Category Archives: CWE

CWE-62 – UNIX Hard Link

Read Time:1 Minute, 39 Second

Description

The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-59

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1494
    • Hard link attack, file overwrite; interesting because program checks against soft links
  • CVE-2002-0793
    • Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
  • CVE-2003-0578
    • Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
  • CVE-1999-0783
    • Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
  • CVE-2004-1603
    • Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
  • CVE-2004-1901
    • Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
  • CVE-2005-0342
    • The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.

CWE-620 – Unverified Password Change

Read Time:1 Minute, 0 Second

Description

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

When prompting for a password change, force the user to provide the original password in addition to the new password.

Phase: Architecture and Design

Description: 

Do not use “forgotten password” functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

CVE References

  • CVE-2007-0681
    • Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
  • CVE-2000-0944
    • Web application password change utility doesn’t check the original password.

CWE-584 – Return Inside Finally Block

Read Time:19 Second

Description

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-705

 

Consequences

Other: Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Description: 

Do not use a return statement inside the finally block. The finally block should have “cleanup” code.

CVE References

CWE-585 – Empty Synchronized Block

Read Time:50 Second

Description

The software contains an empty synchronized block.

An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1071

 

Consequences

Other: Other

An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven’t protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code.

 

Potential Mitigations

Phase: Implementation

Description: 

When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary.

CVE References

CWE-586 – Explicit Call to Finalize()

Read Time:36 Second

Description

The software makes an explicit call to the finalize() method from outside the finalizer.

While the Java Language Specification allows an object’s finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1076

 

Consequences

Integrity, Other: Unexpected State, Quality Degradation

 

Potential Mitigations

Phase: Implementation, Testing

Description: 

Do not make explicit calls to finalize(). Use static analysis tools to spot such instances.

CVE References

CWE-587 – Assignment of a Fixed Address to a Pointer

Read Time:44 Second

Description

The software sets a pointer to a specific address other than NULL or 0.

Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-344
CWE-758

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If one executes code at a known location, an attacker might be able to inject code there beforehand.

Availability: DoS: Crash, Exit, or Restart, Reduce Maintainability, Reduce Reliability

If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash.

Confidentiality, Integrity: Read Memory, Modify Memory

The data at a known pointer location can be easily read or influenced by an attacker.

 

Potential Mitigations

Phase: Implementation

Description: 

Never set a pointer to a fixed address.

CVE References

CWE-588 – Attempt to Access Child of a Non-structure Pointer

Read Time:33 Second

Description

Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-704
CWE-758

 

Consequences

Integrity: Modify Memory

Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.

Availability: DoS: Crash, Exit, or Restart

Execution may end due to a memory access error.

 

Potential Mitigations

Phase: Requirements

Description: 

The choice could be made to use a language that is not susceptible to these issues.

Phase: Implementation

Description: 

Review of type casting operations can identify locations where incompatible types are cast.

CVE References

CWE-589 – Call to Non-ubiquitous API

Read Time:44 Second

Description

The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-474

 

Consequences

Other: Quality Degradation

 

Potential Mitigations

Phase: Implementation

Description: 

Always test your code on any platform on which it is targeted to run on.

Phase: Testing

Description: 

Test your code on the newest and oldest platform on which it is targeted to run on.

Phase: Testing

Description: 

Develop a system to test for API functions that are not portable.

CVE References

CWE-59 – Improper Link Resolution Before File Access (‘Link Following’)

Read Time:3 Minute, 28 Second

Description

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-706
CWE-706

 

Consequences

Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism

An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

Other: Execute Unauthorized Code or Commands

Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a “.LNK” file can be uploaded like a normal file. This can enable remote execution.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-1999-1386
    • Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
  • CVE-2000-1178
    • Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
  • CVE-2004-0217
    • Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
  • CVE-2003-0517
    • Symlink attack allows local users to overwrite files.
  • CVE-2004-0689
    • Window manager does not properly handle when certain symbolic links point to “stale” locations, which could allow local users to create or truncate arbitrary files.
  • CVE-2000-0972
    • Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
  • CVE-2001-1494
    • Hard link attack, file overwrite; interesting because program checks against soft links
  • CVE-2002-0793
    • Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
  • CVE-2003-0578
    • Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
  • CVE-1999-0783
    • Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
  • CVE-2004-1603
    • Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
  • CVE-2004-1901
    • Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
  • CVE-2000-0342
    • Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka “Stealth Attachment.”
  • CVE-2001-1042
    • FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
  • CVE-2001-1043
    • FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
  • CVE-2005-0587
    • Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
  • CVE-2003-1233
    • Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
  • CVE-2002-0725
    • File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
  • CVE-2003-0844
    • Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.

CWE-590 – Free of Memory not on the Heap

Read Time:1 Minute, 18 Second

Description

The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

When free() is called on an invalid pointer, the program’s memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-762
CWE-123

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

There is the potential for arbitrary code execution with privileges of the vulnerable program via a “write, what where” primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory.

 

Potential Mitigations

Phase: Implementation

Description: 

Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once.

Phase: Implementation

Description: 

Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Use a language that provides abstractions for memory allocation and deallocation.

Phase: Testing

Description: 

Use a tool that dynamically detects memory management problems, such as valgrind.

CVE References