CWE-42 – Path Equivalence: ‘filename.’ (Trailing Dot)

Read Time:40 Second

Description

A software system that accepts path input in the form of trailing dot (‘filedir.’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-41
CWE-162

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2004-0061
    • Bypass directory access restrictions using trailing dot in URL
  • CVE-2000-1133
    • Bypass directory access restrictions using trailing dot in URL
  • CVE-2001-1386
    • Bypass check for “.lnk” extension using “.lnk.”

CWE-419 – Unprotected Primary Channel

Read Time:23 Second

Description

The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-923

 

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Do not expose administrative functionnality on the user UI.

Phase: Architecture and Design

Description: 

Protect the administrative/restricted functionality with a strong authentication mechanism.

CVE References

CWE-416 – Use After Free

Read Time:2 Minute, 40 Second

Description

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-825
CWE-672
CWE-672
CWE-672
CWE-120
CWE-123

 

Consequences

Integrity: Modify Memory

The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.

Availability: DoS: Crash, Exit, or Restart

If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Choose a language that provides automatic memory management.

Phase: Implementation

Description: 

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

CVE References

  • CVE-2010-4168
    • Use-after-free triggered by closing a connection while data is still being transmitted.
  • CVE-2010-2941
    • Improper allocation for invalid data leads to use-after-free.
  • CVE-2010-2547
    • certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free
  • CVE-2010-1772
    • Timers are not disabled when a related object is deleted
  • CVE-2010-1437
    • Access to a “dead” object that is being cleaned up
  • CVE-2010-1208
    • object is deleted even with a non-zero reference count, and later accessed
  • CVE-2010-0629
    • use-after-free involving request containing an invalid version number
  • CVE-2010-0378
    • unload of an object that is currently being accessed by other functionality
  • CVE-2010-0302
    • incorrectly tracking a reference count leads to use-after-free
  • CVE-2010-0249
    • use-after-free related to use of uninitialized memory
  • CVE-2009-3658
    • Use after free in ActiveX object by providing a malformed argument to a method
  • CVE-2009-3616
    • use-after-free by disconnecting during data transfer, or a message containing incorrect data types
  • CVE-2009-3553
    • disconnect during a large data transfer causes incorrect reference count, leading to use-after-free
  • CVE-2009-1837
    • Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416)
  • CVE-2009-0749
    • realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free
  • CVE-2010-3328
    • Use-after-free in web browser, probably resultant from not initializing memory.
  • CVE-2008-5038
    • use-after-free when one thread accessed memory that was freed by another thread
  • CVE-2008-0077
    • assignment of malformed values to certain properties triggers use after free
  • CVE-2006-4434
    • mail server does not properly handle a long header.

CWE-415 – Double Free

Read Time:1 Minute, 41 Second

Description

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-825
CWE-1341
CWE-672
CWE-672
CWE-672
CWE-666
CWE-416
CWE-123

 

Consequences

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Choose a language that provides automatic memory management.

Phase: Implementation

Description: 

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Phase: Implementation

Description: 

Use a static analysis tool to find double free instances.

CVE References

  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
  • CVE-2004-0642
    • Double free resultant from certain error conditions.
  • CVE-2004-0772
    • Double free resultant from certain error conditions.
  • CVE-2005-1689
    • Double free resultant from certain error conditions.

CWE-414 – Missing Lock Check

Read Time:24 Second

Description

A product does not check to see if a lock is present before performing sensitive operations on a resource.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-667

 

Consequences

Integrity, Availability: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Implement a reliable lock mechanism.

CVE References

  • CVE-2004-1056
    • Product does not properly check if a lock is present, allowing other attackers to access functionality.

CWE-413 – Improper Resource Locking

Read Time:35 Second

Description

The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.

When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software’s assumption that the resource will not change, potentially leading to unexpected behaviors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-667

 

Consequences

Integrity, Availability: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Use a non-conflicting privilege scheme.

Phase: Architecture and Design, Implementation

Description: 

Use synchronization when locking a resource.

CVE References

CWE-412 – Unrestricted Externally Accessible Lock

Read Time:1 Minute, 50 Second

Description

The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-667
CWE-410

 

Consequences

Availability: DoS: Resource Consumption (Other)

When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock.

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Use any access control that is offered by the functionality that is offering the lock.

Phase: Architecture and Design, Implementation

Description: 

Use unpredictable names or identifiers for the locks. This might not always be possible or feasible.

Phase: Architecture and Design

Description: 

Consider modifying your code to use non-blocking synchronization methods.

