CWE-409 对高度压缩数据的处理不恰当（数据放大攻击）

Improper Handling of Highly Compressed Data (Data Amplification)

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

扩展描述

An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 405 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 405 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Availability	['DoS: Amplification', 'DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)']	System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.

示例代码

例

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

attack XML

分析过的案例

标识	说明	链接
CVE-2009-1955	XML bomb in web server module	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
CVE-2003-1564	Parsing library allows XML bomb	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Data Amplification
The CERT Oracle Secure Coding Standard for Java (2011)	IDS04-J		Limit the size of files passed to ZipInputStream

文章来源于互联网:scap中文网