Monthly Archives: May 2022

CWE

CWE-628 – Function Call with Incorrectly Specified Arguments

Read Time:46 Second

Description

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-573

 

Consequences

Other, Access Control: Quality Degradation, Gain Privileges or Assume Identity

This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

 

Potential Mitigations

Phase: Build and Compilation

Description: 

Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.

Phase: Architecture and Design

Description: 

Make sure your API’s are stable before you use them in production code.

CVE References

  • CVE-2006-7049
    • The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.
CWE

CWE-627 – Dynamic Variable Evaluation

Read Time:1 Minute, 22 Second

Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

Many interpreted languages support the use of a “$$varname” construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as “variable variables.” Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-914
CWE-183

 

Consequences

Confidentiality, Integrity, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could gain unauthorized access to internal program variables and execute arbitrary code.

 

Potential Mitigations

Phase: Implementation

Description: 

Refactor the code to avoid dynamic variable evaluation whenever possible.

Phase: Implementation

Description: 

Use only allowlists of acceptable variable or function names.

Phase: Implementation

Description: 

For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.

CVE References

  • CVE-2009-0422
    • Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
  • CVE-2007-2431
    • Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
  • CVE-2006-4904
    • Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
  • CVE-2006-4019
    • Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.
CWE

CWE-626 – Null Byte Interaction Error (Poison Null Byte)

Read Time:23 Second

Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-147
CWE-436

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Implementation

Description: 

Remove null bytes from all incoming strings.

CVE References

  • CVE-2005-3153
    • inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection
CWE

CWE-625 – Permissive Regular Expression

Read Time:57 Second

Description

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-185
CWE-187
CWE-184
CWE-183

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Implementation

Description: 

When applicable, ensure that the regular expression marks beginning and ending string patterns, such as “/^string$/” for Perl.

CVE References

  • CVE-2002-2175
    • insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
  • CVE-2006-4527
    • regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
  • CVE-2005-1949
    • Regexp for IP address isn’t anchored at the end, allowing appending of shell metacharacters.
  • CVE-2002-2109
    • Regexp isn’t “anchored” to the beginning or end, which allows spoofed values that have trusted values as substrings.
  • CVE-2006-6511
    • regexp in .htaccess file allows access of files whose names contain certain substrings
  • CVE-2006-6629
    • allow load of macro files whose names contain certain substrings.
CWE

CWE-624 – Executable Regular Expression Error

Read Time:1 Minute, 0 Second

Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-77
CWE-77
CWE-77

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Description: 

The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as Q and E in Perl.

CVE References

  • CVE-2006-2059
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2005-3420
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2006-2878
    • Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the “/e” modifier
  • CVE-2006-2908
    • Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.
CWE

CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting

Read Time:45 Second

Description

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-267
CWE-691
CWE-618

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design

Description: 

During development, do not mark it as safe for scripting.

Phase: System Configuration

Description: 

After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.

CVE References

  • CVE-2007-0617
    • control allows attackers to add malicious email addresses to bypass spam limits
CWE

CWE-622 – Improper Validation of Function Hook Arguments

Read Time:53 Second

Description

The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.

Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-20

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure that all arguments are verified, as defined by the API you are protecting.

Phase: Architecture and Design

Description: 

Drop privileges before invoking such functions, if possible.

CVE References

  • CVE-2007-0708
    • DoS in firewall using standard Microsoft functions
  • CVE-2006-7160
    • DoS in firewall using standard Microsoft functions
  • CVE-2007-1376
    • function does not verify that its argument is the proper type, leading to arbitrary memory write
  • CVE-2007-1220
    • invalid syscall arguments bypass code execution limits
CWE

CWE-621 – Variable Extraction Error

Read Time:57 Second

Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-914
CWE-471

 

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

 

Potential Mitigations

Phase: Implementation

Description: 

Use allowlists of variable names that can be extracted.

Phase: Implementation

Description: 

Consider refactoring your code to avoid extraction routines altogether.

Phase: Implementation

Description: 

In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

CVE References

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing
CWE

CWE-620 – Unverified Password Change

Read Time:1 Minute, 0 Second

Description

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

When prompting for a password change, force the user to provide the original password in addition to the new password.

Phase: Architecture and Design

Description: 

Do not use “forgotten password” functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

CVE References

  • CVE-2007-0681
    • Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
  • CVE-2000-0944
    • Web application password change utility doesn’t check the original password.
CWE

CWE-62 – UNIX Hard Link

Read Time:1 Minute, 39 Second

Description

The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-59

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1494
    • Hard link attack, file overwrite; interesting because program checks against soft links
  • CVE-2002-0793
    • Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
  • CVE-2003-0578
    • Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
  • CVE-1999-0783
    • Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
  • CVE-2004-1603
    • Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
  • CVE-2004-1901
    • Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
  • CVE-2005-0342
    • The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.