CWE-94 – Improper Control of Generation of Code (‘Code Injection’)

Description

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-74
CWE-913
CWE-691

Consequences

Access Control: Bypass Protection Mechanism

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Access Control: Gain Privileges or Assume Identity

Injected code can access resources that the attacker is directly prevented from accessing.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Non-Repudiation: Hide Activities

Often the actions performed by injected control code are unlogged.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Refactor your program so that you do not have to dynamically generate code.
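The refactoring advice above is easiest to see against the eval-based pattern the CVE list below keeps returning to (an ID that should only contain hyphens and numbers, a data field read from a formatted file). The following is an added Python example, not code from the CWE entry or from any of the referenced products: it puts the vulnerable `eval()` path beside a version that never generates code, parsing the field with `ast.literal_eval` and allowlisting the ID with a regular expression. `SAMPLE_RECORD`, `load_record` and the field names are hypothetical stand-ins for the externally supplied input.

```python
import ast
import re

# Constructed sample record, standing in for fields read from an external,
# attacker-influenced formatted file (hypothetical input, not from the CWE entry).
SAMPLE_RECORD = {"id": "2023-0042", "limit": "[1, 2, 3]"}

# Allowlist for an ID that should only contain digits and hyphens.
ID_PATTERN = re.compile(r"[0-9-]+")


def load_field_unsafe(raw: str):
    """Vulnerable pattern (CWE-94): eval() on externally supplied text.

    Any Python expression in `raw`, including calls and imports, runs with the
    program's privileges. Kept only to contrast with the safe parser below."""
    return eval(raw)


def id_is_valid(raw: str) -> bool:
    """True only if every character of the ID is a digit or a hyphen."""
    return ID_PATTERN.fullmatch(raw) is not None


def validate_id(raw: str) -> str:
    """Allowlist check: reject anything that is not purely digits and hyphens."""
    if not id_is_valid(raw):
        raise ValueError(f"invalid id: {raw!r}")
    return raw


def parse_literal(raw: str):
    """Parse a field as a Python literal without generating or executing code.

    ast.literal_eval accepts literal syntax only (numbers, strings, tuples,
    lists, dicts, sets, booleans, None); names, calls and attribute access are
    refused, so there is no code segment for input to modify."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"field is not a plain literal: {raw!r}") from exc


def field_is_plain_literal(raw: str) -> bool:
    """True if parse_literal() accepts the field, False if it would raise."""
    try:
        parse_literal(raw)
    except ValueError:
        return False
    return True


def load_record(record: dict) -> dict:
    """Build a validated record: the ID is allowlisted, the data field is parsed, never eval'd."""
    return {"id": validate_id(record["id"]), "limit": parse_literal(record["limit"])}


if __name__ == "__main__":
    print(load_record(SAMPLE_RECORD))
    # A field carrying an expression is executed by eval() but refused by the parser.
    expression_field = "__import__('os').getcwd()"
    print("eval executed it:", isinstance(load_field_unsafe(expression_field), str))
    print("literal parser accepts it:", field_is_plain_literal(expression_field))
```

The design point is that the safe path has no code-generation step left to neutralize: the ID is matched against an allowlist and the data field is decoded by a parser that understands only literals, so the question "which special elements must be escaped" never arises.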

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Phase: Testing

Effectiveness:

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Testing

Effectiveness:

Description: 

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Phase: Operation

Effectiveness:

Description: 

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl’s “-T” switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

CVE References

  • CVE-2008-5305
    • Eval injection in Perl program using an ID that should only contain hyphens and numbers.
  • CVE-2005-1921
    • MFV. code injection into PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-2498
    • MFV. code injection into PHP eval statement using nested constructs that should not be nested.
  • CVE-2005-3302
    • Code injection into Python eval statement from a field in a formatted file.
  • CVE-2001-1471
    • chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.
  • CVE-2002-0495
    • Perl code directly injected into CGI library file from parameters to another CGI program.
  • CVE-2005-1876
    • Direct PHP code injection into supporting template file.
  • CVE-2005-1894
    • Direct code injection into PHP script that can be accessed by attacker.
  • CVE-2003-0395
    • PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.

CWE-939 – Improper Authorization in Handler for Custom URL Scheme

Description

The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method for inter-application communication. The implementation is at the developer's discretion, which may open security flaws in the application; an example is potentially dangerous functionality, such as modifying files, being reachable through a custom URL scheme.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-862

Consequences

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

  • CVE-2013-5725
    • URL scheme has action replace which requires no user prompt and allows remote attackers to perform undesired actions.
  • CVE-2013-5726
    • URL scheme has action follow and favorite which allows remote attackers to force user to perform undesired actions.

CWE-93 – Improper Neutralization of CRLF Sequences (‘CRLF Injection’)

Description

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-74
CWE-117

Consequences

Integrity: Modify Application Data

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Avoid using CRLF as a special sequence.

Phase: Implementation

Effectiveness:

Description: 

Appropriately filter or quote CRLF sequences in user-controlled input.
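The two mitigations differ in what "neutralize" means for the two places where CRLF is a record separator: an outgoing HTTP header value, where the safe choice is to refuse the input (otherwise it becomes the response splitting in the CVE list below), and a log line, where the line-breaking characters are quoted so a user-supplied field cannot forge an extra record with its own timestamp. The following is an added Python example, not code from the CWE entry; `INJECTED_NAME`, the log format and the escape table are constructed for illustration.

```python
import re

# Constructed sample of user-controlled input carrying a CRLF payload that tries
# to start a second, fake log record (hypothetical input, not from the CWE entry).
INJECTED_NAME = "alice\r\n2024-01-01 00:00:00 INFO user=admin login ok"

_LINE_BREAK = re.compile(r"[\r\n]")

# Visible escapes for the characters that can start a new line or record; the
# backslash itself is escaped so an escaped field decodes unambiguously.
_ESCAPES = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", "\x00": "\\0"}


def contains_crlf(value: str) -> bool:
    """Detect a CR or LF anywhere in a user-controlled value."""
    return _LINE_BREAK.search(value) is not None


def header_value(value: str) -> str:
    """Reject, rather than rewrite, CR/LF in an outgoing header value.

    Silently stripping would still let a caller probe which characters survive;
    refusing the value keeps the response to a single set of headers."""
    if contains_crlf(value):
        raise ValueError("CR/LF not permitted in header value")
    return value


def log_field(value: str) -> str:
    """Quote line-breaking characters so a field cannot forge extra log records."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_log_line(timestamp: str, level: str, user: str, message: str) -> str:
    """Compose one log record; every user-controlled field passes through log_field()."""
    return f"{timestamp} {level} user={log_field(user)} {log_field(message)}"


if __name__ == "__main__":
    print(build_log_line("2024-01-01 00:00:01", "WARN", INJECTED_NAME, "login failed"))
    try:
        header_value(INJECTED_NAME)
    except ValueError as exc:
        print("header refused:", exc)
```

Applying `log_field` at the point where the record is assembled, rather than at each input site, is what makes the guarantee checkable: the composed line contains no CR or LF regardless of which field carried the payload, so a log parser downstream (the consumer CWE-117 is concerned with) sees one record. Current versions of Python's `http.client` already raise `ValueError` for a header value containing CR or LF, so `header_value` mirrors that behaviour for code that writes headers through other paths.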

CVE References

  • CVE-2002-1771
    • CRLF injection enables spam proxy (add mail headers) using email address or name.
  • CVE-2002-1783
    • CRLF injection in API function arguments modify headers for outgoing requests.
  • CVE-2004-1513
    • Spoofed entries in web server log file via carriage returns
  • CVE-2006-4624
    • Chain: inject fake log entries with fake timestamps using CRLF injection
  • CVE-2005-1951
    • Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
  • CVE-2004-1687
    • Chain: HTTP response splitting via CRLF in parameter related to URL.

CWE-927 – Use of Implicit Intent for Sensitive Communication

Description

The Android application uses an implicit intent for transmitting sensitive data to other applications.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-285
CWE-668

Consequences

Confidentiality: Read Application Data

Other applications, possibly untrusted, can read the data that is offered through the Intent.

Integrity: Varies by Context

The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.

CVE References

CWE-926 – Improper Export of Android Application Components

Description

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-285

Consequences

Availability, Integrity: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context

Other applications, possibly untrusted, can launch the Activity.

Availability, Integrity: Unexpected State, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context

Other applications, possibly untrusted, can bind to the Service.

Confidentiality, Integrity: Read Application Data, Modify Application Data

Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.

Potential Mitigations

Phase: Build and Compilation

Effectiveness:

Description: 

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Phase: Build and Compilation

Effectiveness:

Description: 

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the XML manifest to restrict access to applications signed by you.

Phase: Build and Compilation, Architecture and Design

Effectiveness:

Description: 

Limit Content Provider permissions (read/write) as appropriate.

CVE References

CWE-925 – Improper Verification of Intent by Broadcast Receiver

Description

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-923

Consequences

Integrity: Gain Privileges or Assume Identity

Another application can impersonate the operating system and cause the software to perform an unintended action.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.

CVE References

CWE-924 – Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Description

The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.

Attackers might be able to modify the message and spoof the endpoint by interfering with the data as it crosses the network or by redirecting the connection to a system under their control.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-345

Consequences

Integrity, Confidentiality: Gain Privileges or Assume Identity

If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.

Potential Mitigations

CVE References

CWE-923 – Improper Restriction of Communication Channel to Intended Endpoints

Description

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-284

Consequences

Integrity, Confidentiality: Gain Privileges or Assume Identity

If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.

Potential Mitigations

CVE References

CWE-922 – Insecure Storage of Sensitive Information

Description

The software stores sensitive information without properly limiting read or write access by unauthorized actors.

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-664

Consequences

Confidentiality: Read Application Data, Read Files or Directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Integrity: Modify Application Data, Modify Files or Directories

Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

Potential Mitigations

CVE References

CWE-921 – Storage of Sensitive Data in a Mechanism without Access Control

Description

The software stores sensitive information in a file system or device that does not have built-in access control.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-922

Consequences

Confidentiality: Read Application Data, Read Files or Directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Integrity: Modify Application Data, Modify Files or Directories

Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

Potential Mitigations

CVE References