CWE-99 对资源描述符的控制不恰当(资源注入)

admin 2022年1月7日03:01:06CWE(弱点枚举)评论14 views4099字阅读13分39秒阅读模式

CWE-99 对资源描述符的控制不恰当(资源注入)

Improper Control of Resource Identifiers ('Resource Injection')

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: High

基本描述

The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

扩展描述

A resource injection issue occurs when the following two conditions are met:

This may enable an attacker to access or modify otherwise protected system resources.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: PeerOf cwe_CWE_ID: 706 cwe_View_ID: 1000

  • cwe_Nature: CanAlsoBe cwe_CWE_ID: 73 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity'] ['Read Application Data', 'Modify Application Data', 'Read Files or Directories', 'Modify Files or Directories'] An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

可能的缓解方案

MIT-5 Implementation

策略: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

示例代码

The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

bad Java

String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();

The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.

bad C++

ifstream ifs(argv[0]);
string s;
ifs >> s;
cout

The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.

Notes

Relationship
Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).
Maintenance
The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.
Other

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Resource Injection
Software Fault Patterns SFP24 Tainted input to command
OMG ASCSM ASCSM-CWE-99

相关攻击模式

  • CAPEC-10
  • CAPEC-240
  • CAPEC-75

引用

文章来源于互联网:scap中文网

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月7日03:01:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-99 对资源描述符的控制不恰当(资源注入) http://cn-sec.com/archives/612657.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: