All posts by rocco

CWE

CWE-908 – Use of Uninitialized Resource

Read Time:2 Minute, 9 Second

Description

The software uses or accesses a resource that has not been initialized.

When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-665
CWE-665

 

Consequences

Confidentiality: Read Memory, Read Application Data

When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Availability: DoS: Crash, Exit, or Restart

The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Phase: Implementation

Effectiveness:

Description: 

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Phase: Implementation

Effectiveness:

Description: 

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Effectiveness:

Description: 

Run or compile the software with settings that generate warnings about uninitialized variables or data.

CVE References

 

  • CVE-2019-9805
    • Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
  • CVE-2008-4197
    • Use of uninitialized memory may allow code execution.
  • CVE-2008-2934
    • Free of an uninitialized pointer leads to crash and possible code execution.
  • CVE-2008-0063
    • Product does not clear memory contents when generating an error message, leading to information leak.
  • CVE-2008-0062
    • Lack of initialization triggers NULL pointer dereference or double-free.
  • CVE-2008-0081
    • Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2008-3688
    • Chain: Uninitialized variable leads to infinite loop.
  • CVE-2008-3475
    • Chain: Improper initialization leads to memory corruption.
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
  • CVE-2008-3597
    • Chain: game server can access player data structures before initialization has happened leading to NULL dereference
  • CVE-2009-2692
    • Chain: uninitialized function pointers can be dereferenced allowing code execution
  • CVE-2009-0949
    • Chain: improper initialization of memory can lead to NULL dereference
  • CVE-2009-3620
    • Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
CWE

CWE-909 – Missing Initialization of Resource

Read Time:1 Minute, 23 Second

Description

The software does not initialize a critical resource.

Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-665
CWE-665
CWE-908

 

Consequences

Confidentiality: Read Memory, Read Application Data

When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Availability: DoS: Crash, Exit, or Restart

The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.

Phase: Implementation

Effectiveness:

Description: 

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Phase: Implementation

Effectiveness:

Description: 

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Effectiveness:

Description: 

Run or compile your software with settings that generate warnings about uninitialized variables or data.

CVE References

 

  • CVE-2020-20739
    • A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
CWE

CWE-91 – XML Injection (aka Blind XPath Injection)

Read Time:30 Second

Description

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Within XML, special elements could include reserved words or characters such as ““, “””, and “&”, which could then be used to add new data or modify XML syntax.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-74
CWE-74

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

CVE References

 

CWE

CWE-807 – Reliance on Untrusted Inputs in a Security Decision

Read Time:1 Minute, 48 Second

Description

The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-693

 

Consequences

Confidentiality, Access Control, Availability, Other: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Varies by Context

Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Operation, Implementation

Effectiveness:

Description: 

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

CVE References

 

  • CVE-2009-1549
    • Attacker can bypass authentication by setting a cookie to a specific value.
  • CVE-2009-1619
    • Attacker can bypass authentication and gain admin privileges by setting an “admin” cookie to 1.
  • CVE-2009-0864
    • Content management system allows admin privileges by setting a “login” cookie to “OK.”
  • CVE-2008-5784
    • e-dating application allows admin privileges by setting the admin cookie to 1.
  • CVE-2008-6291
    • Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to “admin.”
CWE

CWE-81 – Improper Neutralization of Script in an Error Message Web Page

Read Time:1 Minute, 48 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-79
CWE-209
CWE-390

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Do not write user-controlled input to error pages.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

CWE

CWE-82 – Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

Read Time:1 Minute, 24 Second

Description

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim’s browser. Note that when the page is loaded into a user’s browsers, the exploit will automatically execute.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-83

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2006-3211
    • Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CWE

CWE-820 – Missing Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-821 – Incorrect Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-822 – Untrusted Pointer Dereference

Read Time:1 Minute, 38 Second

Description

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2007-5655
    • message-passing framework interprets values in packets as pointers, causing a crash.
  • CVE-2010-2299
    • labeled as a “type confusion” issue, also referred to as a “stale pointer.” However, the bug ID says “contents are simply interpreted as a pointer… renderer ordinarily doesn’t supply this pointer directly”. The “handle” in the untrusted area is replaced in one function, but not another – thus also, effectively, exposure to wrong sphere (CWE-668).
  • CVE-2009-1719
    • Untrusted dereference using undocumented constructor.
  • CVE-2009-1250
    • An error code is incorrectly checked and interpreted as a pointer, leading to a crash.
  • CVE-2009-0311
    • An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
  • CVE-2010-1818
    • Undocumented attribute in multimedia software allows “unmarshaling” of an untrusted pointer.
  • CVE-2010-3189
    • ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
  • CVE-2010-1253
    • Spreadsheet software treats certain record values that lead to “user-controlled pointer” (might be untrusted offset, not untrusted pointer).
CWE

CWE-823 – Use of Out-of-range Pointer Offset

Read Time:2 Minute, 4 Second

Description

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2010-2160
    • Invalid offset in undocumented opcode leads to memory corruption.
  • CVE-2010-1281
    • Multimedia player uses untrusted value from a file when using file-pointer calculations.
  • CVE-2009-3129
    • Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
  • CVE-2009-2694
    • Instant messaging library does not validate an offset value specified in a packet.
  • CVE-2009-2687
    • Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
  • CVE-2010-2873
    • “blind trust” of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
  • CVE-2010-2866
    • negative value (signed) causes pointer miscalculation
  • CVE-2010-2872
    • signed values cause incorrect pointer calculation
  • CVE-2010-2867
    • a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
  • CVE-2009-1097
    • portions of a GIF image used as offsets, causing corruption of an object pointer.
  • CVE-2008-1807
    • invalid numeric field leads to a free of arbitrary memory locations, then code execution.
  • CVE-2007-2500
    • large number of elements leads to a free of an arbitrary address
  • CVE-2008-1686
    • array index issue (CWE-129) with negative offset, used to dereference a function pointer