CWE-842 – Placement of User into Incorrect Group

Description

The software or the administrator places a user into an incorrect group.

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-286

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

CVE References

  • CVE-1999-1193
    • Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
  • CVE-2010-3716
    • Chain: crafted web request allows the creation of users with arbitrary group membership.
  • CVE-2008-5397
    • Chain: improper processing of configuration options causes users to have unintended group memberships.
  • CVE-2007-6644
    • CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
  • CVE-2007-3260
    • Product assigns members to the root group, allowing escalation of privileges.
  • CVE-2002-0080
    • Chain: daemon does not properly clear groups before dropping privileges.

CWE-841 – Improper Enforcement of Behavioral Workflow

Description

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-691

Consequences

Other: Alter Execution Logic

An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.

Potential Mitigations

CVE References

  • CVE-2011-0348
    • Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.
  • CVE-2007-3012
    • Attacker can access portions of a restricted page by canceling out of a dialog.
  • CVE-2009-5056
    • Ticket-tracking system does not enforce a permission setting.
  • CVE-2004-2164
    • Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.
  • CVE-2003-0777
    • Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.
  • CVE-2005-3327
    • Chain: Authentication bypass by skipping the first startup step as required by the protocol.
  • CVE-2004-0829
    • Chain: File server crashes when sent a “find next” request without an initial “find first.”
  • CVE-2010-2620
    • FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.
  • CVE-2005-3296
    • FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.

CWE-84 – Improper Neutralization of Encoded URI Schemes in a Web Page

Description

The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-79

Consequences

Integrity: Unexpected State

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Resolve all URIs to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
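The two mitigations above (canonicalise before processing, then check against a positive specification) as one added example, not code from the CWE entry: the URL is decoded the way a browser would decode it before its scheme is compared against an allowlist, so entity-encoded or whitespace-padded forms such as the one cited in the CVE references resolve to the scheme they actually carry. Function names and the allowlist are assumptions for the example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Positive specification: only these schemes may appear in an href/src.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Control characters and whitespace that browsers ignore inside a scheme.
_STRIP = re.compile(r"[\x00-\x20\x7f]")


def canonical_url(raw: str) -> str:
    """Undo the decodings a browser applies before it reads the scheme."""
    text = raw
    # Repeat until stable: HTML entities and percent-encoding can be nested.
    for _ in range(4):
        nxt = unquote(html.unescape(text))
        if nxt == text:
            break
        text = nxt
    # Drop embedded whitespace/control bytes the browser would ignore.
    return _STRIP.sub("", text)


def is_allowed_url(raw: str) -> bool:
    """True only if the canonical form carries an allow-listed scheme."""
    url = canonical_url(raw)
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        # Relative URL: no scheme, so no script-bearing scheme is possible.
        return True
    return scheme in ALLOWED_SCHEMES
```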

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

  • CVE-2005-0563
    • Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL (“jav&#X41sc ript:”) in an IMG tag.
  • CVE-2005-2276
    • Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. “j&#X41vascript” in an IMG tag).

CWE-839 – Numeric Range Comparison Without Minimum Check

Description

The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-1023
CWE-195
CWE-682
CWE-119
CWE-124

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Availability: DoS: Resource Consumption (Other)

In some contexts, a negative value could lead to resource consumption.

Confidentiality, Integrity: Modify Memory, Read Memory

If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.

Phase: Implementation

Effectiveness:

Description: 

If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
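An added example (not from the CWE entry) of the maximum-only check beside the corrected two-sided check from the mitigation above. A Python list is used as the indexable structure: a negative index silently wraps to the end of the list, which stands in for the buffer under-read the CVE references describe for C. The record table and function names are constructed for the example.

```python
# Constructed table: callers may only address the first three records.
RECORDS = ["public-0", "public-1", "public-2", "secret-admin-token"]
MAX_INDEX = 2


def parse_index(text: str) -> int:
    """Like atoi(), accepts an optional leading sign, so '-1' parses."""
    return int(text.strip(), 10)


def lookup_max_only(text: str) -> str:
    """Vulnerable: checks idx <= MAX_INDEX but never idx >= 0."""
    idx = parse_index(text)
    if idx > MAX_INDEX:
        raise ValueError("index too large")
    return RECORDS[idx]          # idx == -1 reaches RECORDS[3]


def lookup_checked(text: str) -> str:
    """Fixed: both bounds are verified before the value is used."""
    idx = parse_index(text)
    if not 0 <= idx <= MAX_INDEX:
        raise ValueError("index out of range")
    return RECORDS[idx]


def rejects(lookup, text: str) -> bool:
    """True if the given lookup refuses the input with ValueError."""
    try:
        lookup(text)
    except ValueError:
        return True
    return False
```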

CVE References

  • CVE-2010-1866
    • Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.
  • CVE-2009-1099
    • Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
  • CVE-2011-0521
    • Chain: kernel’s lack of a check for a negative value leads to memory corruption.
  • CVE-2010-3704
    • Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
  • CVE-2010-2530
    • Chain: negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
  • CVE-2009-3080
    • Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
  • CVE-2008-6393
    • Chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
  • CVE-2008-4558
    • Chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.

CWE-838 – Inappropriate Encoding for Output Context

Description

The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-116

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.

Phase: Architecture and Design

Effectiveness:

Description: 

Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.
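An added example (not from the CWE entry) of context-aware encoding as described in the two mitigations above: the same user-supplied value is written into HTML text, an HTML attribute, a URL parameter and a JavaScript string literal, each with the encoding that context's consumer expects, and the byte encoding is declared explicitly in the Content-Type header rather than left for the browser to guess (the failure mode in the CVE reference below). Function names are assumptions for the example.

```python
import html
import json
from urllib.parse import quote


def for_html_text(value: str) -> str:
    """HTML element content: entity-encode the markup characters."""
    return html.escape(value, quote=False)


def for_html_attr(value: str) -> str:
    """Quoted HTML attribute: also encode both quote characters."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON escaping, with '<' encoded
    so the value cannot close the script element early."""
    return json.dumps(value).replace("<", "\\u003c")


def for_url_param(value: str) -> str:
    """Query-string component: percent-encode all but unreserved chars."""
    return quote(value, safe="")


def render_page(name: str, charset: str = "utf-8"):
    """Return (headers, body_bytes); the header names the charset that
    the body was actually encoded with, so the two cannot drift apart."""
    page = (
        f"<p>Hello {for_html_text(name)}</p>"
        f'<a href="/u?name={for_url_param(name)}" title="{for_html_attr(name)}">me</a>'
        f"<script>var who = {for_js_string(name)};</script>"
    )
    headers = {"Content-Type": f"text/html; charset={charset}"}
    return headers, page.encode(charset)
```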

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

  • CVE-2009-2814
    • Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS.

CWE-837 – Improper Enforcement of a Single, Unique Action

Description

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to “stuff the ballot box” by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.
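An added example (not from the CWE entry) of enforcing the one-vote-per-voter rule from the paragraph above on the server side: a uniqueness constraint in the data store, keyed on the authenticated identity, makes the check and the record a single atomic step, rather than relying on a client-held marker such as the cookie in one of the CVE references below. The schema, poll data and function names are constructed for the example; the store is an in-memory SQLite database.

```python
import sqlite3


def open_store() -> sqlite3.Connection:
    """Create the ballot table; the UNIQUE constraint is the enforcement."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ballots ("
        " poll_id TEXT NOT NULL,"
        " voter_id TEXT NOT NULL,"   # authenticated identity, never a cookie
        " choice TEXT NOT NULL,"
        " UNIQUE (poll_id, voter_id))"
    )
    return db


def cast_vote(db, poll_id: str, voter_id: str, choice: str) -> bool:
    """Record the vote; return False if this voter already voted here.

    INSERT and the uniqueness check happen as one atomic operation, so two
    concurrent requests from the same voter cannot both be counted.
    """
    try:
        with db:
            db.execute(
                "INSERT INTO ballots (poll_id, voter_id, choice) VALUES (?, ?, ?)",
                (poll_id, voter_id, choice),
            )
    except sqlite3.IntegrityError:
        return False
    return True


def tally(db, poll_id: str) -> dict:
    """Count recorded choices for one poll."""
    rows = db.execute(
        "SELECT choice, COUNT(*) FROM ballots WHERE poll_id = ? GROUP BY choice",
        (poll_id,),
    )
    return dict(rows.fetchall())
```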

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-799

Consequences

Other:

An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software.

Potential Mitigations

CVE References

  • CVE-2008-0294
    • Ticket-booking web application allows a user to lock a seat more than once.
  • CVE-2005-4051
    • CMS allows people to rate downloads by voting more than once.
  • CVE-2002-216
    • Polling software allows people to vote more than once by setting a cookie.
  • CVE-2003-1433
    • Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game.
  • CVE-2002-1018
    • Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.
  • CVE-2009-2346
    • Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.

CWE-836 – Use of Password Hash Instead of Password for Authentication

Description

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-287
CWE-602

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

An attacker could bypass the authentication routine without knowing the original password.

Potential Mitigations

CVE References

  • CVE-2009-1283
    • Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
  • CVE-2005-3435
    • Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.
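An added example (not from the CWE entry or the products cited) of the weak scheme the description above covers, where a hash received from the client is compared directly with the stored hash, beside a verifier that requires the password itself and derives the hash server side. The user record, salts and function names are constructed for the example; PBKDF2-HMAC-SHA256 is used as the password hash.

```python
import hashlib
import hmac
import os


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the only place hashing happens."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str):
    """Per-user salt plus derived hash, as stored in the data store."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed data store. Its contents are exactly what a separate
# disclosure bug (such as the SQL injection chained in CVE-2009-1283)
# would hand to an attacker.
USERS = {"alice": make_record("correct horse battery")}


def login_with_hash(user: str, client_hash: bytes) -> bool:
    """CWE-836: possession of the stored hash alone is sufficient."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec[1], client_hash)


def login_with_password(user: str, password: str) -> bool:
    """Fixed: the client must present the password; the hash is derived
    here and never accepted from the network, so a leaked hash does not
    authenticate by itself."""
    rec = USERS.get(user)
    if rec is None:
        derive(password, b"\x00" * 16)   # equalise work for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, derive(password, salt))
```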

CWE-835 – Loop with Unreachable Exit Condition (‘Infinite Loop’)

Description

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-834

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification

An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software’s operation may slow down or take a long time to respond.

Potential Mitigations

CVE References

  • CVE-2011-1027
    • Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.
  • CVE-2011-1142
    • Chain: self-referential values in recursive definitions lead to infinite loop.
  • CVE-2011-1002
    • NULL UDP packet is never cleared from a queue, leading to infinite loop.
  • CVE-2006-6499
    • Chain: web browser crashes due to infinite loop – “bad looping logic [that relies on] floating point math [CWE-1339] to exit the loop [CWE-835]”
  • CVE-2010-4476
    • Floating point conversion routine cycles back and forth between two different values.
  • CVE-2010-4645
    • Floating point conversion routine cycles back and forth between two different values.
  • CVE-2010-2534
    • Chain: improperly clearing a pointer in a linked list leads to infinite loop.
  • CVE-2013-1591
    • Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
  • CVE-2008-3688
    • Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server.

CWE-834 – Excessive Iteration

Description

The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the software or its host system; it depends on the amount of resources consumed per iteration.
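An added example (not from either CWE entry) serving both CWE-835 above and this entry: a percent-decoder whose loop stalls on an invalid hex escape because the index is not advanced, in the spirit of the hex-decoding defect cited under CVE-2011-1027, beside a version whose every path through the loop body makes progress. The stalling version carries an iteration budget only so the defect can be observed instead of hanging; the decoder and its inputs are constructed for the example.

```python
class IterationLimit(Exception):
    """Raised when a loop exceeds its iteration budget."""


HEX = "0123456789abcdefABCDEF"


def decode_stalls(s: str, budget: int = 10_000) -> str:
    """Loop bug: an invalid escape is skipped with 'continue' but i is not
    advanced, so the same position is examined forever. The budget is a
    backstop that turns the hang into an exception."""
    out, i, steps = [], 0, 0
    while i < len(s):
        steps += 1
        if steps > budget:
            raise IterationLimit("loop made no progress")
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                continue            # BUG: i unchanged, exit unreachable
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_progress(s: str) -> str:
    """Fixed: every branch advances i by at least one, so the exit
    condition i >= len(s) is reachable for any finite input."""
    out, i = [], 0
    while i < len(s):
        pair = s[i + 1:i + 3]
        if s[i] == "%" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(s[i])        # invalid escape passed through as-is
            i += 1
    return "".join(out)


def stalls(s: str) -> bool:
    """True if decode_stalls() fails to finish within a small budget."""
    try:
        decode_stalls(s, budget=1_000)
    except IterationLimit:
        return True
    return False
```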

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-691

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart

Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The software’s operation may slow down or take a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error.

Potential Mitigations

CVE References

  • CVE-2011-1027
    • Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.
  • CVE-2006-6499
    • Chain: web browser crashes due to infinite loop – “bad looping logic [that relies on] floating point math [CWE-1339] to exit the loop [CWE-835]”

CWE-833 – Deadlock

Description

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-667
CWE-662

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart

Each thread of execution will “hang” and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop.

Potential Mitigations

CVE References

  • CVE-1999-1476
    • A bug in some Intel Pentium processors allows DoS (hang) via an invalid “CMPXCHG8B” instruction, causing a deadlock.
  • CVE-2009-4272
    • Deadlock triggered by packets that force collisions in a routing table.
  • CVE-2002-1850
    • Read/write deadlock between web server and script.
  • CVE-2004-0174
    • Web server deadlock involving multiple listening connections.
  • CVE-2009-1388
    • Multiple simultaneous calls to the same function trigger deadlock.
  • CVE-2006-5158
    • Chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
  • CVE-2006-4342
    • Deadlock when an operation is performed on a resource while it is being removed.
  • CVE-2006-2374
    • Deadlock in device driver triggered by using file handle of a related device.
  • CVE-2006-2275
    • Deadlock when large number of small messages cannot be processed quickly enough.
  • CVE-2005-3847
    • OS kernel has deadlock triggered by a signal during a core dump.
  • CVE-2005-2456
    • Chain: array index error (CWE-129) leads to deadlock (CWE-833).
