CAPEC-10: Buffer Overflow via Environment Variables

Buffer Overflow via Environment Variables


Typical_Severify: High



This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.


ChildOf: CAPEC-100 |Overflow Buffers

ParentOf: CAPEC-13 | Subverting Environment Variable Values

ParentOf: CAPEC-46 | Overflow Variables and Tags

ParentOf: CAPEC-69 | Target Programs with Elevated Privileges

Execution Flow Attack Setp

Setp 1 Explore

The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.).

Setp 2 Experiment

The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow.

Setp 3 Exploit

The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment.


The application uses environment variables.

An environment variable exposed to the user is vulnerable to a buffer overflow.

The vulnerable environment variable uses untrusted data.

Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.


Level Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Level High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.



Scope Impact Likelihood
A v a i l a b i l i t y Unreliable Execution
Confidentiality Integrity Availability Execute Unauthorized Commands
C o n f i d e n t i a l i t y Read Data
I n t e g r i t y Modify Data
Confidentiality Access Control Authorization Gain Privileges


Do not expose environment variable to the user.

Do not use untrusted data in your environment variables.

Use a language or compiler that performs automatic bounds checking

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.


Attack Example: Buffer Overflow in $HOME

A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.

See also: CVE-1999-0906

Attack Example: Buffer Overflow in TERM

A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.

See also: CVE-1999-0046


120 | 未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)

302 | 使用假设不可变数据进行的认证绕过

118 | 对可索引资源的访问不恰当(越界错误)

119 | 内存缓冲区边界内操作的限制不恰当

74 | 输出中的特殊元素转义处理不恰当(注入)

99 | 对资源描述符的控制不恰当(资源注入)

20 | 输入验证不恰当

680 | 整数溢出导致缓冲区溢出

733 | 编译器优化对安全关键代码的移除或修改

697 | 不充分的比较



2014-06-23 | CAPEC Content Team | The MITRE Corporation


2017-01-09 | CAPEC Content Team | The MITRE Corporation

Updated Related_Attack_Patterns

2018-07-31 | CAPEC Content Team | The MITRE Corporation

Updated References