CWE-494 下载代码缺少完整性检查
Download of Code Without Integrity Check
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: Medium
基本描述
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
扩展描述
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 669 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 669 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: PeerOf cwe_CWE_ID: 79 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Integrity', 'Availability', 'Confidentiality', 'Other'] | ['Execute Unauthorized Code or Commands', 'Alter Execution Logic', 'Other'] | Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users. |
检测方法
DM-7.4 Manual Analysis
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.
These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
DM-11 Black Box
Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.
Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.
可能的缓解方案
MIT-42 Implementation
策略:
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
['Architecture and Design', 'Operation']
策略:
Encrypt the code with a reliable encryption scheme before transmitting.
This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
MIT-4 Architecture and Design
策略: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.
MIT-17 ['Architecture and Design', 'Operation']
策略: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
MIT-22 ['Architecture and Design', 'Operation']
策略: Sandbox or Jail
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
示例代码
例
This example loads an external class from a local subdirectory.
bad Java
};
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code.
例
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
bad PHP
function authenticate($username,$password){
include("http://external.example.com/dbInfo.php");
//dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
mysql_select_db($dbname);
$query = 'Select * from users where username='.$username.' And password='.$password;
$result = mysql_query($query);
if(mysql_numrows($result) == 1){
return true;
}
else{
return false;
}
}
This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow himself to access the application without a real user account.
This example is also vulnerable to a Man in the Middle (CWE-300) attack.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2008-3438 | OS does not verify authenticity of its own updates. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3438 |
| CVE-2008-3324 | online poker client does not verify authenticity of its own updates. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3324 |
| CVE-2001-1125 | anti-virus product does not verify automatic updates for itself. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1125 |
| CVE-2002-0671 | VOIP phone downloads applications from web sites without verifying integrity. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0671 |
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Invoking untrusted mobile code | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | |
| Software Fault Patterns | SFP27 | Tainted input to environment |
相关攻击模式
- CAPEC-184
- CAPEC-185
- CAPEC-186
- CAPEC-187
- CAPEC-533
引用
-
REF-457 Secure Software Updates: Disappointments and New Challenges
-
REF-459 Top 25 Series - Rank 20 - Download of Code Without Integrity Check
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论