All posts by rocco

CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Modes of Introduction:

– Architecture and Design


Related Weaknesses

CWE-459
CWE-212
CWE-201

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness: High

Description: 

During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0’s) or random data, before the transition to the next state.

Phase: Architecture and Design, Implementation

Effectiveness: High

Description: 

When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though “logical” file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.
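The two mitigations above describe the same discipline from two angles: clear what the next state does not need, and clear a resource before it is released or reused. The C program below is an added example written for this page (it is not code from the CWE entry or from any of the referenced products); the frame size, the 0xA5 "secret" and the four-byte message are constructed sample data, and the function names are hypothetical. It reproduces the "less data stored into the buffer than previously" pattern from the CVE list that follows, shows the fix, and keeps the wipe from being optimized away.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FRAME_LEN 16   /* constructed: a small fixed-size frame buffer */

/* memset() right before free() (or before a buffer goes out of scope) is a
 * "dead store" that optimizers are entitled to delete. Calling memset through
 * a volatile function pointer is the portable way to keep the wipe; platform
 * helpers such as explicit_bzero() or memset_s() exist for the same purpose. */
static void *(*volatile memset_keep)(void *, int, size_t) = memset;

void zeroize(void *p, size_t n)
{
    if (p != NULL && n > 0)
        memset_keep(p, 0, n);
}

/* Weak variant: copies the new payload but leaves bytes past `len` untouched,
 * so a shorter message is padded with whatever the buffer held before. */
void fill_frame_unsafe(uint8_t frame[FRAME_LEN], const uint8_t *payload, size_t len)
{
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    memcpy(frame, payload, len);
}

/* Mitigated variant: wipe the whole buffer first, so the padding is all zeros. */
void fill_frame_safe(uint8_t frame[FRAME_LEN], const uint8_t *payload, size_t len)
{
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    zeroize(frame, FRAME_LEN);
    memcpy(frame, payload, len);
}

/* Non-zero bytes in the padding after `len`; 0 means nothing stale would leak. */
size_t stale_padding_bytes(const uint8_t frame[FRAME_LEN], size_t len)
{
    size_t stale = 0;
    for (size_t i = len; i < FRAME_LEN; i++)
        if (frame[i] != 0)
            stale++;
    return stale;
}

/* Release pattern for heap memory that held secrets: wipe, then free. */
void secure_free(void *p, size_t n)
{
    zeroize(p, n);
    free(p);
}

/* Reuse one buffer for a full-size "secret" frame and then a 4-byte message,
 * with or without clearing in between; returns how many stale bytes remain. */
size_t run_reuse(int clear_before_reuse)
{
    uint8_t frame[FRAME_LEN];
    uint8_t secret[FRAME_LEN];
    const uint8_t msg[4] = { 'p', 'i', 'n', 'g' };   /* constructed sample */

    memset(secret, 0xA5, sizeof secret);             /* constructed "secret" */
    fill_frame_unsafe(frame, secret, sizeof secret); /* first use fills all 16 bytes */

    if (clear_before_reuse)
        fill_frame_safe(frame, msg, sizeof msg);
    else
        fill_frame_unsafe(frame, msg, sizeof msg);

    return stale_padding_bytes(frame, sizeof msg);   /* 12 without clearing, 0 with */
}

int main(void)
{
    printf("stale bytes without clearing: %zu\n", run_reuse(0));
    printf("stale bytes with clearing:    %zu\n", run_reuse(1));
    return 0;
}
```

The `stale_padding_bytes()` check is the kind of assertion a unit test for a frame or packet encoder should carry: every byte past the payload must be zero before the buffer leaves the process. Wiping at release, as `secure_free()` does, covers the heap copy only; register spills, compiler-made temporaries and swapped pages are outside what application code can clear, which is the caveat the entry's second mitigation raises for complex resource types.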

CVE References

  • CVE-2003-0001
    • Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
  • CVE-2003-0291
    • router does not clear information from DHCP packets that have been previously used
  • CVE-2005-1406
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-1858
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-3180
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-3276
    • Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.

CWE-228 – Improper Handling of Syntactically Invalid Structure

Description

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

Modes of Introduction:

– Implementation


Related Weaknesses

CWE-703
CWE-707

Consequences

Integrity, Availability: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors.

Potential Mitigations

CVE References

CWE-23 – Relative Path Traversal

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Modes of Introduction:

– Implementation


Related Weaknesses

CWE-22

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.

Integrity: Modify Files or Directories

The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.

Confidentiality: Read Files or Directories

The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.

Availability: DoS: Crash, Exit, or Restart

The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all, and in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the software.

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 
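The entry's point is that the pathname must be neutralized before it is used, not pattern-matched for ".." after the fact; the CVE list that follows is largely a catalogue of filters that looked for one spelling of dot-dot and missed another (percent-encoded, backslash-separated, or collapsing variants). The C routine below is an added example written for this page, not code from the CWE entry or from any referenced product. It decodes percent escapes exactly once, then resolves "." and ".." lexically against a trusted base directory and refuses anything that would climb above it. The base directory `/srv/www`, the sample inputs and the function names `safe_join`/`join_or_null` are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 64

/* Decode %XX escapes exactly once. Malformed escapes and an encoded NUL (%00,
 * which would silently truncate the path at the OS layer) are rejected. */
static int percent_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return 0;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Join the trusted `base` (no trailing slash) with an untrusted `user_path`,
 * resolving "." and ".." lexically. Both '/' and '\' count as separators so
 * Windows-style variants are not missed. Returns 1 and writes the result to
 * `out` only if the path stays at or below `base`. */
int safe_join(const char *base, const char *user_path, char *out, size_t outlen)
{
    char decoded[1024];
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    size_t depth = 0;

    if (!percent_decode(user_path, decoded, sizeof decoded))
        return 0;

    for (char *p = decoded; *p != '\0';) {
        while (*p == '/' || *p == '\\')
            p++;                                   /* collapse runs of separators */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);

        size_t dots = 0;
        while (dots < len && start[dots] == '.')
            dots++;
        if (dots == len) {                         /* segment is made only of dots */
            if (len == 1)
                continue;                          /* "."  : stay put */
            if (len == 2) {                        /* ".." : climb one level */
                if (depth == 0)
                    return 0;                      /* would leave base */
                depth--;
                continue;
            }
            return 0;                              /* "...", "....": ambiguous, refuse */
        }
        if (depth == MAX_SEGS)
            return 0;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    size_t n = strlen(base);
    if (n >= outlen)
        return 0;
    memcpy(out, base, n);
    for (size_t i = 0; i < depth; i++) {
        if (n + 1 + seglen[i] >= outlen)
            return 0;
        out[n++] = '/';
        memcpy(out + n, seg[i], seglen[i]);
        n += seglen[i];
    }
    out[n] = '\0';
    return 1;
}

/* Convenience wrapper: the joined path in a static buffer, or NULL when rejected. */
const char *join_or_null(const char *base, const char *user_path)
{
    static char out[2048];
    return safe_join(base, user_path, out, sizeof out) ? out : NULL;
}

int main(void)
{
    const char *inputs[] = { "images/logo.png", "a/./b/../c.txt",
                             "%2e%2e/etc/passwd", "docs\\..\\..\\win.ini" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *r = join_or_null("/srv/www", inputs[i]);
        printf("%-22s -> %s\n", inputs[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Two design choices matter here. Decoding happens once and before normalization, so a filter cannot be fed one spelling and the file system another; decoding twice (or decoding after the check) is what turns "%252e" tricks into traversal. Second, the check is on the resulting depth, not on the presence of a substring, so "a/../../x" is refused while "a/../b" is accepted as "/srv/www/b". A lexical check says nothing about symlinks already inside the base directory; on the OS side, pair it with `realpath()` or, on Linux, `openat2()` with `RESOLVE_BENEATH`.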

CVE References

  • CVE-2002-0298
    • Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several “/../” sequences, or several “../” in a URI.
  • CVE-2002-0661
    • “\” not in denylist for web server, allowing path traversal attacks when the server is run on Windows and other OSes.
  • CVE-2002-0946
    • Arbitrary files may be read via .. (dot dot) sequences in an HTTP request.
  • CVE-2002-1042
    • Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via “..” sequences in queries.
  • CVE-2002-1209
    • Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via “..” sequences in a GET request.
  • CVE-2002-1178
    • Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via “..” sequences in an HTTP request.
  • CVE-2002-1987
    • Protection mechanism checks for “/..” but doesn’t account for Windows-specific “\..”, allowing read of arbitrary files.
  • CVE-2005-2142
    • Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a “..” sequence in an LS command.
  • CVE-2002-0160
    • The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a “....” sequence in the URL to port 2002.
  • CVE-2001-0480
    • Read of arbitrary files and directories using GET or CD with “...” in Windows-based FTP server.
  • CVE-2002-0288
    • Read files using “.” and Unicode-encoded “/” or “\” characters in the URL.
  • CVE-1999-1082
    • Read files via “......” in web server (doubled triple dot?).
  • CVE-2004-2121
    • Read files via “......” in web server (doubled triple dot?).
  • CVE-2001-0491
    • Multiple attacks using “..”, “...”, and “....” in different commands.
  • CVE-2005-2169
    • Chain: “.../...//” bypasses protection mechanism using regexps that remove “../”, resulting in collapse into an unsafe value “../” (CWE-182) and resultant path traversal.
  • CVE-2005-0202
    • “.../....///” bypasses regexps that remove “./” and “../”.
  • CVE-2004-1670
    • Mail server allows remote attackers to create arbitrary directories via a “..” or rename arbitrary files via a “....//” in user-supplied parameters.

CWE-230 – Improper Handling of Missing Values

Description

The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

Modes of Introduction:

– Implementation


Related Weaknesses

CWE-229

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

  • CVE-2000-1006
    • Blank “charset” attribute in MIME header triggers crash.

CWE-232 – Improper Handling of Undefined Values

Description

The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

Modes of Introduction:

– Architecture and Design


Related Weaknesses

CWE-229

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

  • CVE-2000-1003
    • Client crash when server returns unknown driver type.

CWE-234 – Failure to Handle Missing Parameter

Description

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-233

Consequences

Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted.

Availability: DoS: Crash, Exit, or Restart

Potentially a program could fail if it needs more arguments than are available.

Potential Mitigations

Phase: Build and Compilation

Description: 

This issue can be simply combated with the use of a proper build process.

Phase: Implementation

Description: 

Forward declare all functions. This is the recommended solution. Proper forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.
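A prototype protects the fixed part of an argument list, but the entry also mentions the variadic case, which no prototype can check: a callee that reads more `va_arg` values than the caller supplied is exactly the "pop the expected number of arguments" problem in the description. The C program below is an added example written for this page (not code from the CWE entry); `sum_ints` and the `SUM_INTS` macro are hypothetical names. It declares the function before use, as the mitigation recommends, and derives the variadic count from the argument list itself so the caller cannot state a count larger than what was passed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Forward declaration first, as the mitigation recommends. With this prototype
 * in scope, a call that passes too few fixed arguments is a compile-time error
 * instead of a silent read of whatever sits in the argument slots. */
long sum_ints(size_t count, ...);

/* The variadic part is invisible to the compiler, so the count is not typed by
 * the caller: this macro computes it from the argument list. The callee can
 * then never pop more arguments than were actually passed. Assumption of this
 * example: at least one argument is supplied (a compound literal needs one). */
#define SUM_INTS(...) \
    sum_ints(sizeof((int[]){__VA_ARGS__}) / sizeof(int), __VA_ARGS__)

long sum_ints(size_t count, ...)
{
    va_list ap;
    long total = 0;

    va_start(ap, count);
    for (size_t i = 0; i < count; i++)
        total += va_arg(ap, int);     /* exactly `count` reads, never beyond */
    va_end(ap);
    return total;
}

int main(void)
{
    /* sum_ints(3, 1, 2) would be the CWE-234 defect: count says three, two
     * supplied, so the third va_arg() reads garbage. SUM_INTS(1, 2) cannot be
     * miscounted because the macro counts the arguments for the caller. */
    printf("%ld\n", SUM_INTS(1, 2, 3));   /* 6 */
    return 0;
}
```

The same idea applies to the "proper build process" mitigation above: compiling with implicit function declarations treated as errors makes the missing-prototype case a build failure rather than a runtime surprise, and the counting macro removes the one place where a prototype cannot help.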

CVE References

  • CVE-2004-0276
    • Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of “%” characters and a missing Host field.
  • CVE-2002-1488
    • Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.
  • CVE-2002-1169
    • Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number.
  • CVE-2000-0521
    • Web server allows disclosure of CGI source code via an HTTP request without the version number.
  • CVE-2001-0590
    • Application server allows a remote attacker to read the source code to arbitrary ‘jsp’ files via a malformed URL request which does not end with an HTTP protocol specification.
  • CVE-2003-0239
    • Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.
  • CVE-2002-1023
    • Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.
  • CVE-2002-1531
    • Crash in HTTP request without a Content-Length field.
  • CVE-2002-1077
    • Crash in HTTP request without a Content-Length field.
  • CVE-2002-1358
    • Empty elements/strings in protocol test suite affect many SSH2 servers/clients.
  • CVE-2003-0477
    • FTP server crashes in PORT command without an argument.
  • CVE-2002-0107
    • Resultant infoleak in web server via GET requests without HTTP/1.0 version string.
  • CVE-2002-0596
    • GET request with empty parameter leads to error message infoleak (path disclosure).

CWE-235 – Improper Handling of Extra Parameters

Description

The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

Modes of Introduction:

– Implementation


Related Weaknesses

CWE-233

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

  • CVE-2003-1014
    • MIE: multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.