as it can lead to memory corruption and program crashes, and can allow an attacker to gain access to sensitive information. Depending on the context, it can lead to a remote code execution attack or denial of service. It can also lead to unauthorized access to sensitive data or a complete system compromise.
Solution
The best way to address this vulnerability is to review the code and check for any calls to dangerous low-level C functions. If any are found, they should be removed or replaced with safe functions. In addition, memory management should be reviewed, and any double frees should be identified and removed or replaced.
Example
For example, consider the following C code, which contains a list of calls to dangerous low-level C functions:

    #include <stdlib.h>

    int main(int argc, char *argv[]) {
        char *ptr;
        ptr = malloc(10); // allocate 10 bytes
        free(ptr);        // first free: the block goes back to the allocator
        free(ptr);        // double free
        return 0;
    }

The example shows that a double free is present, which could lead to various security vulnerabilities.
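The same kind of allocation written so that a second free cannot happen: each buffer has one owner, every exit shares one cleanup path, and pointers are cleared when freed. This is an added example, not code from the original page; `struct record`, `record_init`, `record_destroy` and `free_and_clear` are hypothetical names chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Free *pp and clear the caller's pointer. A repeated call then passes
 * NULL to free(), which the C standard defines as a no-op. */
static void free_and_clear(char **pp) {
    if (pp != NULL) {
        free(*pp);
        *pp = NULL;
    }
}

/* Hypothetical record type that owns one heap buffer. */
struct record { char *name; };

/* Copy src into r->name. Returns 0 on success, -1 on failure.
 * Every exit after validation goes through one cleanup label, so the
 * temporary buffer is released at most once whichever step failed. */
int record_init(struct record *r, const char *src, size_t max_len) {
    int rc = -1;
    char *buf = NULL;
    size_t len;

    if (r == NULL || src == NULL) return -1;
    r->name = NULL;
    len = strlen(src);
    if (len > max_len) goto cleanup;   /* rejected before allocating */
    buf = malloc(len + 1);
    if (buf == NULL) goto cleanup;
    memcpy(buf, src, len + 1);
    r->name = buf;   /* ownership moves to the record ... */
    buf = NULL;      /* ... so cleanup must not free it again */
    rc = 0;
cleanup:
    free_and_clear(&buf);
    return rc;
}

/* Safe to call more than once: the second call sees NULL. */
void record_destroy(struct record *r) {
    if (r != NULL) free_and_clear(&r->name);
}

int main(void) {
    struct record r;
    if (record_init(&r, "alice", 16) != 0) return 1;
    record_destroy(&r);
    record_destroy(&r);   /* repeated cleanup is harmless here */
    return 0;
}
```

Clearing the pointer only protects the copy that was cleared; any other alias of the same block still has to be tracked during code review.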