CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

Structure: Simple

Abstraction: Class

Status: Draft

Likelihood of Exploit: Unknown

Description

The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Extended Description

If an attacker cannot directly contact a target, but the software has access to the target, then the attacker can send a request to the software and have it be forwarded to the target. The request would appear to be coming from the software's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.

Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:

Related Weaknesses

  • ChildOf CWE-610 (View 1000, Ordinal: Primary)

  • ChildOf CWE-610 (View 699, Ordinal: Primary)

  • CanPrecede CWE-668 (View 1000)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Non-Repudiation, Access Control
Impact: Gain Privileges or Assume Identity; Hide Activities
Notes: (none)

Potential Mitigations

Phase: Architecture and Design

Strategy:

Enforce the use of a strong mutual authentication mechanism between the two parties.

Observed Examples

ID Description Link
CVE-1999-0017 FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017
CVE-1999-0168 RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0168
CVE-2005-0315 FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0315
CVE-2002-1484 Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1484
CVE-2004-2061 CGI script accepts and retrieves incoming URLs. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2061
CVE-2001-1484 Bounce attack allows access to TFTP from trusted side. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1484
CVE-2010-1637 Web-based mail program allows internal network scanning using a modified POP3 port number. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1637
CVE-2009-0037 URL-downloading library automatically follows redirects to file:// and scp:// URLs. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
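To make the mitigation concrete for the FTP bounce entries above (CVE-1999-0017, CVE-2005-0315), here is an added example that is not code from CWE or from any FTP server: a PORT-command validator that only lets the server open a data connection back to the host that owns the control session. It assumes the server knows the control connection's peer address; the rule rejecting ports below 1024 is an assumed hardening policy, not part of the CWE text.

```python
import ipaddress
import re

# Constructed example: RFC 959 PORT syntax is "PORT h1,h2,h3,h4,p1,p2"
# (four address octets, then a 16-bit port as p1*256 + p2).
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


class PortRejected(ValueError):
    """Raised when a PORT command would turn the server into a confused deputy."""


def parse_port(cmd: str) -> tuple[str, int]:
    """Parse a PORT command into (host, port); reject malformed input outright."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise PortRejected("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise PortRejected("octet out of range")
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def validate_port(cmd: str, control_peer_ip: str) -> tuple[str, int]:
    """Accept the PORT command only if it preserves the original source:
    the data target must be the control-connection peer itself (the check
    CVE-2005-0315 lacked), and the port must not be a privileged service port
    (assumed policy; stops the server being pointed at SMTP, HTTP, etc.)."""
    host, port = parse_port(cmd)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PortRejected(
            f"PORT target {host} differs from control peer {control_peer_ip}"
        )
    if port < 1024:
        raise PortRejected(f"PORT target port {port} is a privileged port")
    return host, port


def classify(cmd: str, control_peer_ip: str) -> str:
    """Audit-log helper: returns 'accept' or 'reject: <reason>'."""
    try:
        validate_port(cmd, control_peer_ip)
        return "accept"
    except PortRejected as exc:
        return f"reject: {exc}"
```

Logging every rejection with the session peer and the requested target gives a detection signal for bounce attempts against the server.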

Notes

Relationship: This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.

Maintenance: This could possibly be considered as an emergent resource.

Theoretical: It could be argued that the "confused deputy" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.

Taxonomy Mappings

Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER Unintended proxy/intermediary
PLOVER Proxied Trusted Channel
WASC 32 Routing Detour

Related Attack Patterns

  • CAPEC-141
  • CAPEC-142
  • CAPEC-219
  • CAPEC-465

References