Reino: Input Validation and Representation
Los problemas de validación y representación de entradas están causados por metacaracteres, codificaciones alternativas y representaciones numéricas. Los problemas de seguridad surgen de entradas en las que se confía. Estos problemas incluyen: «desbordamientos de búfer», ataques de «scripts de sitios», "SQL injection" y muchas otras acciones.
Integer Overflow
Abstract
Si no se tiene en cuenta el desbordamiento de enteros, se pueden producir errores lógicos o desbordamientos del búfer.
Explanation
Un desbordamiento de entero se produce cuando un programa no consigue contar con el hecho de que una operación aritmética puede dar como resultado una cantidad o bien mayor que el valor máximo del tipo de datos o inferior que su valor mínimo. A menudo, estos errores provocan problemas en las funciones de asignación de memoria, donde la entrada de un usuario se cruza con una conversión implícita entre los valores firmados y sin firma. Si un atacante puede provocar que el programa subasigne una memoria o interprete un valor firmado como un valor sin firmar en una operación de memoria, el programa puede ser vulnerable a un desbordamiento de búfer.
Ejemplo 1: El siguiente código, obtenido de OpenSSH 3.3, muestra un caso clásico de desbordamiento de enteros:
Si
Ejemplo 2: Este ejemplo procesa la entrada de usuario formada por una serie de estructuras de longitud variable. Los dos primeros bytes de entrada establecen el tamaño de la estructura que se va a procesar.
El programador ha establecido un límite superior en el tamaño de la estructura: si es mayor que
Ejemplo 1: El siguiente código, obtenido de OpenSSH 3.3, muestra un caso clásico de desbordamiento de enteros:
nresp = packet_get_int();
if (nresp > 0) {
response = xmalloc(nresp*sizeof(char*));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}
Si
nresp tiene el valor 1073741824 y sizeof(char*) tiene su valor típico de 4, el resultado de la operación nresp*sizeof(char*) se desbordaría y el argumento de xmalloc() sería 0. La mayor parte de las implementaciones de malloc() permitirán la asignación de un búfer de 0 bytes, lo que hará que las iteraciones de bucle posteriores desborden el búfer de montón response.Ejemplo 2: Este ejemplo procesa la entrada de usuario formada por una serie de estructuras de longitud variable. Los dos primeros bytes de entrada establecen el tamaño de la estructura que se va a procesar.
char* processNext(char* strm) {
char buf[512];
short len = *(short*) strm;
strm += sizeof(len);
if (len <= 512) {
memcpy(buf, strm, len);
process(buf);
return strm + len;
} else {
return -1;
}
}
El programador ha establecido un límite superior en el tamaño de la estructura: si es mayor que
512, la entrada no se procesará. El problema es que len es un entero con signo, de modo que la comprobación en relación con la longitud máxima de la estructura se realiza con enteros con signo, pero len se convierte en un entero sin signo para la llamada a memcpy(). Si len es negativo, parecerá que la estructura tiene un tamaño adecuado (se tomará la rama if), pero la cantidad de memoria copiada por memcpy() será bastante grande y el atacante podrá desbordar la pila con los datos de strm.References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cpp.integer_overflow
Abstract
No contar con un desbordamiento de entero puede llevar a errores de lógica y un desbordamiento de búfer.
Explanation
Un desbordamiento de entero se produce cuando un programa no consigue contar con el hecho de que una operación aritmética puede dar como resultado una cantidad o bien mayor que el valor máximo del tipo de datos o inferior que su valor mínimo. A menudo, estos errores provocan problemas en las funciones de asignación de memoria, donde la entrada de un usuario se cruza con una conversión implícita entre los valores firmados y sin firma. Si un atacante puede provocar que el programa subasigne una memoria o interprete un valor firmado como un valor sin firmar en una operación de memoria, el programa puede ser vulnerable a un desbordamiento de búfer.
Ejemplo 1: El siguiente extracto de código muestra un caso clásico de desbordamiento de entero:
Si
Ejemplo 1: El siguiente extracto de código muestra un caso clásico de desbordamiento de entero:
77 accept-in PIC 9(10).
77 num PIC X(4) COMP-5. *> native 32-bit unsigned integer
77 mem-size PIC X(4) COMP-5.
...
ACCEPT accept-in
MOVE accept-in TO num
MULTIPLY 4 BY num GIVING mem-size
CALL "CBL_ALLOC_MEM" USING
mem-pointer
BY VALUE mem-size
BY VALUE 0
RETURNING status-code
END-CALL
Si
num tiene el valor 1073741824, entonces el resultado de la operación MULTIPLY 4 BY num desborda, y el argumento mem-size a malloc() será 0. La mayoría de implementaciones de malloc() ayudarán a la asignación de un búfer de 0 byte, lo que provocará que el búfer de salto mem-pointer se desborde en declaraciones posteriores.References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cobol.integer_overflow