CWE-626 Null Byte Interaction Error

admin, 2021-12-04 16:18:20

Null Byte Interaction Error (Poison Null Byte)

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Unknown

Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Extended Description

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.

The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.
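As an added illustration (not part of the CWE entry), the following Python code simulates the representation mismatch the entry describes: a length-counted string (Perl/PHP style) passes a hard-coded-extension check and a whitelist regex, while the C-terminated view of the same buffer does not contain the extension or the trailing data. The `c_view` helper and the "/data" paths are constructed for the example; the C-backed regex check is a simulation of the behaviour, not a real PHP engine.

```python
import os
import re

NUL = "\0"

def c_view(s: str) -> str:
    """What a C function given this buffer as a char* sees: everything up to the first NUL."""
    idx = s.find(NUL)
    return s if idx < 0 else s[:idx]

def build_path(base_dir: str, name: str) -> str:
    """Naive pattern from the CWE text: append a hard-coded extension to user input and
    check it with a length-aware (Perl/PHP/Python-style) test. The check passes for every
    input, including one carrying an embedded NUL."""
    path = os.path.join(base_dir, name + ".txt")
    if not path.endswith(".txt"):
        raise ValueError("unexpected extension")
    return path

def c_backed_whitelist(value: str, pattern: str = r"[a-z]+") -> bool:
    """Simulation of a whitelist regex evaluated by a C-backed engine that stops at the NUL
    (the CVE-2005-4155 / CVE-2005-3153 pattern): only the C-visible prefix is matched."""
    return re.fullmatch(pattern, c_view(value)) is not None

def reject_nul(s: str) -> str:
    """Mitigation from the entry: refuse (or strip) NUL bytes before the data crosses into C."""
    if NUL in s:
        raise ValueError("NUL byte in input")
    return s

def runtime_rejects(path: str) -> bool:
    """Caveat for defenders: CPython's own open() refuses embedded NULs with ValueError,
    so the script layer never reaches the C layer; other interpreters may not."""
    try:
        open(path)
    except ValueError:
        return True
    except OSError:
        return False
    return False

def demo() -> dict:
    poisoned = "secret.conf" + NUL          # constructed input: name followed by a NUL
    path = build_path("/data", poisoned)    # script-level check: endswith('.txt') is True
    return {"script_sees": path, "c_sees": c_view(path)}
```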

Related Weaknesses

  • ChildOf CWE-20 (View 1000, Primary)

  • ChildOf CWE-20 (View 699, Primary)

  • ChildOf CWE-436 (View 1000)

  • ChildOf CWE-436 (View 699)

Applicable Platforms

Languages:

  • PHP (Prevalence: Undetermined)

  • Perl (Prevalence: Undetermined)

  • ASP.NET (Prevalence: Undetermined)

Common Consequences

Scope: Integrity
Impact: Unexpected State

Potential Mitigations

Phase: Implementation

Strategy:

Remove null bytes from all incoming strings.

Observed Examples

CVE-2005-4155: NUL byte bypasses PHP regular expression check (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155)
CVE-2005-3153: inserting SQL after a NUL byte bypasses whitelist regexp, enabling SQL injection (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153)

Notes

Terminology
Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.
Research Gap
There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.

References

Article source: scap中文网

Original link (CN-SEC中文网): http://cn-sec.com/archives/613438.html