All posts by rocco

CWE-450 – Multiple Interpretations of UI Input

Description

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-357

Consequences

Other: Varies by Context

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
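
The decode-once rule above, as an added C example (constructed for this page, not code from MITRE's entry or this site): a percent-decoder that runs exactly once, an allowlist applied to the canonical form, and beside it the double-decode pattern (CWE-174) that lets "%252e%252e" through a check that looks correct. The function names, the segment allowlist and the 256-byte scratch buffer are assumptions made here.

```c
#include <ctype.h>
#include <string.h>
static int hexval(unsigned char c) {         /* one hex digit -> 0..15, else -1 */
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode %XX escapes exactly once; 0 on success, -1 on a malformed escape or
 * if the result would not fit. out is NUL-terminated on success. */
int percent_decode_once(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else out[o++] = in[i];
    }
    out[o] = '\0';
    return 0;
}
/* Allowlist for one path segment: [A-Za-z0-9._-] and never "..". Passing
 * allow_percent=1 models the mistake of letting still-encoded escapes through. */
int is_allowed_segment(const char *s, int allow_percent) {
    if (s[0] == '\0' || strstr(s, "..") != NULL) return 0;
    for (const char *p = s; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '.' || c == '_' || c == '-') continue;
        if (c == '%' && allow_percent) continue;
        return 0;
    }
    return 1;
}
/* Vulnerable (CWE-174): decoded once upstream, validated, then decoded again
 * before use: "%252e%252e" -> "%2e%2e" passes the check -> ".." gets used. */
int accept_segment_double_decode(const char *raw, char *out, size_t n) {
    char once[256];
    if (percent_decode_once(raw, once, sizeof once) != 0) return 0;
    if (!is_allowed_segment(once, 1)) return 0;
    return percent_decode_once(once, out, n) == 0;
}
/* Fixed (CWE-180): decode exactly once, validate the canonical form and use it
 * as-is; a canonical segment may not contain '%' at all. */
int accept_segment_decode_once(const char *raw, char *out, size_t n) {
    if (percent_decode_once(raw, out, n) != 0) return 0;
    return is_allowed_segment(out, 0);
}
```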

CVE References

CWE-451 – User Interface (UI) Misrepresentation of Critical Information

Description

The user interface (UI) does not properly represent critical information to the user, allowing the information – or its source – to be obscured or spoofed. This is often a component in phishing attacks.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-684
CWE-221
CWE-346

Consequences

Non-Repudiation, Access Control: Hide Activities, Bypass Protection Mechanism

Potential Mitigations

Phase: Implementation

Description: 

Perform data validation (e.g. syntax, length, etc.) before interpreting the data.

Phase: Architecture and Design

Description: 

Create a strategy for presenting information, and plan for how to display unusual characters.

CVE References

  • CVE-2004-2227
    • Web browser’s filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
  • CVE-2001-0398
    • Attachment with many spaces in filename bypasses “dangerous content” warning and uses different icon. Likely resultant.
  • CVE-2004-1104
    • Incorrect indicator: web browser can be tricked into presenting the wrong URL
  • CVE-2005-0143
    • Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site.
  • CVE-2005-0144
    • Incorrect indicator: Secure “lock” icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel.
  • CVE-2004-0761
    • Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted.
  • CVE-2004-2219
    • Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar.
  • CVE-2004-0537
    • Overlay: Wide “favorites” icon can overlay and obscure address bar
  • CVE-2005-2271
    • Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
  • CVE-2005-2272
    • Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
  • CVE-2005-2273
    • Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
  • CVE-2005-2274
    • Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
  • CVE-2001-1410
    • Visual distinction: Browser allows attackers to create chromeless windows and spoof victim’s display using unprotected Javascript method.
  • CVE-2002-0197
    • Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate.
  • CVE-2005-0831
    • Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters.
  • CVE-2003-1025
    • Visual truncation: Special character in URL causes web browser to truncate the user portion of the “user@domain” URL, hiding real domain in the address bar.
  • CVE-2005-0243
    • Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions.
  • CVE-2005-1575
    • Visual truncation: Web browser file download type can be hidden using whitespace.
  • CVE-2004-2530
    • Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension.
  • CVE-2005-0590
    • Visual truncation: Dialog box in web browser allows user to spoof the hostname via a long “user:pass” sequence in the URL, which appears before the real hostname.
  • CVE-2004-1451
    • Visual truncation: Null character in URL prevents entire URL from being displayed in web browser.
  • CVE-2004-2258
    • Miscellaneous — [step-based attack, GUI] — Password-protected tab can be bypassed by switching to another tab, then back to original tab.
  • CVE-2005-1678
    • Miscellaneous — Dangerous file extensions not displayed.
  • CVE-2002-0722
    • Miscellaneous — Web browser allows remote attackers to misrepresent the source of a file in the File Download dialog box.

CWE-453 – Insecure Default Variable Initialization

Description

The software, by default, initializes an internal variable with an insecure or less secure value than is possible.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-1188

Consequences

Integrity: Modify Application Data

An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Phase: System Configuration

Description: 

Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.

CVE References

CWE-454 – External Initialization of Trusted Variables or Data Stores

Description

The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-665
CWE-456

Consequences

Integrity: Modify Application Data

An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Phase: Implementation

Description: 

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.

Phase: Architecture and Design

Description: 

Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.

CVE References

  • CVE-2000-0959
    • Does not clear dangerous environment variables, enabling symlink attack.
  • CVE-2001-0033
    • Specify alternate configuration directory in environment variable, enabling untrusted path.
  • CVE-2001-0084
    • Specify arbitrary modules using environment variable.

CWE-455 – Non-exit on Failed Initialization

Description

The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-665
CWE-705
CWE-636

Consequences

Integrity, Other: Modify Application Data, Alter Execution Logic

The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed.

Potential Mitigations

Phase: Implementation

Description: 

Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker.
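
Added C example (constructed here, not from MITRE or this site) covering both the insecure-default mitigation under CWE-453 above and the fail-securely advice for CWE-455: a small policy loader for a made-up "key=value" format, once as the lenient pattern that starts permissive and keeps running past a bad line, and once in the form that starts from deny-all and refuses to come up on a parse error or a missing ACL line. The struct, the two keys and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
struct policy { int allow_anonymous; int acl_loaded; };   /* all-zero = deny all */
/* Apply one "key=value" line of a constructed format. Returns 1 if the line
 * was applied (blank lines count as applied), 0 if malformed or unknown. */
static int apply_line(struct policy *p, const char *line) {
    int v;
    if (line[0] == '\0') return 1;
    if (sscanf(line, "allow_anonymous=%d", &v) == 1 && (v == 0 || v == 1)) {
        p->allow_anonymous = v; return 1;
    }
    if (strncmp(line, "acl=", 4) == 0 && line[4] != '\0') {
        p->acl_loaded = 1; return 1;
    }
    return 0;
}
/* Feed cfg to apply_line line by line. Returns how many lines were rejected,
 * returning at the first rejection when stop_on_error is set. */
static int walk(struct policy *p, const char *cfg, int stop_on_error) {
    char line[128];
    int bad = 0;
    while (*cfg != '\0') {
        const char *nl = strchr(cfg, '\n');
        size_t len = nl ? (size_t)(nl - cfg) : strlen(cfg);
        int ok = 0;
        if (len < sizeof line) {            /* over-long lines are rejected */
            memcpy(line, cfg, len); line[len] = '\0';
            ok = apply_line(p, line);
        }
        if (!ok) { bad++; if (stop_on_error) return bad; }
        cfg += len + (nl ? 1 : 0);
    }
    return bad;
}
/* Vulnerable (CWE-453 + CWE-455): permissive default, bad lines only warned
 * about, success reported regardless, so a typo in a key leaves anonymous on. */
int load_policy_lenient(struct policy *p, const char *cfg) {
    p->allow_anonymous = 1; p->acl_loaded = 0;
    if (walk(p, cfg, 0) > 0) fputs("warning: bad config line(s) ignored\n", stderr);
    return 0;
}
/* Fixed: deny-all default, stop at the first bad line or a missing ACL, and
 * hand back an all-zero policy so the caller cannot run on a partial load. */
int load_policy_strict(struct policy *p, const char *cfg) {
    memset(p, 0, sizeof *p);
    if (walk(p, cfg, 1) != 0 || !p->acl_loaded) {
        memset(p, 0, sizeof *p);
        return -1;   /* caller must treat this as fatal and exit */
    }
    return 0;
}
```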

CVE References

  • CVE-2005-1345
    • Product does not trigger a fatal error if missing or invalid ACLs are in a configuration file.

CWE-456 – Missing Initialization of a Variable

Description

The software does not initialize critical variables, which causes the execution environment to use unexpected values.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-909
CWE-665
CWE-89
CWE-120
CWE-98
CWE-457

Consequences

Integrity, Other: Unexpected State, Quality Degradation, Varies by Context

The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

Potential Mitigations

Phase: Implementation

Description: 

Check that critical variables are initialized.

Phase: Testing

Description: 

Use a static analysis tool to spot non-initialized variables.

CVE References

  • CVE-2020-6078
    • Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
  • CVE-2009-2692
    • Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
  • CVE-2020-20739
    • A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
  • CVE-2005-2978
    • Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
  • CVE-2005-2109
    • Internal variable in PHP application is not initialized, allowing external modification.
  • CVE-2005-2193
    • Array variable not initialized in PHP application, leading to resultant SQL injection.

CWE-457 – Use of Uninitialized Variable

Description

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

Related Weaknesses

CWE-908
CWE-665

Consequences

Availability, Integrity, Other: Other

Uninitialized variables usually contain junk, which cannot be trusted for consistency. This can lead to denial of service conditions or modify control flow in unexpected ways. In some cases, an attacker can “pre-initialize” the variable using previous actions, which might enable code execution. This can cause a race condition if a lock variable check passes when it should not.

Authorization, Other: Other

Strings that are not initialized are especially dangerous, since many functions expect a null at the end — and only at the end — of a string.

Potential Mitigations

Phase: Implementation

Description: 

Assign all variables to an initial value.

Phase: Build and Compilation

Description: 

Most compilers will complain about the use of uninitialized variables if warnings are turned on.

Phase: Implementation, Operation

Description: 

When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable’s name.

Phase: Requirements

Description: 

The choice could be made to use a language that is not susceptible to these issues.

Phase: Architecture and Design

Description: 

Mitigating technologies such as safe string libraries and container abstractions could be introduced.

CVE References

  • CVE-2019-15900
    • Chain: sscanf() call is used to check if a username and group exist, but the return value of the sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
  • CVE-2008-3688
    • Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server.
  • CVE-2008-0081
    • Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2007-4682
    • Crafted input triggers dereference of an uninitialized object pointer.
  • CVE-2007-3468
    • Crafted audio file triggers crash when an uninitialized variable is used.
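
The sscanf chain listed under CVE-2019-15900 above is a pattern worth seeing in code. This added C example is constructed for this page and is not the affected product's code; it assumes a made-up "name:uid:gid" record format and that uid 0 is what grants the privileged action.

```c
#include <stdio.h>
/* Constructed record format "name:uid:gid"; each function returns 1 when the
 * entry may run a privileged action (uid 0) and 0 otherwise. */

/* Vulnerable (CWE-252 -> CWE-457): if the entry does not parse, sscanf stores
 * nothing and uid keeps whatever the stack held, possibly a 0 left behind by an
 * earlier call (the "pre-initialize" case in the text). Reading it is undefined
 * behaviour. The compiler cannot warn here: it only sees &uid handed to a
 * function and must assume sscanf wrote it. */
int allowed_uninit(const char *entry) {
    char name[32];
    int uid, gid;
    sscanf(entry, "%31[^:]:%d:%d", name, &uid, &gid);   /* result ignored */
    return uid == 0;
}

/* Fixed: start from a denying value and require that all three fields parsed,
 * so a malformed or truncated entry can never be mistaken for uid 0. */
int allowed_fixed(const char *entry) {
    char name[32] = "";
    int uid = -1, gid = -1;
    if (sscanf(entry, "%31[^:]:%d:%d", name, &uid, &gid) != 3) return 0;
    return uid == 0;
}
```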

CWE-459 – Incomplete Cleanup

Description

The software does not properly “clean up” and remove temporary or supporting resources after they have been used.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-404

Consequences

Other, Confidentiality, Integrity: Other, Read Application Data, Modify Application Data, DoS: Resource Consumption (Other)

It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem.

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.

CVE References

  • CVE-2000-0552
    • World-readable temporary file not deleted after use.
  • CVE-2005-2293
    • Temporary file not deleted after use, leaking database usernames and passwords.
  • CVE-2002-0788
    • Interaction error creates a temporary file that can not be deleted due to strong permissions.
  • CVE-2002-2066
    • Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  • CVE-2002-2067
    • Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  • CVE-2002-2068
    • Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  • CVE-2002-2069
    • Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  • CVE-2002-2070
    • Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  • CVE-2005-1744
    • Users not logged out when application is restarted after security-relevant changes were made.

CWE-46 – Path Equivalence: ‘filename ‘ (Trailing Space)

Description

A software system that accepts path input in the form of trailing space (‘filedir ‘) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-41
CWE-162
CWE-289

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

CVE References

  • CVE-2001-0693
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-0778
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-1248
    • Source disclosure via trailing encoded space “%20”
  • CVE-2004-0280
    • Source disclosure via trailing encoded space “%20”
  • CVE-2004-2213
    • Source disclosure via trailing encoded space “%20”
  • CVE-2005-0622
    • Source disclosure via trailing encoded space “%20”
  • CVE-2005-1656
    • Source disclosure via trailing encoded space “%20”
  • CVE-2002-1603
    • Source disclosure via trailing encoded space “%20”
  • CVE-2001-0054
    • Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as “%20”; certain manipulations have unusual side effects.
  • CVE-2002-1451
    • Trailing space (“+” in query string) leads to source code disclosure.
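
Added C example (constructed for this page, not code from any product in the list above) of the canonical-form check these source-disclosure references call for: a request handler that dispatches on file extension, first in the naive form where a decoded trailing space changes the outcome, then with a check that rejects trailing whitespace before the extension is examined. It assumes the name has already been percent-decoded exactly once upstream (so "%20" and a "+" in a query string have become a literal space) and that .php is the only script extension.

```c
#include <ctype.h>
#include <string.h>
/* Extension of a file name ("" if none). */
static const char *ext_of(const char *name) {
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : "";
}
/* Vulnerable (CWE-46): dispatches on the raw extension, so "index.php " (with a
 * trailing space from a decoded "%20") is not "php" and is served as a static
 * file; a filesystem that ignores trailing spaces then opens index.php and its
 * source is disclosed. */
const char *handler_naive(const char *name) {
    return strcmp(ext_of(name), "php") == 0 ? "script" : "static";
}
/* Canonical-form check applied before any extension logic: refuse an empty
 * name, any trailing whitespace, and any control character in the name. */
int is_canonical_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || isspace((unsigned char)name[n - 1])) return 0;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)name[i])) return 0;
    return 1;
}
/* Fixed: validate the name first; only a canonical name reaches the dispatch. */
const char *handler_strict(const char *name) {
    if (!is_canonical_name(name)) return "reject";
    return strcmp(ext_of(name), "php") == 0 ? "script" : "static";
}
```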