CVE References

  • CVE-2001-0682
    • Program can not execute when attacker obtains a mutex.
  • CVE-2002-1914
    • Program can not execute when attacker obtains a lock on a critical output file.
  • CVE-2002-1915
    • Program can not execute when attacker obtains a lock on a critical output file.
  • CVE-2002-0051
    • Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
  • CVE-2000-0338
    • Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
  • CVE-2000-1198
    • Chain: Lock files with predictable names. Resultant from randomness.
  • CVE-2002-1869
    • Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.

CWE-410 – Insufficient Resource Pool

Read Time:1 Minute, 11 Second

Description

The software’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

Frequently the consequence is a “flood” of connection or sessions.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664
CWE-400

 

Consequences

Availability, Integrity, Other: DoS: Crash, Exit, or Restart, Other

Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.

Phase: Architecture and Design

Description: 

Consider implementing a velocity check mechanism which would detect abusive behavior.

Phase: Operation

Description: 

Consider load balancing as an option to handle heavy loads.

Phase: Implementation

Description: 

Make sure that resource handles are properly closed when no longer needed.

Phase: Architecture and Design

Description: 

Identify the system’s resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).

CVE References

  • CVE-1999-1363
    • Large number of locks on file exhausts the pool and causes crash.
  • CVE-2001-1340
    • Product supports only one connection and does not disconnect a user who does not provide credentials.
  • CVE-2002-0406
    • Large number of connections without providing credentials allows connection exhaustion.

CWE-41 – Improper Resolution of Path Equivalence

Read Time:5 Minute, 47 Second

Description

The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-706

 

Consequences

Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism

An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism than an attacker may be able to bypass the mechanism.

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2004-2213
    • Source code disclosure using trailing dot or trailing encoding space “%20”
  • CVE-2004-0061
    • Bypass directory access restrictions using trailing dot in URL
  • CVE-2000-1133
    • Bypass directory access restrictions using trailing dot in URL
  • CVE-2001-1386
    • Bypass check for “.lnk” extension using “.lnk.”
  • CVE-2001-0693
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-0778
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-1248
    • Source disclosure via trailing encoded space “%20”
  • CVE-2004-0280
    • Source disclosure via trailing encoded space “%20”
  • CVE-2005-0622
    • Source disclosure via trailing encoded space “%20”
  • CVE-2005-1656
    • Source disclosure via trailing encoded space “%20”
  • CVE-2002-1603
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-0054
    • Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as “%20”; certain manipulations have unusual side effects.
  • CVE-2002-1451
    • Trailing space (“+” in query string) leads to source code disclosure.
  • CVE-2000-0293
    • Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.
  • CVE-2001-1567
    • “+” characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.
  • CVE-2001-0446
    • Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
  • CVE-2004-0334
    • Bypass Basic Authentication for files using trailing “/”
  • CVE-2001-0892
    • Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
  • CVE-2004-1814
    • Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
  • CVE-2002-1483
    • Read files with full pathname using multiple internal slash.
  • CVE-1999-1456
    • Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.
  • CVE-2004-0578
    • Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request.
  • CVE-2002-0275
    • Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.
  • CVE-2004-1032
    • Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters.
  • CVE-2002-1238
    • Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/.
  • CVE-2004-1878
    • Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).
  • CVE-2005-1365
    • Server allows remote attackers to execute arbitrary commands via a URL with multiple leading “/” (slash) characters and “..” sequences.
  • CVE-2001-1072
    • Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
  • CVE-2004-0235
    • Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.
  • CVE-2002-1078
    • Directory listings in web server using multiple trailing slash
  • CVE-2004-0847
    • ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) “” (backslash) or (2) “%5C” (encoded backslash), aka “Path Validation Vulnerability.”
  • CVE-2000-0004
    • Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.
  • CVE-2002-0304
    • Server allows remote attackers to read password-protected files via a /./ in the HTTP request.
  • CVE-2004-0815
    • “/./////etc” cleansed to “.///etc” then “/etc”
  • CVE-2002-0112
    • Server allows remote attackers to view password protected files via /./ in the URL.
  • CVE-2001-1152
    • Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.
  • CVE-2000-0191
    • application check access for restricted URL before canonicalization
  • CVE-2005-1366
    • CGI source disclosure using “dirname/../cgi-bin”
  • CVE-1999-0012
    • Multiple web servers allow restriction bypass using 8.3 names instead of long names
  • CVE-2005-0471
    • Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format.

CWE-409 – Improper Handling of Highly Compressed Data (Data Amplification)

Read Time:36 Second

Description

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

An example of data amplification is a “decompression bomb,” a small ZIP file that can produce a large amount of data when it is decompressed.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-405

 

Consequences

Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.

 

Potential Mitigations

CVE References