CWE

CWE-201 – Insertion of Sensitive Information Into Sent Data

Read Time:1 Minute, 1 Second

Description

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-200
CWE-209
CWE-202

 

Consequences

Confidentiality: Read Files or Directories, Read Memory, Read Application Data

Sensitive data may be exposed to attackers.

 

Potential Mitigations

Phase: Requirements

Description: 

Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.

Phase: Implementation

Description: 

Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Phase: System Configuration

Description: 

Setup default error messages so that unexpected errors do not disclose sensitive information.

Phase: Architecture and Design

Description: 

CVE References

CWE

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Read Time:1 Minute, 47 Second

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-668

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1483
    • Enumeration of valid usernames based on inconsistent responses
  • CVE-2001-1528
    • Account number enumeration via inconsistent responses.
  • CVE-2004-2150
    • User enumeration via discrepancies in error messages.
  • CVE-2005-1205
    • Telnet protocol allows servers to obtain sensitive environment information from clients.
  • CVE-2002-1725
    • Script calls phpinfo(), revealing system configuration to web user
  • CVE-2002-0515
    • Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
  • CVE-2004-0778
    • Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
  • CVE-2000-1117
    • Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
  • CVE-2003-0190
    • Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
  • CVE-2008-2049
    • POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
  • CVE-2007-5172
    • Program reveals password in error message if attacker can trigger certain database errors.
  • CVE-2008-4638
    • Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
  • CVE-2007-1409
    • Direct request to library file in web application triggers pathname leak in error message.
  • CVE-2005-0603
    • Malformed regexp syntax leads to information exposure in error message.
  • CVE-2003-1078
    • FTP client with debug option enabled shows password to the screen.
CWE

CWE-20 – Improper Input Validation

Read Time:4 Minute, 52 Second

Description

The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-707
CWE-345
CWE-22
CWE-41
CWE-74
CWE-119
CWE-770

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.

Confidentiality: Read Memory, Read Files or Directories

An attacker could read confidential data if they are able to control resource references.

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build “recognizers” for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]

Phase: Architecture and Design

Description: 

Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Phase: Architecture and Design, Implementation

Description: 

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Phase: Implementation

Description: 

Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.

Phase: Implementation

Description: 

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input’s values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CVE References

  • CVE-2008-5305
    • Eval injection in Perl program using an ID that should only contain hyphens and numbers.
  • CVE-2008-2223
    • SQL injection through an ID that was supposed to be numeric.
  • CVE-2008-3477
    • lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.
  • CVE-2008-3174
    • driver in security product allows code execution due to insufficient validation
  • CVE-2007-3409
    • infinite loop from DNS packet with a label that points to itself
  • CVE-2006-6870
    • infinite loop from DNS packet with a label that points to itself
  • CVE-2007-5893
    • HTTP request with missing protocol version number leads to crash
  • CVE-2006-6658
    • request with missing parameters leads to information exposure
  • CVE-2008-4114
    • system crash with offset value that is inconsistent with packet size
  • CVE-2006-3790
    • size field that is inconsistent with packet size leads to buffer over-read
  • CVE-2008-2309
    • product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
  • CVE-2008-1284
    • NUL byte in theme name causes directory traversal impact to be worse
  • CVE-2008-0600
    • kernel does not validate an incoming pointer before dereferencing it
  • CVE-2008-1738
    • anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution
  • CVE-2008-1737
    • anti-virus product allows DoS via zero-length field
  • CVE-2008-3464
    • driver does not validate input from userland to the kernel
  • CVE-2008-2252
    • kernel does not validate parameters sent in from userland, allowing code execution
  • CVE-2008-2374
    • lack of validation of string length fields allows memory consumption or buffer over-read
  • CVE-2008-1440
    • lack of validation of length field leads to infinite loop
  • CVE-2008-1625
    • lack of validation of input to an IOCTL allows code execution
  • CVE-2007-2442
    • zero-length input causes free of uninitialized pointer
  • CVE-2008-3680
    • packet with invalid version number leads to NULL pointer dereference
  • CVE-2008-3660
    • crash via multiple “.” characters in file extension
CWE

