返回 Skill 列表
extension
分类: 开发与工程无需 API Key

detecting-arbitrary-write

通过识别未经检查的数组索引和越界内存写入来检测任意写入漏洞。在分析内存写操作、指针运算或调查代码执行漏洞时使用。

person作者: jakexiaohubgithub

Arbitrary Write Detection

Detection Workflow

  1. Identify write operations: Find all array writes, pointer dereference writes, format string usage with %n, struct member writes
  2. Trace input sources: Use xrefs_to to trace input, follow user data to write points, identify attacker-controlled values
  3. Check bounds validation: Verify array bounds checks, assess pointer arithmetic safety, check format string validation, review type safety
  4. Assess exploitability: Can attacker control write address? Can attacker control write value? What can be overwritten? Can code execution be achieved?

Key Patterns

  • Unchecked array indexing: array writes with user-controlled indices, pointer arithmetic writes with user input
  • Format string writes: user-controlled format strings with %n, memory writes via printf
  • Pointer dereference writes: writing through user-controlled pointers, use-after-free writes, vtable corruption
  • Struct/class member writes: writing to wrong struct members, type confusion, vtable/function pointer overwrites

Output Format

Report with: id, type, subtype, severity, confidence, location, vulnerability, write operation, array base, index source, value source, bounds check, exploitable, attack scenario, potential targets, mitigation.

Severity Guidelines

  • CRITICAL: Arbitrary write enabling code execution
  • HIGH: Arbitrary write with significant impact
  • MEDIUM: Arbitrary write with limited impact
  • LOW: Minor arbitrary write issues

See Also

  • patterns.md - Detailed detection patterns and exploitation scenarios
  • examples.md - Example analysis cases and code samples
  • references.md - CWE references and mitigation strategies