All posts by rocco

CWE-666 – Operation on Resource in Wrong Phase of Lifetime

Description

The software performs an operation on a resource at the wrong phase of the resource’s lifecycle, which can lead to unexpected behaviors.

When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource is in the expected state. In this case, the software wants to perform a normally valid operation, initialization, use or release, on a resource when it is in the incorrect phase of its lifetime.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-664

Consequences

Other: Other

Potential Mitigations

Phase: Architecture and Design

Description: Follow the resource’s lifecycle from creation to release.
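An added Python example (not part of the CWE entry or of any project's code) of what "follow the resource's lifecycle" looks like in practice: a hypothetical Session resource that records its current phase and refuses initialization, use or release outside the phase where that operation is valid, so use-before-open, use-after-release and double release are caught as errors instead of acting on a resource in the wrong state. The Session class, its phases and the probe() helper are all constructed for this illustration.

```python
import enum


class Phase(enum.Enum):
    CREATED = "created"
    OPEN = "open"
    RELEASED = "released"


class LifecycleError(RuntimeError):
    """Raised when an operation is attempted in the wrong phase of the resource's life."""


class Session:
    """Hypothetical resource whose operations check the current phase.

    Intended order: CREATED --open()--> OPEN --send()...--> OPEN --release()--> RELEASED.
    Every other transition is rejected rather than silently acting on a resource
    that is not ready yet or has already been released.
    """

    def __init__(self):
        self.phase = Phase.CREATED
        self.sent = []

    def _require(self, *allowed):
        if self.phase not in allowed:
            raise LifecycleError(f"operation not valid in phase {self.phase.value}")

    def open(self):
        self._require(Phase.CREATED)      # initialising twice is a wrong-phase bug too
        self.phase = Phase.OPEN

    def send(self, payload):
        self._require(Phase.OPEN)         # use only while initialised and not released
        self.sent.append(payload)
        return len(self.sent)

    def release(self):
        # Releasing twice is the classic wrong-phase defect (double close / double free);
        # refuse it instead of letting the second call touch a released resource.
        self._require(Phase.OPEN)
        self.phase = Phase.RELEASED

    # Context-manager support ties open/release to a scope so callers cannot forget either.
    def __enter__(self):
        self.open()
        return self

    def __exit__(self, *exc):
        self.release()
        return False


def run_correct_lifecycle():
    """Create, use and release in the intended order; returns the payloads sent."""
    with Session() as s:
        s.send("hello")
        s.send("bye")
    return s.sent


def probe(op_sequence):
    """Apply a sequence of operation names ("open", "send", "release") to a fresh
    Session and return the index of the first rejected step, or None if all succeed."""
    s = Session()
    ops = {"open": s.open, "send": lambda: s.send("x"), "release": s.release}
    for i, name in enumerate(op_sequence):
        try:
            ops[name]()
        except LifecycleError:
            return i
    return None
```

The probe() helper makes the lifecycle rules testable: a use before open fails at step 0, a use after release or a second release fails at step 2, while the intended open/send/release sequence completes without a rejection.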

CVE References

CWE-667 – Improper Locking

Description

The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-662

Consequences

Availability: DoS: Resource Consumption (CPU)

Inconsistent locking discipline can lead to deadlock.

Potential Mitigations

Phase: Implementation

Description: Use industry standard APIs to implement the locking mechanism.
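An added Python example (not from the CWE entry or any project) showing two points of the locking discipline this entry describes, using the standard-library threading API: a consistent global lock order so that two transfers running in opposite directions cannot deadlock, `with` blocks so a lock is released on every exit path, and the standard lock's refusal to release a lock that was never acquired (the error class behind the double-unlock CVEs in this entry). The Account class and the transfer scenario are constructed for the illustration.

```python
import threading


class Account:
    """Constructed resource guarded by its own lock."""

    def __init__(self, acct_id, balance):
        self.acct_id = acct_id
        self.balance = balance
        self.lock = threading.Lock()


def transfer(src, dst, amount):
    """Move `amount` from src to dst while holding both account locks.

    Deadlock avoidance: the two locks are always acquired in the same global order
    (ascending acct_id). Two concurrent transfers A->B and B->A therefore cannot
    each hold one lock while waiting for the other.
    """
    if src is dst:
        return False  # a non-reentrant Lock acquired twice would deadlock on itself
    first, second = sorted((src, dst), key=lambda a: a.acct_id)
    with first.lock, second.lock:  # `with` releases both locks on every path, including exceptions
        if src.balance < amount:
            return False
        src.balance -= amount
        dst.balance += amount
        return True


def run_crossing_transfers(n_rounds=200):
    """Run transfers A->B and B->A concurrently; returns (total balance, both threads finished)."""
    a, b = Account(1, 1000), Account(2, 1000)

    def worker(src, dst):
        for _ in range(n_rounds):
            transfer(src, dst, 1)

    t1 = threading.Thread(target=worker, args=(a, b))
    t2 = threading.Thread(target=worker, args=(b, a))
    t1.start()
    t2.start()
    t1.join(timeout=10)   # a deadlock would leave the threads alive past the timeout
    t2.join(timeout=10)
    finished = not (t1.is_alive() or t2.is_alive())
    return a.balance + b.balance, finished


def release_without_acquire():
    """The standard-library lock refuses an unlock that was never locked.

    A home-grown lock that accepts this silently is how "unlock of a resource that
    was not locked" bugs corrupt lock state; the standard API raises RuntimeError.
    """
    lock = threading.Lock()
    try:
        lock.release()
    except RuntimeError:
        return "rejected"
    return "silently accepted"
```

With the ordered acquisition the crossing transfers always complete and the combined balance stays at 2000; if the order were taken from the call arguments instead (src first, then dst), the same two threads could each hold one lock and block forever.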

CVE References

  • CVE-2009-0935
    • Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
  • CVE-2010-4210
    • function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
  • CVE-2008-4302
    • Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
  • CVE-2009-1243
    • OS kernel performs an unlock in some incorrect circumstances, leading to panic.
  • CVE-2009-4272
    • deadlock triggered by packets that force collisions in a routing table
  • CVE-2002-1850
    • read/write deadlock between web server and script
  • CVE-2004-0174
    • web server deadlock involving multiple listening connections
  • CVE-2009-1388
    • multiple simultaneous calls to the same function trigger deadlock.
  • CVE-2006-5158
    • chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
  • CVE-2006-4342
    • deadlock when an operation is performed on a resource while it is being removed.
  • CVE-2006-2374
    • Deadlock in device driver triggered by using file handle of a related device.
  • CVE-2006-2275
    • Deadlock when large number of small messages cannot be processed quickly enough.
  • CVE-2005-3847
    • OS kernel has deadlock triggered by a signal during a core dump.
  • CVE-2005-2456
    • Chain: array index error (CWE-129) leads to deadlock (CWE-833)
  • CVE-2001-0682
    • Program cannot execute when attacker obtains a mutex.
  • CVE-2002-1914
    • Program cannot execute when attacker obtains a lock on a critical output file.
  • CVE-2002-1915
    • Program cannot execute when attacker obtains a lock on a critical output file.
  • CVE-2002-0051
    • Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
  • CVE-2000-0338
    • Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
  • CVE-2000-1198
    • Chain: Lock files with predictable names. Resultant from randomness.
  • CVE-2002-1869
    • Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.

CWE-668 – Exposure of Resource to Wrong Sphere

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-664

Consequences

Confidentiality, Integrity, Other: Read Application Data, Modify Application Data, Other

Potential Mitigations

CVE References

CWE-621 – Variable Extraction Error

Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-914
CWE-471

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Potential Mitigations

Phase: Implementation

Description: Use allowlists of variable names that can be extracted.

Phase: Implementation

Description: Consider refactoring your code to avoid extraction routines altogether.

Phase: Implementation

Description: In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
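An added example, written in Python rather than PHP and not taken from the CWE entry or any project, of the extraction problem and the three mitigations above. extract_request() is a constructed stand-in for PHP's extract(): it binds request keys as variables in a namespace dict, and its modes mirror the PHP options named above (overwrite for the weak default, "skip" for EXTR_SKIP, "prefix" for EXTR_PREFIX_ALL) alongside an explicit allowlist. The request and the handler's variables are constructed sample data.

```python
def extract_request(request, namespace, mode="skip", prefix="req", allowed=None):
    """Bind request keys as variables in `namespace` (a dict standing in for the symbol table).

    mode="overwrite" reproduces the weakness: any request key can clobber an existing variable.
    mode="skip"      leaves existing variables untouched (EXTR_SKIP analogue).
    mode="prefix"    binds each key as <prefix>_<key> so it can never collide (EXTR_PREFIX_ALL analogue).
    `allowed`        optional allowlist of the only keys that may be extracted at all.
    Returns the list of names that were bound.
    """
    bound = []
    for key, value in request.items():
        if not key.isidentifier():
            continue                      # not a valid variable name: never bind it
        if allowed is not None and key not in allowed:
            continue                      # first mitigation: allowlist of extractable names
        if mode == "prefix":
            name = f"{prefix}_{key}"
        else:
            name = key
            if mode == "skip" and name in namespace:
                continue                  # do not overwrite something the program already set
        namespace[name] = value
        bound.append(name)
    return bound


# Constructed request: the "is_admin" key is the one an attacker would add.
REQUEST = {"is_admin": True, "page": "2", "bad-name": "x"}


def handle_profile(request, mode, allowed=None):
    """Hypothetical handler: is_admin is derived from the session *before* extraction.

    Returns the effective is_admin value after request variables are extracted."""
    scope = {"is_admin": False, "user": "alice"}
    extract_request(request, scope, mode=mode, allowed=allowed)
    return scope["is_admin"]
```

Note what EXTR_SKIP does and does not buy: it protects variables that already exist when extraction runs, but a request key that happens to match a variable assigned *later* in the code is still bound, which is why the entry recommends an allowlist (or no extraction routine at all) rather than relying on the skip option alone.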

CVE References

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing

CWE-622 – Improper Validation of Function Hook Arguments

Description

The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.

Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-20

Consequences

Integrity: Unexpected State

Potential Mitigations

Phase: Architecture and Design

Description: Ensure that all arguments are verified, as defined by the API you are protecting.

Phase: Architecture and Design

Description: Drop privileges before invoking such functions, if possible.

CVE References

  • CVE-2007-0708
    • DoS in firewall using standard Microsoft functions
  • CVE-2006-7160
    • DoS in firewall using standard Microsoft functions
  • CVE-2007-1376
    • function does not verify that its argument is the proper type, leading to arbitrary memory write
  • CVE-2007-1220
    • invalid syscall arguments bypass code execution limits

CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting

Description

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-267
CWE-691
CWE-618

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design

Description: During development, do not mark it as safe for scripting.

Phase: System Configuration

Description: After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.

CVE References

  • CVE-2007-0617
    • control allows attackers to add malicious email addresses to bypass spam limits

CWE-624 – Executable Regular Expression Error

Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-77

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Description: The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
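An added example, in Python and not from the CWE entry or any project, of the quoting mitigation. Python's re module has no executable modifier comparable to PHP's /e, so the consequence here is that unescaped input can change what the pattern matches rather than run code, but the mechanism is the same one the entry describes: user input spliced into a pattern string is parsed as pattern syntax, including inline modifiers. re.escape() is the Python counterpart of Perl's \Q...\E. The "name=" pattern and the sample inputs are constructed.

```python
import re


def build_unsafe(term):
    """The weakness: the input is concatenated into the pattern source unescaped,
    so it can carry pattern syntax and scoped inline modifiers such as (?i:...)."""
    return re.compile(r"name=" + term)


def build_safe(term):
    """Mitigation: quote the input so every character is matched literally."""
    return re.compile(r"name=" + re.escape(term))


def compare(term, text):
    """Return (unsafe_result, safe_result) for a user-supplied term and a haystack.

    A pattern that fails to compile in the unsafe variant is reported as "error";
    the escaped variant always compiles, whatever the input contains.
    """
    try:
        unsafe = build_unsafe(term).search(text) is not None
    except re.error:
        unsafe = "error"
    safe = build_safe(term).search(text) is not None
    return unsafe, safe
```

A plain term behaves identically in both variants; a term carrying the scoped case-insensitivity modifier "(?i:BOB)" matches "name=bob" only through the unescaped pattern, ".*" turns the unescaped pattern into match-anything, and an unbalanced "(" makes the unescaped pattern fail to compile, an error path the escaped build never takes.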

CVE References

  • CVE-2006-2059
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2005-3420
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2006-2878
    • Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the “/e” modifier
  • CVE-2006-2908
    • Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

CWE-625 – Permissive Regular Expression

Description

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-185
CWE-187
CWE-184
CWE-183

Consequences

Access Control: Bypass Protection Mechanism

Potential Mitigations

Phase: Implementation

Description: When applicable, ensure that the regular expression marks beginning and ending string patterns, such as “/^string$/” for Perl.
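An added Python example (not from the CWE entry or any project) of the three permissive-regex shapes that recur in this entry's CVE references, each beside its restricted form: an IP-address pattern anchored only at the start, a "contains a legal character" check that was meant to be "consists only of legal characters", and a substring comparison of usernames. It also shows a Python-specific caveat: `$` matches before a trailing newline, so re.fullmatch() is the reliable way to anchor both ends. The patterns and inputs are constructed.

```python
import re

# Constructed IPv4 pattern: four dotted octets, each 0-255.
IPV4_PART = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{IPV4_PART}(\.{IPV4_PART}){{3}}"


def is_ipv4_permissive(s):
    """Anchored at the start only: anything after the address passes unchecked."""
    return re.match(rf"^{IPV4}", s) is not None


def is_ipv4_dollar(s):
    """Anchored with ^...$ as the entry suggests, but in Python `$` also matches
    just before a trailing newline, so "10.0.0.1\\n" is accepted."""
    return re.match(rf"^{IPV4}$", s) is not None


def is_ipv4_strict(s):
    """fullmatch requires the whole string to be the address, newline included."""
    return re.fullmatch(IPV4, s) is not None


def is_username_permissive(s):
    """Checks that at least one character is legal, not that all of them are."""
    return re.search(r"[A-Za-z0-9_]", s) is not None


def is_username_strict(s):
    """Every character must be legal, and the length is bounded."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", s) is not None


def user_matches_permissive(db_user, supplied):
    """Substring comparison: the supplied name only has to occur inside the stored one."""
    return re.search(re.escape(supplied), db_user) is not None


def user_matches_strict(db_user, supplied):
    """Whole-string comparison (for a literal name, plain == would do as well)."""
    return re.fullmatch(re.escape(supplied), db_user) is not None
```

The permissive forms accept "10.0.0.1; id" as an address, "../etc/passwd" as a username (it contains the legal character "e"), and treat "bob" as a match for the stored user "bobby"; the strict forms reject all three.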

CVE References

  • CVE-2002-2175
    • insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
  • CVE-2006-4527
    • regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
  • CVE-2005-1949
    • Regexp for IP address isn’t anchored at the end, allowing appending of shell metacharacters.
  • CVE-2002-2109
    • Regexp isn’t “anchored” to the beginning or end, which allows spoofed values that have trusted values as substrings.
  • CVE-2006-6511
    • regexp in .htaccess file allows access of files whose names contain certain substrings
  • CVE-2006-6629
    • allow load of macro files whose names contain certain substrings.

CWE-626 – Null Byte Interaction Error (Poison Null Byte)

Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-147
CWE-436

Consequences

Integrity: Unexpected State

Potential Mitigations

Phase: Implementation

Description: Remove null bytes from all incoming strings.
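An added Python example, not from the CWE entry or any project, of the representation mismatch behind this weakness and of the mitigation above. A length-counted string such as Python's keeps everything after a NUL, so a suffix check at that layer sees ".txt"; a NUL-terminated C string sees only what precedes the NUL. as_c_string() is an emulation of that C view written for the illustration, and the file-name check and sample inputs are constructed. Modern Python's open() also refuses an embedded NUL outright, which the last helper demonstrates.

```python
def contains_nul(s):
    return "\x00" in s


def strip_nul(s):
    """The entry's mitigation: remove NUL bytes from incoming strings."""
    return s.replace("\x00", "")


def as_c_string(s):
    """Emulate how a NUL-terminated C API sees the same value: everything after the
    first NUL is invisible. Emulation only; real C code never sees those bytes at all."""
    return s.split("\x00", 1)[0]


def validate_report_name_weak(name):
    """Suffix check done only at the length-counted layer."""
    return name.endswith(".txt")


def validate_report_name(name):
    """Reject NUL first, then check the suffix, so the value this check approves is
    the same value every lower layer will receive."""
    return not contains_nul(name) and name.endswith(".txt")


def describe(name):
    """For one input, return (weak check passes, strict check passes, what C would see)."""
    return validate_report_name_weak(name), validate_report_name(name), as_c_string(name)


def open_rejects_nul(name):
    """Python itself refuses to hand an embedded NUL to the OS (ValueError)."""
    try:
        with open(name, "rb"):
            pass
    except ValueError:
        return True
    except OSError:
        return False   # normal file errors (e.g. not found) are not the NUL case
    return False
```

For the constructed input "secret.cfg\x00.txt" the weak check passes because the string ends in ".txt", the strict check fails because a NUL is present, and the C view is "secret.cfg", which is the file a NUL-terminated lower layer would actually open.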

CVE References

  • CVE-2005-3153
    • inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection

CWE-627 – Dynamic Variable Evaluation

Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.

Many interpreted languages support the use of a “$$varname” construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as “variable variables.” Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-914
CWE-183

Consequences

Confidentiality, Integrity, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could gain unauthorized access to internal program variables and execute arbitrary code.

Potential Mitigations

Phase: Implementation

Description: Refactor the code to avoid dynamic variable evaluation whenever possible.

Phase: Implementation

Description: Use only allowlists of acceptable variable or function names.

Phase: Implementation

Description: For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
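An added example, in Python rather than PHP and not from the CWE entry or any project, of the second and third mitigations above. globals()[name] plays the role of PHP's $$name and a handler table plays the role of $$funcname(...): a variable read is limited to an allowlist, and a dynamic call is limited to allowlisted handlers whose declared parameter count matches the arguments supplied, which is the "proper number of arguments" check the entry asks for. The module variables, handlers and request values are constructed; unsafe_read() shows the weakness for contrast.

```python
import inspect

# Constructed module state a request might try to name.
SETTINGS = {"theme": "dark", "lang": "en"}
SECRET_TOKEN = "constructed-secret"   # must never be reachable by name from a request


def show_profile(user):
    return f"profile:{user}"


def show_settings(user, section):
    return f"settings:{user}:{section}"


def _internal_reset():
    return "reset-everything"          # exists in the module, must not be request-callable


# Allowlists: the only names a request may resolve to.
READABLE_VARS = {"SETTINGS"}
HANDLERS = {"show_profile": show_profile, "show_settings": show_settings}


def unsafe_read(name):
    """The weakness: resolve whatever name the request supplies ($$name analogue)."""
    return globals()[name]


def read_variable(name):
    """Allowlisted $$name-style read; returns None for any name not on the list."""
    if name not in READABLE_VARS:
        return None
    return globals()[name]


def dispatch(func_name, args):
    """Allowlisted $$funcname(...)-style call.

    Returns ("ok", result) or ("rejected", reason). The arity check keeps a
    request from calling a handler with missing arguments that would arrive as
    None/null, or with extra arguments that a loosely checked call might ignore.
    """
    handler = HANDLERS.get(func_name)
    if handler is None:
        return "rejected", f"{func_name!r} is not an allowlisted handler"
    expected = len(inspect.signature(handler).parameters)
    if expected != len(args):
        return "rejected", f"{func_name} expects {expected} argument(s), got {len(args)}"
    return "ok", handler(*args)
```

Reading "SETTINGS" through read_variable() works while "SECRET_TOKEN" returns None, even though unsafe_read() would hand back the secret; dispatch() runs show_profile with one argument, rejects show_settings when only one of its two arguments is supplied, and rejects _internal_reset because it is not in the handler table regardless of arguments.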

CVE References

  • CVE-2009-0422
    • Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
  • CVE-2007-2431
    • Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
  • CVE-2006-4904
    • Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
  • CVE-2006-4019
    • Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.