Authorization / List of Calls to Dangerous Low-Level C Functions

Description

List of calls to dangerous low-level C functions is a vulnerability related to authorization in iOS and Mobile App. It is defined in the Common Weakness Enumeration (CWE) directory as CWE-415: Double Free, which is a type of memory access error where a program attempts to free the same memory twice, leading to program crashes or memory corruption. The OWASP Testing Guide recommends checks to verify that a system does not contain any double-free bugs, as these can lead to security risks and system instability.

Risk

The risk associated with this vulnerability is high, as it can lead to memory corruption, program crashes, and allow an attacker to gain access to sensitive information. Depending on the context, it can lead to a remote code execution attack, or denial of service. This vulnerability can lead to unauthorized access to sensitive data, or a complete system compromise.

Solution

The best way to address this vulnerability is to review the code and check for any calls to dangerous low-level C functions. If any are found, these should be removed or replaced with safe functions. In addition, memory management should be reviewed and any double-free functions should be identified and removed or replaced.

Example

For example, consider the following C code which contains a list of calls to dangerous low-level C functions:

int main(int argc, char *argv[]) {
    char *ptr;
    ptr = malloc(10);
    free(ptr);
    free(ptr);  // double free
    return 0;
}

The example shows that a double free is present, which could lead to various security vulnerabilities.