CWE-378 创建拥有不安全权限的临时文件
Creation of Temporary File With Insecure Permissions
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: High
基本描述
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 377 cwe_View_ID: 1000 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | If the temporary file can be read by the attacker, sensitive information may be in that file which could be revealed. |
| ['Authorization', 'Other'] | Other | If that file can be written to by the attacker, the file might be moved into a place to which the attacker does not have access. This will allow the attacker to gain selective resource access-control privileges. |
| ['Integrity', 'Other'] | Other | Depending on the data stored in the temporary file, there is the potential for an attacker to gain an additional input vector which is trusted as non-malicious. It may be possible to make arbitrary changes to data structures, user information, or even process ownership. |
可能的缓解方案
Requirements
策略:
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Implementation
策略:
Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.
Implementation
策略:
Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.
示例代码
例
In the following code examples a temporary file is created and written to and after using the temporary file the file is closed and deleted from the file system.
bad C
if( (stream = tmpfile()) == NULL ) {
perror("Could not open new temporary file\n");
return (-1);
// write data to tmp file
...
// remove tmp file
rmtmp();
However, within this C/C++ code the method tmpfile() is used to create and open the temp file. The tmpfile() method works the same way as the fopen() method would with read/write permission, allowing attackers to read potentially sensitive information contained in the temp file or modify the contents of the file.
bad Java
temp.deleteOnExit();
BufferedWriter out = new BufferedWriter(new FileWriter(temp));
out.write("aString");
out.close();
catch (IOException e) {
}
Similarly, the createTempFile() method used in the Java code creates a temp file that may be readable and writable to all users.
Additionally both methods used above place the file into a default directory. On UNIX systems the default directory is usually "/tmp" or "/var/tmp" and on Windows systems the default directory is usually "C:\Windows\Temp", which may be easily accessible to attackers, possibly enabling them to read and modify the contents of the temp file.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Improper temp file opening |