CWE-198 – Use of Incorrect Byte Ordering

Read Time:18 Second

Description

The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-188

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

CVE References

CWE

CWE-197 – Numeric Truncation Error

Read Time:1 Minute, 11 Second

Description

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-195
CWE-196
CWE-192
CWE-194

 

Consequences

Integrity: Modify Memory

The true value of the data is lost and corrupted data is used.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.

CVE References

  • CVE-2009-0231
    • Integer truncation of length value leads to heap-based buffer overflow.
  • CVE-2008-3282
    • Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.
CWE

CWE-196 – Unsigned to Signed Conversion Error

Read Time:1 Minute, 32 Second

Description

The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.

Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-124
CWE-120

 

Consequences

Availability: DoS: Crash, Exit, or Restart

Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.

Integrity: Modify Memory

If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected.

Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Requirements

Description: 

Choose a language which is not subject to these casting flaws.

Phase: Architecture and Design

Description: 

Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors.

Phase: Implementation

Description: 

Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible.

CVE References

CWE

CWE-195 – Signed to Unsigned Conversion Error

Read Time:33 Second

Description

The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-119

 

Consequences

Integrity: Unexpected State

Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities.

 

Potential Mitigations

CVE References

  • CVE-2007-4268
    • Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
CWE

CWE-194 – Unexpected Sign Extension

Read Time:1 Minute, 49 Second

Description

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-681
CWE-681
CWE-681

 

Consequences

Integrity, Confidentiality, Availability, Other: Read Memory, Modify Memory, Other

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application’s allowable range.

 

Potential Mitigations

Phase: Implementation

Description: 

Avoid using signed variables if you don’t need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

CVE References

  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-1999-0234
    • Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
  • CVE-2003-0161
    • Product uses “char” type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
  • CVE-2007-4988
    • chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  • CVE-2006-1834
    • chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
  • CVE-2005-2753
    • Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.
CWE

CWE-193 – Off-by-one Error

Read Time:3 Minute, 5 Second

Description

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682
CWE-682
CWE-617
CWE-170
CWE-119

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Implementation

Description: 

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

CVE References

  • CVE-2003-0252
    • Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.
  • CVE-2001-1391
    • Off-by-one vulnerability in driver allows users to modify kernel memory.
  • CVE-2002-0083
    • Off-by-one error allows local users or remote malicious servers to gain privileges.
  • CVE-2002-0653
    • Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.
  • CVE-2002-0844
    • Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.
  • CVE-1999-1568
    • Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.
  • CVE-2004-0346
    • Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.
  • CVE-2004-0005
    • Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2003-0356
    • Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2001-1496
    • Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2004-0342
    • This is an interesting example that might not be an off-by-one.
  • CVE-2001-0609
    • An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.
  • CVE-2002-1745
    • Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.
  • CVE-2002-1721
    • Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
  • CVE-2003-0466
    • Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
  • CVE-2003-0625
    • Off-by-one error allows read of sensitive memory via a malformed request.
  • CVE-2006-4574
    • Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.
CWE

CWE-192 – Integer Coercion Error

Read Time:1 Minute, 7 Second

Description

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-681

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Crash, Exit, or Restart

Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code.

Integrity, Other: Other

Integer coercion errors result in an incorrect value being stored for the variable in question.

 

Potential Mitigations

Phase: Requirements

Description: 

A language which throws exceptions on ambiguous data casts might be chosen.

Phase: Architecture and Design

Description: 

Design objects and program flow such that multiple or complex casts are unnecessary

Phase: Implementation

Description: 

Ensure that any data type casting that you must used is entirely understood in order to reduce the plausibility of error in use.

CVE References

News, Advisories and much more

Exit mobile version