CWE

CWE-828 – Signal Handler with Functionality that is not Asynchronous-Safe

Read Time:1 Minute, 31 Second

Description

The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-364

 

Consequences

Integrity, Confidentiality, Availability: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands

The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.

 

Potential Mitigations

Phase: Implementation, Architecture and Design

Effectiveness: High

Description: 

Phase: Implementation

Effectiveness:

Description: 

Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. It also includes blocking all signals reliant upon the functionality when it is being accessed or modified by the normal behaviors of the software.

CVE References

 

  • CVE-2008-4109
    • Signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to denial of service via multiple login attempts
  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
  • CVE-2001-1349
    • unsafe calls to library functions from signal handler
  • CVE-2004-0794
    • SIGURG can be used to remotely interrupt signal handler; other variants exist.
  • CVE-2004-2259
    • SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.
  • CVE-2002-1563
    • SIGCHLD not blocked in a daemon loop while counter is modified, causing counter to get out of sync.
CWE

CWE-827 – Improper Control of Document Type Definition

Read Time:1 Minute, 3 Second

Description

The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-706
CWE-829
CWE-776

 

Consequences

Confidentiality: Read Files or Directories

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (CWE-776).

Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server’s trust relationship with other entities.

 

Potential Mitigations

CVE References

 

  • CVE-2010-2076
    • Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.
CWE

CWE-826 – Premature Release of Resource During Expected Lifetime

Read Time:1 Minute, 9 Second

Description

The program releases a resource that is still intended to be used by the program itself or another actor.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-666
CWE-672

 

Consequences

Confidentiality: Read Application Data, Read Memory

If the released resource is subsequently reused or reallocated, then a read operation on the original resource might access sensitive data that is associated with a different user or entity.

Availability: DoS: Crash, Exit, or Restart

When the resource is released, the software might modify some of its structure, or close associated channels (such as a file descriptor). When the software later accesses the resource as if it is valid, the resource might not be in an expected state, leading to resultant errors that may lead to a crash.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Application Data, Modify Memory

When the resource is released, the software might modify some of its structure. This might affect program logic in the sections of code that still assume the resource is active. If the released resource is related to memory and is used in a function call, or points to unexpected data in a write operation, then code execution may be possible upon subsequent accesses.

 

Potential Mitigations

CVE References

 

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
CWE

CWE-825 – Expired Pointer Dereference

Read Time:1 Minute, 50 Second

Description

The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

When a program releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the program to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-672
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application.

Availability: DoS: Crash, Exit, or Restart

If the expired pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” (such as NULL) or larger than expected by a read or write operation, then a crash may occur.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Choose a language that provides automatic memory management.

Phase: Implementation

Effectiveness:

Description: 

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

CVE References

 

  • CVE-2008-5013
    • access of expired memory address leads to arbitrary code execution
  • CVE-2010-3257
    • stale pointer issue leads to denial of service and possibly other consequences
  • CVE-2008-0062
    • Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
  • CVE-2007-1211
    • read of value at an offset into a structure after the offset is no longer valid
CWE

CWE-824 – Access of Uninitialized Pointer

Read Time:1 Minute, 54 Second

Description

The program accesses or uses a pointer that has not been initialized.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the uninitialized pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the uninitialized pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” (such as NULL) or larger than expected by a read or write operation, then a crash may occur.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If the uninitialized pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2010-0211
    • chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824).
  • CVE-2009-2768
    • Pointer in structure is not initialized, leading to NULL pointer dereference (CWE-476) and system crash.
  • CVE-2009-1415
    • Improper handling of invalid signatures leads to free of invalid pointer.
  • CVE-2009-0846
    • Invalid encoding triggers free of uninitialized pointer.
  • CVE-2009-0040
    • Crafted PNG image leads to free of uninitialized pointer.
  • CVE-2008-2934
    • Crafted GIF image leads to free of uninitialized pointer.
  • CVE-2007-4682
    • Access of uninitialized pointer might lead to code execution.
  • CVE-2007-4639
    • Step-based manipulation: invocation of debugging function before the primary initialization function leads to access of an uninitialized pointer and code execution.
  • CVE-2007-4000
    • Unchecked return values can lead to a write to an uninitialized pointer.
  • CVE-2007-2442
    • zero-length input leads to free of uninitialized pointer.
  • CVE-2007-1213
    • Crafted font leads to uninitialized function pointer.
  • CVE-2006-6143
    • Uninitialized function pointer in freed memory is invoked
  • CVE-2006-4175
    • LDAP server mishandles malformed BER queries, leading to free of uninitialized memory
  • CVE-2006-0054
    • Firewall can crash with certain ICMP packets that trigger access of an uninitialized pointer.
  • CVE-2003-1201
    • LDAP server does not initialize members of structs, which leads to free of uninitialized pointer if an LDAP request fails.
CWE

CWE-823 – Use of Out-of-range Pointer Offset

Read Time:2 Minute, 4 Second

Description

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2010-2160
    • Invalid offset in undocumented opcode leads to memory corruption.
  • CVE-2010-1281
    • Multimedia player uses untrusted value from a file when using file-pointer calculations.
  • CVE-2009-3129
    • Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
  • CVE-2009-2694
    • Instant messaging library does not validate an offset value specified in a packet.
  • CVE-2009-2687
    • Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
  • CVE-2010-2873
    • “blind trust” of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
  • CVE-2010-2866
    • negative value (signed) causes pointer miscalculation
  • CVE-2010-2872
    • signed values cause incorrect pointer calculation
  • CVE-2010-2867
    • a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
  • CVE-2009-1097
    • portions of a GIF image used as offsets, causing corruption of an object pointer.
  • CVE-2008-1807
    • invalid numeric field leads to a free of arbitrary memory locations, then code execution.
  • CVE-2007-2500
    • large number of elements leads to a free of an arbitrary address
  • CVE-2008-1686
    • array index issue (CWE-129) with negative offset, used to dereference a function pointer
CWE

CWE-822 – Untrusted Pointer Dereference

Read Time:1 Minute, 38 Second

Description

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

 

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

 

Potential Mitigations

CVE References

 

  • CVE-2007-5655
    • message-passing framework interprets values in packets as pointers, causing a crash.
  • CVE-2010-2299
    • labeled as a “type confusion” issue, also referred to as a “stale pointer.” However, the bug ID says “contents are simply interpreted as a pointer… renderer ordinarily doesn’t supply this pointer directly”. The “handle” in the untrusted area is replaced in one function, but not another – thus also, effectively, exposure to wrong sphere (CWE-668).
  • CVE-2009-1719
    • Untrusted dereference using undocumented constructor.
  • CVE-2009-1250
    • An error code is incorrectly checked and interpreted as a pointer, leading to a crash.
  • CVE-2009-0311
    • An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
  • CVE-2010-1818
    • Undocumented attribute in multimedia software allows “unmarshaling” of an untrusted pointer.
  • CVE-2010-3189
    • ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
  • CVE-2010-1253
    • Spreadsheet software treats certain record values that lead to “user-controlled pointer” (might be untrusted offset, not untrusted pointer).
CWE

CWE-821 – Incorrect Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-820 – Missing Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-82 – Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

Read Time:1 Minute, 24 Second

Description

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim’s browser. Note that when the page is loaded into a user’s browsers, the exploit will automatically execute.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-83

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2006-3211
    • Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.

News, Advisories and much more

Exit mobile version