All posts by rocco

CWE-460 – Improper Cleanup on Thrown Exception


Description

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-459
CWE-755

Consequences

Other: Varies by Context

The code could be left in a bad state.

Potential Mitigations

Phase: Implementation

Description: 

If you break out of a loop or function by throwing an exception, make sure that the necessary cleanup still happens, or else exit the program. Use exceptions sparingly.
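The following is an added example, not code from the CWE entry or from this blog. It uses a constructed lock and a constructed resource handle to show the two versions of the same function: one where an exception skips the cleanup at the bottom of the function, and one where try/finally (or a with-statement) guarantees the release on both paths. The helper leaked_after_failure reports what each version leaves behind.

```python
import contextlib
import threading

# Constructed stand-ins for resources that must be released on every path.
lock = threading.Lock()
state = {"open_handles": 0}


class Handle:
    """Models a file, socket or DB cursor: acquired on construction, released by close()."""

    def __init__(self):
        state["open_handles"] += 1
        self.closed = False

    def close(self):
        if not self.closed:
            self.closed = True
            state["open_handles"] -= 1


def process(data, fail):
    # Simulated work that may throw partway through.
    if fail:
        raise ValueError("bad record")
    return len(data)


def leaky(data, fail=False):
    """Flawed: cleanup is only reached on the success path (CWE-460)."""
    lock.acquire()
    h = Handle()
    result = process(data, fail)  # an exception here skips both releases below
    h.close()
    lock.release()
    return result


def safe(data, fail=False):
    """Fixed: nested try/finally releases in reverse order whether or not an exception is thrown."""
    lock.acquire()
    try:
        h = Handle()
        try:
            return process(data, fail)
        finally:
            h.close()
    finally:
        lock.release()


def safe_with_context_managers(data, fail=False):
    """Idiomatic form: the with-statement runs __exit__ on the exception path too."""
    with lock:
        with contextlib.closing(Handle()):
            return process(data, fail)


def leaked_after_failure(fn, data="abc"):
    """Run fn on a failing record, swallow the error, and report what was left
    behind as (handles still open, lock still held). Resets the globals afterwards."""
    try:
        fn(data, fail=True)
    except ValueError:
        pass
    leaked = (state["open_handles"], lock.locked())
    state["open_handles"] = 0
    if lock.locked():
        lock.release()
    return leaked
```

Calling leaked_after_failure(leaky) returns (1, True): one handle was never closed and the lock is still held, which is exactly the "bad state" the consequence section describes; the two fixed versions return (0, False).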

CVE References

CWE-462 – Duplicate Key in Associative List (Alist)


Description

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

A duplicate key entry — if the alist is designed properly — could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

Related Weaknesses

CWE-694

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

Phase: Architecture and Design

Description: 

Use a hash table instead of an alist.

Phase: Architecture and Design

Description: 

Use an alist that checks the uniqueness of each key before inserting an entry.
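As an added illustration of the second mitigation (not code from the CWE entry or this blog), here is a small association list whose insert refuses a key that is already present, with replacement made a separate, explicit operation. The naive lookup over a bare list of pairs shows the ambiguity the description warns about: with a duplicate key, scan order silently decides which value wins. The sample pairs are constructed.

```python
class AssocList:
    """Association list (ordered (key, value) pairs) that rejects duplicate keys.

    Lookup is still a linear scan, as in a classic alist; the difference from a
    bare list of pairs is that insert() checks for an existing key first, so an
    accidental second insert cannot shadow, or be shadowed by, the first entry.
    """

    def __init__(self):
        self._pairs = []

    def _index_of(self, key):
        for i, (k, _) in enumerate(self._pairs):
            if k == key:
                return i
        return -1

    def insert(self, key, value):
        if self._index_of(key) != -1:
            raise KeyError(f"duplicate key: {key!r}")
        self._pairs.append((key, value))

    def replace(self, key, value):
        """Deliberate update: the key must already exist, so intent is unambiguous."""
        i = self._index_of(key)
        if i == -1:
            raise KeyError(f"no such key: {key!r}")
        self._pairs[i] = (key, value)

    def get(self, key, default=None):
        i = self._index_of(key)
        return default if i == -1 else self._pairs[i][1]

    def keys(self):
        return [k for k, _ in self._pairs]


def naive_alist_lookup(pairs, key):
    """The ambiguity CWE-462 describes: with duplicates, the winner depends purely
    on scan order and nothing signals that a mistake was made."""
    for k, v in pairs:
        if k == key:
            return v
    return None


def demo():
    # Constructed input: the second "role" entry was added by mistake.
    bare = [("user", "alice"), ("role", "reader"), ("role", "admin")]
    checked = AssocList()
    checked.insert("user", "alice")
    checked.insert("role", "reader")
    try:
        checked.insert("role", "admin")
        duplicate_rejected = False
    except KeyError:
        duplicate_rejected = True
    return naive_alist_lookup(bare, "role"), duplicate_rejected, checked.get("role")
```

demo() returns ("reader", True, "reader"): the bare list happens to answer "reader" only because that pair comes first, whereas the checked list raises on the duplicate and keeps a single, unambiguous entry.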

CVE References

CWE-463 – Deletion of Data Structure Sentinel


Description

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

Oftentimes data-structure sentinels are used to mark the structure of a data structure. A common example is the null character at the end of a string; another is a linked list that contains a sentinel node to mark the end of the list. It is dangerous to allow this type of control data to be easily accessible, so it is important to protect it from deletion or modification outside of a wrapper interface that provides safety.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-707
CWE-464

Consequences

Availability, Other: Other

Generally this error will cause the data structure to not work properly.

Authorization, Other: Other

If a control character, such as NULL, is removed, resource access control problems may result.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Phase: Build and Compilation

Effectiveness: Defense in Depth

Description: 

This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Description: 

Use OS-level preventative functionality. Not a complete solution.
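The following added example (not the CWE entry's or this blog's code) models the description's own case, a NUL-terminated byte buffer, behind the kind of wrapper interface the first mitigation calls for. The wrapper's public methods cannot reach the terminator slot and refuse to write a NUL into the content, because either would move the sentinel that length() depends on. unprotected_overwrite shows the raw-array behaviour the wrapper prevents, using constructed stale bytes after the terminator.

```python
NUL = 0


class CBuffer:
    """Fixed-capacity, NUL-terminated byte buffer whose terminator is not
    reachable through the public interface. Mirrors a C char[] where the final
    NUL is the sentinel that a strlen()-style scan relies on."""

    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must leave room for the sentinel")
        self._buf = bytearray(capacity)  # all NUL: empty string, sentinel at index 0
        self._capacity = capacity

    def length(self):
        # Scan for the sentinel, as strlen() would.
        return self._buf.index(NUL)

    def set_content(self, data: bytes):
        if NUL in data:
            raise ValueError("content may not contain the sentinel byte")
        if len(data) >= self._capacity:
            raise ValueError("content would overwrite the sentinel")
        self._buf[:len(data)] = data
        self._buf[len(data)] = NUL

    def set_byte(self, index, value):
        """Overwrite one byte of the content. The sentinel slot and anything past
        it are off-limits, and writing NUL into the content is refused too,
        because it would move the sentinel and silently truncate the string."""
        if not 0 <= index < self.length():
            raise IndexError("index outside current content (sentinel is protected)")
        if value == NUL:
            raise ValueError("refusing to write the sentinel byte into content")
        self._buf[index] = value

    def content(self):
        return bytes(self._buf[:self.length()])


def write_rejected(buf, index, value):
    """True if the wrapper refuses the write; used to show the protected slots."""
    try:
        buf.set_byte(index, value)
        return False
    except (IndexError, ValueError):
        return True


def unprotected_overwrite(data: bytes, index: int, value: int):
    """Without the wrapper the raw array is writable everywhere. Clobbering the
    terminator makes the length scan run to the end of the array (in C, past it).
    Returns the length the scan reports after the write."""
    raw = bytearray(data + b"\x00" + b"\x41" * 4)  # constructed: stale bytes after the terminator
    raw[index] = value
    try:
        return raw.index(NUL)
    except ValueError:
        return len(raw)  # no terminator found: C strlen() would keep reading
```

With content b"abc" in an 8-byte buffer, set_byte(3, ...) is rejected because index 3 is the sentinel, while unprotected_overwrite(b"abc", 3, 0x41) reports a length of 8: the one-byte write turned a three-character string into the whole array, which is the "data structure no longer works" consequence listed above.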

CVE References

CWE-422 – Unprotected Windows Messaging Channel (‘Shatter’)


Description

The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-420
CWE-360

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Always verify and authenticate the source of the message.

CVE References

  • CVE-2003-0350
    • A control allows a change to a pointer for a callback function using a Windows message.
  • CVE-2003-0908
    • Product launches Help functionality while running with raised privileges, allowing command execution using a Windows message to access the “open file” dialog.
  • CVE-2004-0213
    • Attacker uses a Shatter attack to bypass the GUI-enforced protection for CVE-2003-0908.
  • CVE-2004-0207
    • User can call certain API functions to modify certain properties of privileged programs.

CWE-424 – Improper Protection of Alternate Path


Description

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-693
CWE-638

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design

Description: 

Deploy different layers of protection to implement security in depth.

CVE References

CWE-425 – Direct Request (‘Forced Browsing’)


Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-862
CWE-288
CWE-424
CWE-471
CWE-98

Consequences

Confidentiality, Integrity, Availability, Access Control: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Phase: Architecture and Design

Description: 

Consider using MVC-based frameworks such as Struts.

CVE References

  • CVE-2005-1892
    • Infinite loop or infoleak triggered by direct requests.
  • CVE-2005-1668
    • Access privileged functionality using direct request.

CWE-426 – Untrusted Search Path


Description

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application’s direct control.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-642
CWE-668
CWE-673
CWE-427
CWE-428

Consequences

Integrity, Confidentiality, Availability, Access Control: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

There is the potential for arbitrary code execution with privileges of the vulnerable program.

Availability: DoS: Crash, Exit, or Restart

The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.

Confidentiality: Read Files or Directories

The program could send the output of unauthorized files to the attacker.

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Phase: Implementation

Description: 

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. Portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code and having the code refer to these paths.

Phase: Implementation

Description: 

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Phase: Implementation

Description: 

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Phase: Implementation

Description: 

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CVE References

  • CVE-1999-1120
    • Application relies on its PATH environment variable to find and execute program.
  • CVE-2008-1810
    • Database application relies on its PATH environment variable to find and execute program.
  • CVE-2007-2027
    • Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages.
  • CVE-2008-3485
    • Untrusted search path using malicious .EXE in Windows environment.
  • CVE-2008-2613
    • setuid program allows compromise using path that finds and loads a malicious library.
  • CVE-2008-1319
    • Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded.

CWE-427 – Uncontrolled Search Path Element


Description

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Phase: Implementation

Description: 

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. Portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code and having the code refer to these paths.

Phase: Implementation

Description: 

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Phase: Implementation

Description: 

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

Phase: Implementation

Description: 

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
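The mitigations for CWE-426 and CWE-427 above are steps of one procedure, so here is one added example that carries them through together (it is not code from the CWE entries or this blog). The allowlist SAFE_DIRS stands in for the administrator's configuration file; the inherited PATH is treated as untrusted input and filtered against that allowlist, the child gets a freshly built environment rather than the parent's, the program is resolved to a fully-qualified path before use, and the call goes through execv-style argument vectors with no shell, so no further search happens in the child. The tool name "sh" in the usage note is only a stand-in.

```python
import os
import subprocess
import tempfile

# Constructed allowlist: in a real deployment this comes from admin-controlled config.
SAFE_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def sanitize_search_path(path_value, safe_dirs=SAFE_DIRS):
    """Keep only absolute, allowlisted entries from a PATH-style string.
    Empty and '.' entries, relative entries and anything under the temp
    directory are dropped explicitly; the allowlist does the real work, the
    denylist checks are belt and braces (CWE-427's own caveat)."""
    tmp = os.path.realpath(tempfile.gettempdir())
    kept = []
    for entry in path_value.split(os.pathsep):
        if not entry or entry == "." or not os.path.isabs(entry):
            continue
        real = os.path.realpath(entry)
        if real == tmp or real.startswith(tmp + os.sep):
            continue
        if real in safe_dirs and real not in kept:
            kept.append(real)
    return kept


def minimal_env(search_dirs):
    """Build the child's environment from scratch instead of inheriting it:
    PATH is the sanitized list and loader overrides such as LD_LIBRARY_PATH
    are simply absent."""
    return {"PATH": os.pathsep.join(search_dirs), "LANG": "C"}


def resolve_program(name, search_dirs):
    """Return the fully-qualified path of a bare program name found in the
    allowlisted directories, or None. A name with a directory part is refused
    so callers cannot smuggle in their own location."""
    if os.sep in name or name in (".", ".."):
        raise ValueError("program name must not contain a path")
    for d in search_dirs:
        cand = os.path.join(d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def run_tool(name, args, untrusted_path=None):
    """Invoke `name` by absolute path with a scrubbed environment and no shell."""
    source = untrusted_path if untrusted_path is not None else os.environ.get("PATH", "")
    dirs = sanitize_search_path(source)
    exe = resolve_program(name, dirs)
    if exe is None:
        raise FileNotFoundError(f"{name} not found in allowlisted directories")
    result = subprocess.run([exe, *args], env=minimal_env(dirs),
                            capture_output=True, text=True, check=True)
    return result.stdout
```

Given an inherited PATH such as "/tmp/evil:.::/usr/bin:rel/bin:/opt/other", sanitize_search_path keeps only ["/usr/bin"], and run_tool("sh", ["-c", "echo hi"], that_path) runs /usr/bin/sh (or /bin/sh, depending on which allowlisted directory holds it) with the argument vector passed directly, which is the execv() discipline the last mitigation recommends over system().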

CVE References

  • CVE-2010-3397
    • “DLL hijacking” issue in encryption software.
  • CVE-2010-3138
    • “DLL hijacking” issue in library used by multiple media players.
  • CVE-2010-3152
    • “DLL hijacking” issue in illustration program.
  • CVE-2010-3135
    • “DLL hijacking” issue in network monitoring software.
  • CVE-2010-1795
    • “DLL hijacking” issue in music player/organizer.
  • CVE-2002-1576
    • Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.
  • CVE-1999-1461
    • Product trusts the PATH environment variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicious version of that program.
  • CVE-1999-1318
    • Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.
  • CVE-2003-0579
    • Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.
  • CVE-2000-0854
    • When a document is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.
  • CVE-2001-0943
    • Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.
  • CVE-2001-0942
    • Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.
  • CVE-2001-0507
    • Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.
  • CVE-2002-2017
    • Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.
  • CVE-1999-0690
    • Product includes the current directory in root’s PATH variable.
  • CVE-2001-0912
    • Error during packaging causes product to include a hard-coded, non-standard directory in search path.
  • CVE-2001-0289
    • Product searches current working directory for configuration file.
  • CVE-2005-1705
    • Product searches current working directory for configuration file.
  • CVE-2005-1307
    • Product executes another program from the current working directory.
  • CVE-2005-2072
    • Modification of trusted environment variable leads to untrusted path vulnerability.
  • CVE-2005-1632
    • Product searches /tmp for modules before other paths.

CWE-428 – Unquoted Search Path or Element


Description

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

If a malicious individual has access to the file system, it is possible to elevate privileges by inserting a file such as “C:\Program.exe” to be run by a privileged program that uses WinExec.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Description: 

Properly quote the full search path before executing a program on the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
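The following is an added example (not code from the CWE entry or this blog) of the first mitigation as an audit-and-fix routine for Windows service-style command lines. loader_candidates enumerates the prefixes an unquoted path with spaces is resolved through, which is the mechanism the description and the CVE references below rely on; audit flags a command line as affected when its executable path is unquoted and contains a space; fix_image_path applies the mitigation by quoting the full path while leaving arguments outside the quotes. The sample command lines are constructed, and the splitting rule assumes the executable ends in ".exe".

```python
import re


def split_image_path(image_path):
    """Split a service ImagePath-style command line into (exe_path, args).
    A quoted path ends at the closing quote; an unquoted one is assumed to end
    at the first '.exe' token."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if m:
        return s[:m.end()], s[m.end():].strip()
    return s, ""


def loader_candidates(exe_path):
    """Order in which an unquoted path containing spaces is resolved: each
    whitespace-delimited prefix is tried first (with .exe appended when the
    prefix has no extension) and the intended path comes last."""
    parts = exe_path.split(" ")
    cands = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if i < len(parts) and not re.search(r"\.[A-Za-z0-9]{1,4}$", prefix):
            prefix += ".exe"
        cands.append(prefix)
    return cands


def audit(image_path):
    """Report whether a command line is affected by CWE-428 and, if so, which
    earlier candidates a writable parent directory would let an attacker satisfy."""
    exe, _ = split_image_path(image_path)
    quoted = image_path.strip().startswith('"')
    vulnerable = (not quoted) and (" " in exe)
    return {
        "exe": exe,
        "quoted": quoted,
        "vulnerable": vulnerable,
        "candidates": loader_candidates(exe) if vulnerable else [exe],
    }


def fix_image_path(image_path):
    """The mitigation: quote the full executable path, arguments stay outside."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")
```

For the constructed line C:\Program Files\Acme Agent\agent.exe -service, audit reports vulnerable=True with candidates ["C:\Program.exe", "C:\Program Files\Acme.exe", "C:\Program Files\Acme Agent\agent.exe"], the first of which is the "C:\Program.exe" case from the description; fix_image_path rewrites it as "C:\Program Files\Acme Agent\agent.exe" -service, after which audit reports it as quoted and not vulnerable.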

CVE References

  • CVE-2005-1185
    • Small handful of others. Program doesn’t quote the “C:\Program Files” path when calling a program to be executed – or any other path with a directory or file whose name contains a space – so an attacker can put a malicious program.exe into C:\.
  • CVE-2005-2938
    • CreateProcess() and CreateProcessAsUser() can be misused by applications to allow “program.exe” style attacks in C:\.
  • CVE-2000-1128
    • Applies to “Common Files” folder, with a malicious common.exe, instead of “Program Files”/program.exe.