Weakness
Abstract
The application allows an attacker to craft a URL that forces the download of arbitrary content that appears to originate from a trusted domain.
Explanation
Reflected File Download (RFD) is a vulnerability that allows an attacker to craft a phishing URL or page that, once a user visits it, starts downloading a file whose arbitrary content appears to originate from a trusted domain. Because the user trusts the given domain, he or she is likely to open the downloaded file, which may lead to the execution of malicious code.

For an attacker to mount an RFD attack successfully, the following requirements must be met:
- The target application reflects user input without proper validation or encoding. This flaw is used to inject the payload.
- The target application accepts permissive URLs, so the attacker can control the name and extension of the downloaded file.
- The target application's Content-Disposition header is misconfigured and the attacker can control the Content-Type and/or Content-Disposition headers of the HTTP response, or the target application emits a Content-Type that browsers do not render by default.

For example, if the application uses the Spring Web MVC ContentNegotiationManager to dynamically produce different response formats, the conditions needed for an RFD attack are met.

The ContentNegotiationManager is configured to decide the response format from the request's path extension and uses the Java Activation Framework (JAF) to look up the Content-Type that best matches the format the client requested. The client can also specify the response content type through the media types sent in the request's Accept header.

Example 1: In the following example, the application is configured to let the response content type be determined by the path extension strategy and the Java Activation Framework:

<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
    <property name="favorPathExtension" value="true" />
    <property name="useJaf" value="true" />
</bean>

Example 2: In the following example, the application is configured to let the response content type be determined by the request's Accept header:

<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
    <property name="ignoreAcceptHeader" value="false" />
</bean>

Note that in Spring 4.2.1 the default values of the ContentNegotiationManagerFactoryBean properties are:

- useJaf: true
- favorPathExtension: true
- ignoreAcceptHeader: false

The configuration shown in Example 1 allows an attacker to craft a malicious URL such as:

http://server/some/resource/endpoint/foo.bat?input=payload

As a result, the ContentNegotiationManager uses the Java Activation Framework (if activation.jar is found on the classpath) to try to resolve a media type for the given file extension, and sets the response's Content-Type header accordingly. In this example the file extension is "bat", which yields an application/x-msdownload Content-Type header (although the actual Content-Type may vary with the server OS and the JAF configuration). Consequently, once the victim visits this malicious URL, his or her computer automatically starts downloading a ".bat" file containing attacker-controlled content. If that file is then executed, the victim's computer runs whatever commands the attacker's payload specifies.
References
[1] Oren Hafif Reflected File Download - A New Web Attack Vector
[2] Alvaro Munoz Reflected File Download in Spring MVC
[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 233
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.config.java.reflected_file_download
Abstract
The behavior of the function is undefined unless its control parameter is set to a specific value.
Explanation
The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [1]. If the constraints are not met, the behavior of the functions is not defined.

In the following file system functions, the value 1 must be passed as the first parameter (the version number):

__xmknod

In the following wide-character string functions, the value 2 must be passed as the third parameter (the group argument):

__wcstod_internal
__wcstof_internal
__wcstol_internal
__wcstold_internal
__wcstoul_internal

In the following file system functions, the value 3 must be passed as the first parameter (the version number):

__xstat
__lxstat
__fxstat
__xstat64
__lxstat64
__fxstat64

References
[1] The Linux Standard Base Specification 2.0.1, Interfaces Definitions for libc.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 475
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
desc.semantic.cpp.undefined_behavior
Abstract
The application uses an assignment that dereferences a system FILE object.
Explanation
Depending on the specific C compiler in use, the address of a system FILE object may be significant to its use as a stream. Using a copy of a FILE object that lacks the associated address may result in undefined behavior, which can lead to system information leakage, a system crash, or allow a malicious actor to read or edit files at will.

Example 1: The following code shows a system FILE object that is dereferenced and copied by value.

#include <stdio.h>
FILE *sysfile = fopen("test.file", "w+");   /* sysfile points at the stream the C library manages */
FILE insecureFile = *sysfile;               /* copies the FILE struct by value; the copy is not a usable stream */

Because sysfile is dereferenced in the assignment to insecureFile, any use of insecureFile leads to a variety of problems.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 706
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.5
desc.structural.cpp.undefined_behavior_file_pointer_dereference
Abstract
The application performs file operations on a closed file pointer.
Explanation
Performing file operations on a system FILE object after its associated stream has been closed results in undefined behavior. Depending on the specific C compiler in use, the file operation may crash the system or even modify or read the same or a different file.

Example 1: The following code shows an attempt to read from a system FILE object after the corresponding stream has been closed.

#include <stdio.h>
FILE *sysfile = fopen("test.file", "r+");
int res = fclose(sysfile);          /* the stream behind sysfile is now closed */
if (res == 0) {
    printf("%c", getc(sysfile));    /* reads through the closed stream: undefined behavior */
}

Because getc() runs after the sysfile stream has been closed, the call results in undefined behavior, which may crash the system or modify or read the same or a different file.
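The two FILE pitfalls described above (copying *sysfile by value, and reading through a handle after fclose()) can both be avoided with the pattern below. This is an added example, not code from the page: it writes a constructed scratch file, passes the stream only by pointer, and nulls the handle on close so that a later read fails with EOF instead of undefined behavior.

```cpp
#include <cstdio>
#include <string>

// Added example (not from the page): a FILE handle is used only through the
// pointer fopen() returned, never through a by-value copy of the FILE struct,
// and it is closed through a helper that nulls the caller's pointer so that a
// later use is a detectable nullptr instead of undefined behavior.

struct DemoResult {
    int before_close;   // character read while the stream was open
    int after_close;    // result of the guarded read after the stream was closed
};

// Closes *fp if it is open and sets it to nullptr. Returns fclose()'s result,
// or 0 when there was nothing to close.
static int close_and_null(FILE **fp) {
    if (fp == nullptr || *fp == nullptr) return 0;
    int rc = std::fclose(*fp);
    *fp = nullptr;   // the stale handle can no longer be dereferenced by accident
    return rc;
}

// Returns the first character of the stream, or EOF when the handle is null
// (i.e. the stream has already been closed through close_and_null()).
static int first_char(FILE *fp) {
    if (fp == nullptr) return EOF;   // the guard replaces use-after-close
    std::rewind(fp);
    return std::getc(fp);
}

// Writes `content` to a scratch file at `path` (constructed for the demo),
// reads it back through the original pointer, closes the stream, and then
// shows that the guarded read fails cleanly instead of touching a closed FILE.
DemoResult demo(const std::string &path, const std::string &content) {
    DemoResult r{EOF, EOF};
    FILE *sysfile = std::fopen(path.c_str(), "w+");
    if (sysfile == nullptr) return r;
    std::fputs(content.c_str(), sysfile);
    std::fflush(sysfile);

    r.before_close = first_char(sysfile);   // pointer, not a copy of *sysfile
    close_and_null(&sysfile);               // sysfile is now nullptr
    r.after_close = first_char(sysfile);    // EOF, not getc() on a closed stream
    std::remove(path.c_str());
    return r;
}
```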
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 910
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.6
desc.controlflow.cpp.undefined_behavior_file_pointer_use_after_close
Abstract
Explicitly deleting a managed pointer causes the program to crash or otherwise behave incorrectly.
Explanation
Once a managed pointer has been deleted, the pointer-management code that assumes the pointer is still valid will crash the program or perform incorrect operations. The following example illustrates this error.

#include <memory>
struct foo {};
std::auto_ptr<foo> p(new foo);   // p owns the object and will delete it in its destructor
foo* rawFoo = p.get();           // get() hands out the raw pointer without transferring ownership
delete rawFoo;                   // p still owns the object and will delete it a second time

The only case in which this rule does not apply is when the managed pointer class supports a "detach" operation that lets the programmer take control of the memory management of a particular pointer. If the program detaches the pointer from the management class before calling delete, the management class knows not to use the pointer afterwards.
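The "detach" operation described above, in an added example that is not the page's own code. std::auto_ptr is removed from C++17, so std::unique_ptr stands in for it here; its release() is the detach, and the struct foo and the values are constructed for the demo.

```cpp
#include <memory>
#include <utility>

// Added example (not from the page). std::auto_ptr, which the page's snippet
// uses, is removed in C++17, so std::unique_ptr stands in for it here. The
// defect on the page is delete on a pointer the manager still owns; the two
// functions below show the correct alternatives the text alludes to.

struct foo { int value; };   // constructed stand-in for the page's `foo`

struct DetachResult {
    int value;                // value read from the object
    bool manager_still_owns;  // whether the smart pointer still claims ownership
};

// Detach first: release() is unique_ptr's "detach" operation. After it the
// manager holds nullptr, so the explicit delete is the only one that happens.
DetachResult detach_then_delete() {
    std::unique_ptr<foo> p(new foo{42});
    foo *rawFoo = p.release();                 // ownership moves to rawFoo
    DetachResult r{rawFoo->value, static_cast<bool>(p)};
    delete rawFoo;                             // single delete; ~unique_ptr frees nothing
    return r;
}

// Or never delete manually: hand the whole owner to the consumer. The object is
// freed exactly once, when `owned` goes out of scope at the end of consume().
static int consume(std::unique_ptr<foo> owned) {
    return owned ? owned->value : -1;
}

int transfer_ownership() {
    std::unique_ptr<foo> p(new foo{7});
    int v = consume(std::move(p));   // p is empty afterwards; no delete in this scope
    return p ? -1 : v;               // 7: the caller no longer owns anything
}

// For contrast, the page's defective pattern (not executed here): get() leaves
// ownership with p, so `delete rawFoo` and p's destructor would both free it.
//   std::unique_ptr<foo> p(new foo{1}); foo *rawFoo = p.get(); delete rawFoo;
```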
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[29] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.redundant_delete