CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Read Time:1 Minute, 57 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. “eval”).

This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-94

Consequences

Confidentiality: Read Files or Directories, Read Application Data

The injected code could access restricted data / files.

Access Control: Bypass Protection Mechanism

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Access Control: Gain Privileges or Assume Identity

Injected code can access resources that the attacker is directly prevented from accessing.

Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands

Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Non-Repudiation: Hide Activities

Often the actions performed by injected control code are unlogged.

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness:

Description:

If possible, refactor your code so that it does not need to use eval() at all.

Phase: Implementation

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

CVE References

CVE-2008-5071
- Eval injection in PHP program.

CVE-2002-1750
- Eval injection in Perl program.

CVE-2008-5305
- Eval injection in Perl program using an ID that should only contain hyphens and numbers.

CVE-2002-1752
- Direct code injection into Perl eval function.

CVE-2002-1753
- Eval injection in Perl program.

CVE-2005-1527
- Direct code injection into Perl eval function.

CVE-2005-2837
- Direct code injection into Perl eval function.

CVE-2005-1921
- MFV. code injection into PHP eval statement using nested constructs that should not be nested.

CVE-2005-2498
- MFV. code injection into PHP eval statement using nested constructs that should not be nested.

CVE-2005-3302
- Code injection into Python eval statement from a field in a formatted file.

CVE-2007-1253
- Eval injection in Python program.

CVE-2001-1471
- chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.

CVE-2007-2713
- Chain: Execution after redirect triggers eval injection.

InCVE-2008-5071, CWE- 95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Cryptomining Malware Found in Popular Open Source Packages

Interpol Identifies Over 140 Human Traffickers in New Initiative

ICO Warns of Mobile Phone Festive Privacy Snafu

Friday Squid Blogging: Squid Sticker

Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe

Ukraine’s Security Service Probes GRU-Linked Cyber-Attack on State Registers

LockBit Admins Tease a New Ransomware Version

Webcams and DVRs Vulnerable to HiatusRAT, FBI Warns

CISA Urges Encrypted Messaging After Salt Typhoon Hack

CWE-95 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security