[Forgot Password]
Login  Register Subscribe

25354

 
 

132805

 
 

139226

 
 

909

 
 

113180

 
 

156

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Download of Code Without Integrity Check

ID: 494Date: (C)2012-05-14   (M)2020-01-25
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Extended Description

An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.

Likelihood of Exploit: Medium

Applicable Platforms
Language Class: Language-independent

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Availability
Confidentiality
Other
 
Execute unauthorized code or commands
Alter execution logic
Other
 
Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.
 

Detection Methods

NameDescriptionEffectivenessNotes
Manual Analysis
 
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.
 
  
Black Box
 
Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.
Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.
 
  

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Perform proper forward and reverse DNS lookups to detect DNS spoofing.
 
 This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit.
 
Architecture and Design
Operation
 
 Encrypt the code with a reliable encryption scheme before transmitting.
This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
 
  
Architecture and Design
 
Libraries or Frameworks
 
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.

 
  
Architecture and Design
Operation
 
Environment Hardening
 
Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.494.7]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
 
  
Architecture and Design
Operation
 
Sandbox or Jail
 
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
 
Limited
 
The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
 

Relationships

Related CWETypeViewChain
CWE-494 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
  2. This example loads an external class from a local subdirectory.

Observed Examples

  1. CVE-2008-3438 : OS does not verify authenticity of its own updates.
  2. CVE-2008-3324 : online poker client does not verify authenticity of its own updates.
  3. CVE-2001-1125 : anti-virus product does not verify automatic updates for itself.
  4. CVE-2002-0671 : VOIP phone downloads applications from web sites without verifying integrity.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
CLASP  Invoking untrusted mobile code
 
 
CERT Java Secure Coding SEC06-J
 
Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
 
 

References:

  1. Microsoft .Introduction to Code Signing.
  2. Microsoft .Authenticode.
  3. Apple .Code Signing Guide. Apple Developer Connection. 2008-11-19.
  4. Anthony Bellissimo John Burgess Kevin Fu .Secure Software Updates: Disappointments and New Challenges.
  5. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 18: The Sins of Mobile Code." Page 267'. Published on 2010.
  6. Johannes Ullrich .Top 25 Series - Rank 20 - Download of Code Without Integrity Check. SANS Software Security Institute. 2010-04-05.
  7. Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
CVE    12
CVE-2017-2739
CVE-2017-2707
CVE-2019-16760
CVE-2010-3440
...

© SecPod Technologies