CWE-696 不正确的行为次序
Incorrect Behavior Order
结构: Simple
Abstraction: Class
状态: Incomplete
被利用可能性: unkown
基本描述
The software performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 691 cwe_View_ID: 1000 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | Alter Execution Logic |
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2017-6964 | Linux-based device mapper encryption program does not check the return value of setuid and setgid allowing attackers to execute code with unintended privileges. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964 |
| CVE-2007-5191 | file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191 |
| CVE-2007-1588 | C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be called with higher privileges than intended | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1588 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CERT C Secure Coding | POS36-C | CWE More Abstract | Observe correct revocation order while relinquishing privileges |
相关攻击模式
- CAPEC-463