界: Security Features

软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。

File Permission Manipulation

Abstract

允许用户输入以直接更改文件权限可能导致攻击者能够访问以其他方式保护的系统资源。

Explanation

当满足以下任一条件时，就会发生 File Permission Manipulation 错误：

1.攻击者可能会指定操作中所用的路径，以修改文件系统上的权限。

2.攻击者可能会指定文件系统上的操作所分配的权限。

示例 1：以下代码使用系统环境变量中的输入设置文件权限。如果攻击者可更改系统环境变量，则他们可能会使用该程序获得程序所处理文件的访问权限。如果程序依然易受 Path Manipulation 的攻击，那么攻击者可能会利用这一漏洞来访问系统中的任意文件。


    permissions := strconv.Atoi(os.Getenv("filePermissions"));
    fMode := os.FileMode(permissions)
    os.chmod(filePath, fMode);
    ...

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[6] Standards Mapping - FIPS200 AC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732

[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732

[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[44] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.golang.file_permission_manipulation

Abstract

允许用户输入以直接更改文件权限可能导致攻击者能够访问以其他方式保护的系统资源。

Explanation

当满足以下任一条件时，就会产生 file permission manipulation 错误：

1. 攻击者能够指定在 file system 中修改权限的操作所使用的路径。

2. 攻击者能够指定 file system 上的操作所分配的权限。

示例 1：以下代码使用来自系统属性的输入来设置默认权限掩码。如果攻击者更改了系统属性，则他们可以使用该程序获得该程序所处理文件的访问权限。如果程序还容易受路径篡改攻击，那么攻击者可能会利用这一漏洞访问系统中的任意文件。


  String permissionMask = System.getProperty("defaultFileMask");
  Path filePath = userFile.toPath();
  ...
  Set<PosixFilePermission> perms = PosixFilePermissions.fromString(permissionMask);
  Files.setPosixFilePermissions(filePath, perms);
...

References

[1] FIO01-J. Create files with appropriate access permissions CERT

[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[7] Standards Mapping - FIPS200 AC

[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732

[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732

[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.java.file_permission_manipulation

Abstract

允许用户输入以直接更改文件权限可能导致攻击者能够访问以其他方式保护的系统资源。

Explanation

当满足以下任一条件时，就会产生 file permission manipulation 错误：

1. 攻击者能够指定在 file system 中修改权限的操作所使用的路径。

2. 攻击者能够指定 file system 上的操作所分配的权限。

示例：以下代码旨在为用户设置适当的文件权限以通过 FTP 上载网页。它使用来自 HTTP 请求的输入将文件标记为外部用户可查看的文件。


	$rName = $_GET['publicReport'];
	chmod("/home/". authenticateUser . "/public_html/" . rName,"0755");
...

但是，如果攻击者为 publicReport 提供恶意值（例如，../../localuser/public_html/.htpasswd），那么应用程序将允许攻击者读取指定文件。

示例 2：以下代码使用来自配置文件的输入来设置默认权限掩码。如果攻击者可以篡改配置文件，则他们可以使用该程序获得该程序所处理文件的访问权限。如果程序还容易受路径篡改攻击，那么攻击者可能会利用这一漏洞访问系统中的任意文件。


...
$mask = $CONFIG_TXT['perms'];
chmod($filename,$mask);
...

References

[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley