CWE-209 通过错误消息导致的信息暴露
Information Exposure Through an Error Message
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: High
基本描述
The software generates an error message that includes sensitive information about its environment, users, or associated data.
扩展描述
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 755 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'PHP', 'cwe_Prevalence': 'Often'}, {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}]
常见的影响
范围 | 影响 | 注释 |
---|---|---|
Confidentiality | Read Application Data | Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server. |
检测方法
Manual Analysis
Automated Analysis
DM-2 Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
DM-12 Manual Dynamic Analysis
可能的缓解方案
MIT-39 Implementation
策略:
Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success.
If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
Implementation
策略:
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
MIT-33 Implementation
策略: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
MIT-40 ['Implementation', 'Build and Compilation']
策略: Compilation or Build Hardening
Debugging information should not make its way into a production release.
MIT-40 ['Implementation', 'Build and Compilation']
策略: Environment Hardening
Debugging information should not make its way into a production release.
System Configuration
策略:
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
System Configuration
策略:
Create default error pages or messages that do not leak any information.
示例代码
例
In the following example, sensitive information might be printed depending on the exception that occurs.
bad Java
}
catch (Exception e) {
}
If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem.
例
This code tries to open a database connection, and prints any exceptions that occur.
bad Java
}
//print exception message that includes exception message and configuration file location
catch (Exception $e) {
echo 'Check credentials in config file at: ', $Mysql_config_location, 'n';
}
If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database.
例
The following code generates an error message that leaks the full pathname of the configuration file.
bad Perl
$uname = GetUserInput("username");
# avoid CWE-22, CWE-78, others.
ExitError("Bad hacker!") if ($uname !~ /^w+$/);
$file = "$ConfigDir/$uname.txt";
if (! (-e $file)) {
}
...
If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.
例
In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.
bad Java
String query = null;
try {
+ username + " AND accountID = " + accountNumber;
DatabaseManager dbManager = new DatabaseManager();
Connection conn = dbManager.getConnection();
Statement stmt = conn.createStatement();
ResultSet queryResult = stmt.executeQuery(query);
userAccount = (BankAccount)queryResult.getObject(accountNumber);
}
} catch (SQLException ex) {
Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);
}
return userAccount;
}
The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.
分析过的案例
标识 | 说明 | 链接 |
---|---|---|
CVE-2008-2049 | POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2049 |
CVE-2007-5172 | Program reveals password in error message if attacker can trigger certain database errors. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5172 |
CVE-2008-4638 | Composite: application running with high privileges allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 |
CVE-2008-1579 | Existence of user names can be determined by requesting a nonexistent blog and reading the error message. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1579 |
CVE-2007-1409 | Direct request to library file in web application triggers pathname leak in error message. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409 |
CVE-2008-3060 | Malformed input to login page causes leak of full path when IMAP call fails. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3060 |
CVE-2005-0603 | Malformed regexp syntax leads to information exposure in error message. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603 |
CVE-2017-9615 | verbose logging stores admin credentials in a world-readablelog file | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9615 |
CVE-2018-1999036 | SSH password for private key stored in build log | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999036 |
分类映射
映射的分类名 | ImNode ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Accidental leaking of sensitive information through error messages | ||
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling |
OWASP Top Ten 2004 | A7 | CWE More Specific | Improper Error Handling |
OWASP Top Ten 2004 | A10 | CWE More Specific | Insecure Configuration Management |
The CERT Oracle Secure Coding Standard for Java (2011) | ERR01-J | Do not allow exceptions to expose sensitive information | |
Software Fault Patterns | SFP23 | Exposed Data |
相关攻击模式
- CAPEC-214
- CAPEC-215
- CAPEC-463
- CAPEC-54
- CAPEC-7
引用
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论