Tag Archives: CVE-2008-2516

CWE-783 – Operator Precedence Logic Error

Read Time:1 Minute, 0 Second

Description

The program uses an expression in which operator precedence causes incorrect logic to be used.

While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-670

 

Consequences

Confidentiality, Integrity, Availability: Varies by Context, Unexpected State

The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Regularly wrap sub-expressions in parentheses, especially in security-critical code.

CVE References

 

  • CVE-2008-2516
    • Authentication module allows authentication bypass because it uses “(x = call(args) == SUCCESS)” instead of “((x = call(args)) == SUCCESS)”.
  • CVE-2008-0599
    • Chain: Language interpreter calculates wrong buffer size (CWE-131) by using “size = ptr ? X : Y” instead of “size = (ptr ? X : Y)” expression.
  • CVE-2001-1155
    • Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.