CWE-590 – Free of Memory not on the Heap

Read Time:1 Minute, 18 Second

Description

The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

When free() is called on an invalid pointer, the program’s memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-762
CWE-123

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

There is the potential for arbitrary code execution with privileges of the vulnerable program via a “write, what where” primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory.

 

Potential Mitigations

Phase: Implementation

Description: 

Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once.

Phase: Implementation

Description: 

Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Use a language that provides abstractions for memory allocation and deallocation.

Phase: Testing

Description: 

Use a tool that dynamically detects memory management problems, such as valgrind.

CVE References

CWE-59 – Improper Link Resolution Before File Access (‘Link Following’)

Read Time:3 Minute, 28 Second

Description

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-706
CWE-706

 

Consequences

Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism

An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

Other: Execute Unauthorized Code or Commands

Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a “.LNK” file can be uploaded like a normal file. This can enable remote execution.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-1999-1386
    • Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
  • CVE-2000-1178
    • Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
  • CVE-2004-0217
    • Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
  • CVE-2003-0517
    • Symlink attack allows local users to overwrite files.
  • CVE-2004-0689
    • Window manager does not properly handle when certain symbolic links point to “stale” locations, which could allow local users to create or truncate arbitrary files.
  • CVE-2000-0972
    • Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
  • CVE-2001-1494
    • Hard link attack, file overwrite; interesting because program checks against soft links
  • CVE-2002-0793
    • Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
  • CVE-2003-0578
    • Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
  • CVE-1999-0783
    • Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
  • CVE-2004-1603
    • Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
  • CVE-2004-1901
    • Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
  • CVE-2000-0342
    • Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka “Stealth Attachment.”
  • CVE-2001-1042
    • FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
  • CVE-2001-1043
    • FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
  • CVE-2005-0587
    • Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
  • CVE-2003-1233
    • Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
  • CVE-2002-0725
    • File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
  • CVE-2003-0844
    • Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.

CWE-589 – Call to Non-ubiquitous API

Read Time:44 Second

Description

The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-474

 

Consequences

Other: Quality Degradation

 

Potential Mitigations

Phase: Implementation

Description: 

Always test your code on any platform on which it is targeted to run on.

Phase: Testing

Description: 

Test your code on the newest and oldest platform on which it is targeted to run on.

Phase: Testing

Description: 

Develop a system to test for API functions that are not portable.

CVE References

CWE-588 – Attempt to Access Child of a Non-structure Pointer

Read Time:33 Second

Description

Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-704
CWE-758

 

Consequences

Integrity: Modify Memory

Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.

Availability: DoS: Crash, Exit, or Restart

Execution may end due to a memory access error.

 

Potential Mitigations

Phase: Requirements

Description: 

The choice could be made to use a language that is not susceptible to these issues.

Phase: Implementation

Description: 

Review of type casting operations can identify locations where incompatible types are cast.

CVE References

CWE-587 – Assignment of a Fixed Address to a Pointer

Read Time:44 Second

Description

The software sets a pointer to a specific address other than NULL or 0.

Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-344
CWE-758

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If one executes code at a known location, an attacker might be able to inject code there beforehand.

Availability: DoS: Crash, Exit, or Restart, Reduce Maintainability, Reduce Reliability

If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash.

Confidentiality, Integrity: Read Memory, Modify Memory

The data at a known pointer location can be easily read or influenced by an attacker.

 

Potential Mitigations

Phase: Implementation

Description: 

Never set a pointer to a fixed address.

CVE References

CWE-586 – Explicit Call to Finalize()

Read Time:36 Second

Description

The software makes an explicit call to the finalize() method from outside the finalizer.

While the Java Language Specification allows an object’s finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1076

 

Consequences

Integrity, Other: Unexpected State, Quality Degradation

 

Potential Mitigations

Phase: Implementation, Testing

Description: 

Do not make explicit calls to finalize(). Use static analysis tools to spot such instances.

CVE References

CWE-585 – Empty Synchronized Block

Read Time:50 Second

Description

The software contains an empty synchronized block.

An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1071

 

Consequences

Other: Other

An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven’t protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code.

 

Potential Mitigations

Phase: Implementation

Description: 

When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary.

CVE References

CWE-584 – Return Inside Finally Block

Read Time:19 Second

Description

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-705

 

Consequences

Other: Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Description: 

Do not use a return statement inside the finally block. The finally block should have “cleanup” code.

CVE References

CWE-583 – finalize() Method Declared Public

Read Time:37 Second

Description

The program violates secure coding principles for mobile code by declaring a finalize() method public.

A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-668

 

Consequences

Confidentiality, Integrity, Availability: Alter Execution Logic, Execute Unauthorized Code or Commands, Modify Application Data

 

Potential Mitigations

Phase: Implementation

Description: 

If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.

CVE References

CWE-582 – Array Declared Public, Final, and Static

Read Time:1 Minute, 11 Second

Description

The program declares an array public, final, and static, which is not sufficient to prevent the array’s contents from being modified.

Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.

Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects’ state and behavior by adversaries who have access to the same virtual machine where your program is running.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-668

 

Consequences

Integrity: Modify Application Data

 

Potential Mitigations

Phase: Implementation

Description: 

In most situations the array should be made private.

CVE References